Identity and access management for AWS CodeStar Notifications and AWS CodeStar Connections
AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be authenticated (signed in) and authorized (have permissions) to use AWS CodeStar Notifications and AWS CodeStar Connections resources. IAM is an AWS service that you can use with no additional charge.
Topics
- Audience
- Authenticating with identities
- Managing access using policies
- How features in the developer tools console work with IAM
- AWS CodeStar Connections permissions reference
- Identity-based policy examples
- Using tags to control access to AWS CodeStar Connections resources
- Using notifications and connections in the console
- Allow users to view their own permissions
- Troubleshooting AWS CodeStar Notifications and AWS CodeStar Connections identity and access
- Using service-linked roles for AWS CodeStar Notifications
Audience
How you use AWS Identity and Access Management (IAM) differs, depending on the work that you do in AWS CodeStar Notifications and AWS CodeStar Connections.
Service user – If you use the AWS CodeStar Notifications and AWS CodeStar Connections service to do your job, then your administrator provides you with the credentials and permissions that you need. As you use more AWS CodeStar Notifications and AWS CodeStar Connections features to do your work, you might need additional permissions. Understanding how access is managed can help you request the right permissions from your administrator. If you cannot access a feature in AWS CodeStar Notifications and AWS CodeStar Connections, see Troubleshooting AWS CodeStar Notifications and AWS CodeStar Connections identity and access.
Service administrator – If you're in charge of AWS CodeStar Notifications and AWS CodeStar Connections resources at your company, you probably have full access to AWS CodeStar Notifications and AWS CodeStar Connections. It's your job to determine which AWS CodeStar Notifications and AWS CodeStar Connections features and resources your service users should access. You must then submit requests to your IAM administrator to change the permissions of your service users. Review the information on this page to understand the basic concepts of IAM. To learn more about how your company can use IAM with AWS CodeStar Notifications and AWS CodeStar Connections, see How features in the developer tools console work with IAM.
IAM administrator – If you're an IAM administrator, you might want to learn details about how you can write policies to manage access to AWS CodeStar Notifications and AWS CodeStar Connections. To view example AWS CodeStar Notifications and AWS CodeStar Connections identity-based policies that you can use in IAM, see Identity-based policy examples.
Authenticating with identities
Authentication is how you sign in to AWS using your identity credentials. You must be authenticated (signed in to AWS) as the AWS account root user, as an IAM user, or by assuming an IAM role.
You can sign in to AWS as a federated identity by using credentials provided through an identity source. AWS IAM Identity Center (successor to AWS Single Sign-On) (IAM Identity Center) users, your company's single sign-on authentication, and your Google or Facebook credentials are examples of federated identities. When you sign in as a federated identity, your administrator previously set up identity federation using IAM roles. When you access AWS by using federation, you are indirectly assuming a role.
Depending on the type of user you are, you can sign in to the AWS Management Console or the AWS access portal. For more information about signing in to AWS, see How to sign in to your AWS account in the AWS Sign-In User Guide.
If you access AWS programmatically, AWS provides a software development kit (SDK) and a command line interface (CLI) to cryptographically sign your requests using your credentials. If you don't use AWS tools, you must sign requests yourself. For more information about using the recommended method to sign requests yourself, see Signature Version 4 signing process in the AWS General Reference.
Regardless of the authentication method that you use, you might be required to provide additional security information. For example, AWS recommends that you use multi-factor authentication (MFA) to increase the security of your account. To learn more, see Multi-factor authentication in the AWS IAM Identity Center (successor to AWS Single Sign-On) User Guide and Using multi-factor authentication (MFA) in AWS in the IAM User Guide.
AWS account root user
When you create an AWS account, you begin with one sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account. We strongly recommend that you don't use the root user for your everyday tasks. Safeguard your root user credentials and use them to perform the tasks that only the root user can perform. For the complete list of tasks that require you to sign in as the root user, see Tasks that require root user credentials in the AWS Account Management Reference Guide.
IAM users and groups
An IAM user is an identity within your AWS account that has specific permissions for a single person or application. Where possible, we recommend relying on temporary credentials instead of creating IAM users who have long-term credentials such as passwords and access keys. However, if you have specific use cases that require long-term credentials with IAM users, we recommend that you rotate access keys. For more information, see Rotate access keys regularly for use cases that require long-term credentials in the IAM User Guide.
An IAM group is an identity that specifies a collection of IAM users. You can't sign in as a group. You can use groups to specify permissions for multiple users at a time. Groups make permissions easier to manage for large sets of users. For example, you could have a group named IAMAdmins and give that group permissions to administer IAM resources.
Users are different from roles. A user is uniquely associated with one person or application, but a role is intended to be assumable by anyone who needs it. Users have permanent long-term credentials, but roles provide temporary credentials. To learn more, see When to create an IAM user (instead of a role) in the IAM User Guide.
IAM roles
An IAM role is an identity within your AWS account that has specific permissions. It is similar to an IAM user, but is not associated with a specific person. You can temporarily assume an IAM role in the AWS Management Console by switching roles. You can assume a role by calling an AWS CLI or AWS API operation or by using a custom URL. For more information about methods for using roles, see Using IAM roles in the IAM User Guide.
IAM roles with temporary credentials are useful in the following situations:
-
Federated user access – To assign permissions to a federated identity, you create a role and define permissions for the role. When a federated identity authenticates, the identity is associated with the role and is granted the permissions that are defined by the role. For information about roles for federation, see Creating a role for a third-party Identity Provider in the IAM User Guide. If you use IAM Identity Center, you configure a permission set. To control what your identities can access after they authenticate, IAM Identity Center correlates the permission set to a role in IAM. For information about permissions sets, see Permission sets in the AWS IAM Identity Center (successor to AWS Single Sign-On) User Guide.
-
Temporary IAM user permissions – An IAM user or role can assume an IAM role to temporarily take on different permissions for a specific task.
-
Cross-account access – You can use an IAM role to allow someone (a trusted principal) in a different account to access resources in your account. Roles are the primary way to grant cross-account access. However, with some AWS services, you can attach a policy directly to a resource (instead of using a role as a proxy). To learn the difference between roles and resource-based policies for cross-account access, see How IAM roles differ from resource-based policies in the IAM User Guide.
-
Cross-service access – Some AWS services use features in other AWS services. For example, when you make a call in a service, it's common for that service to run applications in Amazon EC2 or store objects in Amazon S3. A service might do this using the calling principal's permissions, using a service role, or using a service-linked role.
-
Principal permissions – When you use an IAM user or role to perform actions in AWS, you are considered a principal. Policies grant permissions to a principal. When you use some services, you might perform an action that then triggers another action in a different service. In this case, you must have permissions to perform both actions. To see whether an action requires additional dependent actions in a policy, see Actions, Resources, and Condition Keys for AWS CodeStar Notifications and Actions, Resources, and Condition Keys for AWS CodeStar Connections in the Service Authorization Reference.
-
Service role – A service role is an IAM role that a service assumes to perform actions on your behalf. An IAM administrator can create, modify, and delete a service role from within IAM. For more information, see Creating a role to delegate permissions to an AWS service in the IAM User Guide.
-
Service-linked role – A service-linked role is a type of service role that is linked to an AWS service. The service can assume the role to perform an action on your behalf. Service-linked roles appear in your AWS account and are owned by the service. An IAM administrator can view, but not edit the permissions for service-linked roles.
-
-
Applications running on Amazon EC2 – You can use an IAM role to manage temporary credentials for applications that are running on an EC2 instance and making AWS CLI or AWS API requests. This is preferable to storing access keys within the EC2 instance. To assign an AWS role to an EC2 instance and make it available to all of its applications, you create an instance profile that is attached to the instance. An instance profile contains the role and enables programs that are running on the EC2 instance to get temporary credentials. For more information, see Using an IAM role to grant permissions to applications running on Amazon EC2 instances in the IAM User Guide.
To learn whether to use IAM roles or IAM users, see When to create an IAM role (instead of a user) in the IAM User Guide.
Managing access using policies
You control access in AWS by creating policies and attaching them to AWS identities or resources. A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. AWS evaluates these policies when a principal (user, root user, or role session) makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents. For more information about the structure and contents of JSON policy documents, see Overview of JSON policies in the IAM User Guide.
Administrators can use AWS JSON policies to specify who has access to what. That is, which principal can perform actions on what resources, and under what conditions.
By default, users and roles have no permissions. To grant users permission to perform actions on the resources that they need, an IAM administrator can create IAM policies. The administrator can then add the IAM policies to roles, and users can assume the roles.
IAM policies define permissions for an action regardless of the method that you use to perform the operation. For example, suppose that you have a
policy that allows the iam:GetRole
action. A user with that policy can get role information from the AWS Management Console, the AWS CLI, or the AWS
API.
Identity-based policies
Identity-based policies are JSON permissions policy documents that you can attach to an identity, such as an IAM user, group of users, or role. These policies control what actions users and roles can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see Creating IAM policies in the IAM User Guide.
Identity-based policies can be further categorized as inline policies or managed policies. Inline policies are embedded directly into a single user, group, or role. Managed policies are standalone policies that you can attach to multiple users, groups, and roles in your AWS account. Managed policies include AWS managed policies and customer managed policies. To learn how to choose between a managed policy or an inline policy, see Choosing between managed policies and inline policies in the IAM User Guide.
AWS CodeStar Connections permissions reference
The following tables list each AWS CodeStar Connections API operation, the corresponding actions for which you can grant permissions, and the format of the resource ARN to use for granting permissions. The AWS CodeStar Connections APIs are grouped into tables based on the scope of the actions allowed by that API. Refer to it when writing permissions policies that you can attach to an IAM identity (identity-based policies).
When you create a permissions policy, you specify the actions in the policy's
Action
field. You specify the resource value in the policy's
Resource
field as an ARN, with or without a wildcard character (*).
To express conditions in your connections policies, use the condition keys described here and listed in Condition keys. You can also use AWS-wide condition keys. For a complete list of AWS-wide keys, see Available keys in the IAM User Guide.
To specify an action, use the codestar-connections:
prefix followed by
the API operation name (for example, codestar-connections:ListConnections
or codestar-connections:CreateConnection
.
Using wildcards
To specify multiple actions or resources, use a wildcard character (*) in your ARN.
For example, codestar-connections:*
specifies all AWS CodeStar Connections actions and
codestar-connections:Get*
specifies all AWS CodeStar Connections actions that begin
with the word Get
. The following example grants access to all resources
with names that begin with MyConnection
.
arn:aws:codestar-connections:us-west-2:
account-ID
:connection/*
You can use wildcards only with the connection
resources
listed in the following table. You can't use wildcards with
region
or account-id
resources. For more information about wildcards, see IAM identifiers in
IAM User Guide.
Topics
Permissions for managing connections
A role or user designated to use the AWS CLI or SDK to view, create, or delete connections should have permissions limited to the following.
Note
You cannot complete or use a connection in the console with only the following permissions. You need to add the permissions in Permissions for completing connections.
codestar-connections:CreateConnection codestar-connections:DeleteConnection codestar-connections:GetConnection codestar-connections:ListConnections
Use the scroll bars to see the rest of the table.
AWS CodeStar Connections required permissions for managing connections | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
AWS CodeStar Connections actions | Required permissions | Resources | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
CreateConnection |
Required to use the CLI or console to create a connection. |
arn:aws:codestar-connections: |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
DeleteConnection |
Required to use the CLI or console to delete a connection. |
arn:aws:codestar-connections: |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GetConnection |
Required to use the CLI or console to view details about a connection. |
arn:aws:codestar-connections: |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
ListConnections |
Required to use the CLI or console to list all connections in the account. |
arn:aws:codestar-connections: |
These operations support the following condition keys:
Action | Condition keys |
---|---|
|
|
codestar-connections:DeleteConnection |
N/A |
codestar-connections:GetConnection |
N/A |
codestar-connections:ListConnections |
codestar-connections:ProviderTypeFilter |
Permissions for managing hosts
A role or user designated to use the AWS CLI or SDK to view, create, or delete hosts should have permissions limited to the following.
Note
You cannot complete or use a connection in the host with only the following permissions. You need to add the permissions in Permissions for setting up hosts.
codestar-connections:CreateHost codestar-connections:DeleteHost codestar-connections:GetHost codestar-connections:ListHosts
Use the scroll bars to see the rest of the table.
AWS CodeStar Connections required permissions for managing hosts | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
AWS CodeStar Connections actions | Required permissions | Resources | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
CreateHost |
Required to use the CLI or console to create a host. |
arn:aws:codestar-connections: |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
DeleteHost |
Required to use the CLI or console to delete a host. |
arn:aws:codestar-connections: |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GetHost |
Required to use the CLI or console to view details about a host. |
arn:aws:codestar-connections: |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
ListHosts |
Required to use the CLI or console to list all hosts in the account. |
arn:aws:codestar-connections: |
These operations support the following condition keys:
Action | Condition keys |
---|---|
|
|
codestar-connections:DeleteHost |
N/A |
codestar-connections:GetHost |
N/A |
codestar-connections:ListHosts |
codestar-connections:ProviderTypeFilter |
Permissions for completing connections
A role or user designated to manage connections in the console should have the permissions required to complete a connection in the console and create an installation, which includes authorizing the handshake to the provider and creating installations for connections to use. Use the following permissions in addition to the permissions above.
The following IAM operations are used by the console when performing a
browser-based handshake. The ListInstallationTargets
,
GetInstallationUrl
, StartOAuthHandshake
,
UpdateConnectionInstallation
, and
GetIndividualAccessToken
are IAM policy permissions. They are not
API actions.
codestar-connections:GetIndividualAccessToken codestar-connections:GetInstallationUrl codestar-connections:ListInstallationTargets codestar-connections:StartOAuthHandshake codestar-connections:UpdateConnectionInstallation
Based on this, the following permissions are needed to use, create, update, or delete a connection in the console.
codestar-connections:CreateConnection codestar-connections:DeleteConnection codestar-connections:GetConnection codestar-connections:ListConnections codestar-connections:UseConnection codestar-connections:ListInstallationTargets codestar-connections:GetInstallationUrl codestar-connections:StartOAuthHandshake codestar-connections:UpdateConnectionInstallation codestar-connections:GetIndividualAccessToken
Use the scroll bars to see the rest of the table.
AWS CodeStar Connections required permissions for completing connections | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
AWS CodeStar Connections actions | Required permissions | Resources | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Required to use the console to complete a connection. This is an IAM policy permission only, not an API action. |
arn:aws:codestar-connections: |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Required to use the console to complete a connection. This is an IAM policy permission only, not an API action. |
arn:aws:codestar-connections: |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Required to use the console to complete a connection. This is an IAM policy permission only, not an API action. |
arn:aws:codestar-connections: |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Required to use the console to complete a connection. This is an IAM policy permission only, not an API action. |
arn:aws:codestar-connections: |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Required to use the console to complete a connection. This is an IAM policy permission only, not an API action. |
arn:aws:codestar-connections: |
These operations support the following condition keys.
Action | Condition keys |
---|---|
codestar-connections:GetIndividualAccessToken |
codestar-connections:ProviderType |
codestar-connections:GetInstallationUrl |
codestar-connections:ProviderType |
|
N/A |
codestar-connections:StartOAuthHandshake |
codestar-connections:ProviderType |
codestar-connections:UpdateConnectionInstallation |
codestar-connections:InstallationId |
Permissions for setting up hosts
A role or user designated to manage connections in the console should have the permissions required to set up a host in the console, which includes authorizing the handshake to the provider and installing the host app. Use the following permissions in addition to the permissions for hosts above.
The following IAM operations are used by the console when performing a
browser-based host registration. RegisterAppCode
and
StartAppRegistrationHandshake
are IAM policy permissions. They
are not API actions.
codestar-connections:RegisterAppCode codestar-connections:StartAppRegistrationHandshake
Based on this, the following permissions are needed to use, create, update, or delete a connection in the console that requires a host (such as installed provider types).
codestar-connections:CreateConnection codestar-connections:DeleteConnection codestar-connections:GetConnection codestar-connections:ListConnections codestar-connections:UseConnection codestar-connections:ListInstallationTargets codestar-connections:GetInstallationUrl codestar-connections:StartOAuthHandshake codestar-connections:UpdateConnectionInstallation codestar-connections:GetIndividualAccessToken codestar-connections:RegisterAppCode codestar-connections:StartAppRegistrationHandshake
Use the scroll bars to see the rest of the table.
AWS CodeStar Connections required permissions for completing host setup | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
AWS CodeStar Connections actions | Required permissions | Resources | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Required to use the console to complete host setup. This is an IAM policy permission only, not an API action. |
arn:aws:codestar-connections: |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Required to use the console to complete host setup. This is an IAM policy permission only, not an API action. |
arn:aws:codestar-connections: |
These operations support the following condition keys.
Passing a connection to a service
When a connection is passed to a service (for example, when a connection ARN is
provided in a pipeline definition to create or update a pipeline) the user must have
the codestar-connections:PassConnection
permission.
Use the scroll bars to see the rest of the table.
AWS CodeStar Connections required permissions for passing a connection | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
AWS CodeStar Connections actions | Required permissions | Resources | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Required to pass a connection to a service. |
arn:aws:codestar-connections: |
This operation also supports the following condition key:
-
codestar-connections:PassedToService
Supported values for condition keys | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Key | Valid action providers | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
Using a connection
When a service like CodePipeline uses a connection, the service role must have the
codestar-connections:UseConnection
permission for a given
connection.
To manage connections in the console, the user policy must have the
codestar-connections:UseConnection
permission.
Use the scroll bars to see the rest of the table.
AWS CodeStar Connections required action for using connections | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
AWS CodeStar Connections actions | Required permissions | Resources | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Required to use a connection. |
arn:aws:codestar-connections: |
This operation also supports the following condition keys:
-
codestar-connections:BranchName
-
codestar-connections:FullRepositoryId
-
codestar-connections:OwnerId
-
codestar-connections:ProviderAction
-
codestar-connections:ProviderPermissionsRequired
-
codestar-connections:RepositoryName
Supported values for condition keys | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Key | Valid action providers | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
The user name and repository name of a Bitbucket repository,
such as |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
read_only or read_write |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
For information, see the next section. |
The required condition keys for some functionality might change over time. We
recommend that you use codestar-connections:UseConnection
to control
access to a connection unless your access control requirements require different
permissions.
Supported access types
for ProviderAction
When a connection is used by an AWS service, it results in API calls being made
to your source code provider. For example, a service might list repositories for a
Bitbucket connection by calling the
https://api.bitbucket.org/2.0/repositories/
API.username
The ProviderAction
condition key allows you to restrict which APIs on
a provider can be called. Because the API path might be generated dynamically, and
the path varies from provider to provider, the ProviderAction
value is
mapped to an abstract action name rather than the URL of the API. This allows you to
write policies that have the same effect regardless of the provider type for the
connection.
The following are the access types that are granted for each of the supported
ProviderAction
values. The following are IAM policy permissions.
They are not API actions.
Use the scroll bars to see the rest of the table.
AWS CodeStar Connections supported access types for ProviderAction | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
AWS CodeStar Connections permission | Required permissions | Resources | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Required to access information about a branch, such as the latest commit for that branch. |
arn:aws:codestar-connections: |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Required to access a list of public and private repositories, including details about those repositories, that belong to an owner. |
arn:aws:codestar-connections: |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Required to access a list of owners that the connection has access to. |
arn:aws:codestar-connections: |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Required to access the list of branches that exist on a given repository. |
arn:aws:codestar-connections: |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Required to read source code and upload it to Amazon S3. |
arn:aws:codestar-connections: |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Required to write to a repository using Git. |
arn:aws:codestar-connections: |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Required to read from a repository using Git. |
arn:aws:codestar-connections: |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GetUploadArchiveToS3Status |
Required to access the status of an upload, including any
error messages, started by
|
arn:aws:codestar-connections: |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
CreatePullRequestDiffComment |
Required to access comments on a pull request. |
arn:aws:codestar-connections: |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
GetPullRequest |
Required to view pull requests for a repository. |
arn:aws:codestar-connections: |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Required to view a list of commits for a repository branch. |
arn:aws:codestar-connections: |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Required to view a list of files for a commit. |
arn:aws:codestar-connections: |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Required to view a list of comments for a pull request. |
arn:aws:codestar-connections: |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Required to view a list of commits for a pull request. |
arn:aws:codestar-connections: |
Supported permissions for tagging connection resources
The following IAM operations are used when tagging connection resources.
codestar-connections:ListTagsForResource codestar-connections:TagResource codestar-connections:UntagResource
Use the scroll bars to see the rest of the table.
AWS CodeStar Connections required actions for tagging connection resources | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
AWS CodeStar Connections actions | Required permissions | Resources | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Required to view a list of tags associated with the connection resource. |
arn:aws:codestar-connections: arn:aws:codestar-connections: |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Required to tag a connection resource. |
arn:aws:codestar-connections: arn:aws:codestar-connections: |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Required to remove tags from a connection resource. |
arn:aws:codestar-connections: arn:aws:codestar-connections: |
Using notifications and connections in the console
The notifications experience is built into the CodeBuild, CodeCommit, CodeDeploy, and CodePipeline consoles, as well as in the Developer Tools console in the Settings navigation bar itself. To access notifications in the consoles, you must either have one of the managed policies for those services applied, or you must have a minimum set of permissions. These permissions must allow you to list and view details about the AWS CodeStar Notifications and AWS CodeStar Connections resources in your AWS account. If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for entities (IAM users or roles) with that policy. For more information about granting access to AWS CodeBuild, AWS CodeCommit, AWS CodeDeploy, and AWS CodePipeline, including access to those consoles, see the following topics:
-
CodeBuild: Using identity-based policies for CodeBuild
-
CodeCommit: Using identity-based policies for CodeCommit
-
AWS CodeDeploy: Identity and access management for AWS CodeDeploy
-
CodePipeline: Access control with IAM policies
AWS CodeStar Notifications does not have any AWS managed policies. To provide access to notification functionality, you must either apply one of the managed policies for one of the services listed previously, or you must create policies with the level of permission you want to grant to users or entities, and then attach those policies to the users, groups, or roles that require those permissions. For more information and examples, see the following:
AWS CodeStar Connections does not have any AWS managed policies. You use the permissions and combinations of permissions for access, such as the permissions detailed in Permissions for completing connections.
For more information, see the following:
You don't need to allow console permissions for users that are making calls only to the AWS CLI or the AWS API. Instead, allow access to only the actions that match the API operation that you're trying to perform.
Allow users to view their own permissions
This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the AWS CLI or AWS API.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "ViewOwnUserInfo", "Effect": "Allow", "Action": [ "iam:GetUserPolicy", "iam:ListGroupsForUser", "iam:ListAttachedUserPolicies", "iam:ListUserPolicies", "iam:GetUser" ], "Resource": ["arn:aws:iam::*:user/${aws:username}"] }, { "Sid": "NavigateInConsole", "Effect": "Allow", "Action": [ "iam:GetGroupPolicy", "iam:GetPolicyVersion", "iam:GetPolicy", "iam:ListAttachedGroupPolicies", "iam:ListGroupPolicies", "iam:ListPolicyVersions", "iam:ListPolicies", "iam:ListUsers" ], "Resource": "*" } ] }