Permissions and examples for AWS CodeConnections - Developer Tools console

Permissions and examples for AWS CodeConnections

The following policy statements and examples can help you manage AWS CodeConnections.

For information about how to create an IAM identity-based policy using these example JSON policy documents, see Creating policies on the JSON tab in the IAM User Guide.

Example: A policy for creating AWS CodeConnections with the CLI and viewing with the console

A role or user designated to use the AWS CLI or SDK to view, create, tag, or delete connections should have permissions limited to the following.

Note

You cannot complete a connection in the console with only the following permissions. You need to add the permissions in the next section.

To use the console to view a list of available connections, view tags, and use a connection, use the following policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ConnectionsFullAccess",
      "Effect": "Allow",
      "Action": [
        "codeconnections:CreateConnection",
        "codeconnections:DeleteConnection",
        "codeconnections:UseConnection",
        "codeconnections:GetConnection",
        "codeconnections:ListConnections",
        "codeconnections:TagResource",
        "codeconnections:ListTagsForResource",
        "codeconnections:UntagResource"
      ],
      "Resource": "*"
    }
  ]
}

Example: A policy for creating AWS CodeConnections with the console

A role or user designated to manage connections in the console should have the permissions required to complete a connection in the console and create an installation, which includes authorizing the handshake to the provider and creating installations for connections to use. UseConnection should also be added to use the connection in the console. Use the following policy to view, use, create, tag, or delete a connection in the console.

Note

Currently, if you use the console to create a connection, this will only create resources with codestar-connections in the resource ARN. To create a resource that will have the codeconnections service prefix in the ARN, use the CLI, SDK, or CFN. Resources with both service prefixes will still display in the console. Console resource creation will be available beginning July 1, 2024.

Note

For resources created using the console, policy statement actions must include codestar-connections as the service prefix as shown in the following example.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codestar-connections:CreateConnection",
        "codestar-connections:DeleteConnection",
        "codestar-connections:GetConnection",
        "codestar-connections:ListConnections",
        "codestar-connections:GetInstallationUrl",
        "codestar-connections:GetIndividualAccessToken",
        "codestar-connections:ListInstallationTargets",
        "codestar-connections:StartOAuthHandshake",
        "codestar-connections:UpdateConnectionInstallation",
        "codestar-connections:UseConnection",
        "codestar-connections:TagResource",
        "codestar-connections:ListTagsForResource",
        "codestar-connections:UntagResource"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Example: An administrator-level policy for managing AWS CodeConnections

In this example, you want to grant an IAM user in your AWS account full access to CodeConnections so that the user can add, update, and delete connections. This is a full access policy, equivalent to the AWSCodePipeline_FullAccess managed policy. Like that managed policy, you should only attach this kind of policy statement to IAM users, groups, or roles that require full administrative access to connections across your AWS account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ConnectionsFullAccess",
      "Effect": "Allow",
      "Action": [
        "codeconnections:CreateConnection",
        "codeconnections:DeleteConnection",
        "codeconnections:UseConnection",
        "codeconnections:GetConnection",
        "codeconnections:ListConnections",
        "codeconnections:ListInstallationTargets",
        "codeconnections:GetInstallationUrl",
        "codeconnections:StartOAuthHandshake",
        "codeconnections:UpdateConnectionInstallation",
        "codeconnections:GetIndividualAccessToken",
        "codeconnections:TagResource",
        "codeconnections:ListTagsForResource",
        "codeconnections:UntagResource"
      ],
      "Resource": "*"
    }
  ]
}

Example: A contributor-level policy for using AWS CodeConnections

In this example, you want to grant access to the day-to-day usage of CodeConnections, such as creating and viewing details of connections, but not to more destructive actions, such as deleting connections.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCodeConnectionsPowerUserAccess",
      "Effect": "Allow",
      "Action": [
        "codeconnections:CreateConnection",
        "codeconnections:UseConnection",
        "codeconnections:GetConnection",
        "codeconnections:ListConnections",
        "codeconnections:ListInstallationTargets",
        "codeconnections:GetInstallationUrl",
        "codeconnections:GetIndividualAccessToken",
        "codeconnections:StartOAuthHandshake",
        "codeconnections:UpdateConnectionInstallation",
        "codeconnections:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}

Example: A read-only-level policy for using AWS CodeConnections

In this example, you want to grant an IAM user in your account read-only access to the connections in your AWS account. This example shows how you might create a policy that allows viewing these items.

{
  "Version": "2012-10-17",
  "Id": "Connections__ReadOnly",
  "Statement": [
    {
      "Sid": "Reads_API_Access",
      "Effect": "Allow",
      "Action": [
        "codeconnections:GetConnection",
        "codeconnections:ListConnections",
        "codeconnections:ListInstallationTargets",
        "codeconnections:GetInstallationUrl",
        "codeconnections:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}

Example: A scoped-down policy for using AWS CodeConnections with a specified repository

In the following example, the customer wants the CodeBuild service role to access the specified Bitbucket repository. The policy on the CodeBuild service role:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "codeconnections:UseConnection"
    ],
    "Resource": "arn:aws:codeconnections:us-west-2:connection:3dee99b9-172f-4ebe-a257-722365a39557",
    "Condition": {
      "ForAllValues:StringEquals": {
        "codeconnections:FullRepositoryId": "myrepoowner/myreponame"
      }
    }
  }
}

Example: A policy to use a connection with CodePipeline

In the following example, an administrator wants users to use a connection with CodePipeline. The policy attached to the user:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "codeconnections:PassConnection"
    ],
    "Resource": "arn:aws:codeconnections:us-west-2:connection/aEXAMPLE-8aad-4d5d-8878-dfcab0bc441f",
    "Condition": {
      "ForAllValues:StringEquals": {
        "codeconnections:PassedToService": "codepipeline.amazonaws.com"
      }
    }
  }
}

Example: Use a CodeBuild service role for Bitbucket read operations with AWS CodeConnections

In the following example, the customer wants the CodeBuild service role to perform read operations on Bitbucket regardless of the repository. The policy on the CodeBuild service role:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "codeconnections:UseConnection"
    ],
    "Resource": "arn:aws:codeconnections:us-west-2:connection/aEXAMPLE-8aad-4d5d-8878-dfcab0bc441f",
    "Condition": {
      "ForAllValues:StringEquals": {
        "codeconnections:ProviderPermissionsRequired": "read_only"
      }
    }
  }
}

Example: Limit the CodeBuild service role from performing operations with AWS CodeConnections

In the following example, the customer wants to prevent the CodeBuild service role from performing an operation like CreateRepository. The policy on the CodeBuild service role:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "codeconnections:UseConnection"
    ],
    "Resource": "arn:aws:codeconnections:us-west-2:connection/aEXAMPLE-8aad-4d5d-8878-dfcab0bc441f",
    "Condition": {
      "ForAllValues:StringNotEquals": {
        "codeconnections:ProviderAction": "CreateRepository"
      }
    }
  }
}
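To see how the scoped-down UseConnection policies above behave under different request contexts, here is a small evaluator added as an example (it is not AWS code and not the real IAM engine): it handles only the Effect, Action, Resource and (ForAllValues:)StringEquals / StringNotEquals pieces these statements use, and mirrors IAM's documented rule that a ForAllValues condition evaluates to true when the key is absent from the request. The ARN, repository and ProviderAction values are the page's own; CONNECTION_ARN, the two policy dicts and the function names are assumptions of this example.

```python
"""Toy evaluator for the Allow/Deny statements on this page; it is not the IAM policy engine."""
from fnmatch import fnmatchcase

# Constructed samples with the same shape as the page's scoped-down CodeBuild service-role policies.
CONNECTION_ARN = "arn:aws:codeconnections:us-west-2:connection/aEXAMPLE-8aad-4d5d-8878-dfcab0bc441f"
SCOPED_REPO_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["codeconnections:UseConnection"], "Resource": CONNECTION_ARN,
    "Condition": {"ForAllValues:StringEquals": {"codeconnections:FullRepositoryId": "myrepoowner/myreponame"}}}}
NO_CREATE_REPO_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["codeconnections:UseConnection"], "Resource": CONNECTION_ARN,
    "Condition": {"ForAllValues:StringNotEquals": {"codeconnections:ProviderAction": "CreateRepository"}}}}


def _as_list(value):
    """IAM lets Statement, Action, Resource and condition values be a scalar or a list."""
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Support only the operators this page uses: StringEquals / StringNotEquals, optionally set-qualified."""
    for operator, pairs in condition.items():
        set_qualified = operator.startswith("ForAllValues:")
        op = operator.split(":")[-1]  # "ForAllValues:StringEquals" -> "StringEquals"
        for key, policy_values in pairs.items():
            policy_values, actual = _as_list(policy_values), _as_list(context.get(key, []))
            if op == "StringEquals":
                if not actual and not set_qualified:
                    return False  # plain StringEquals needs the key to be present
                # ForAllValues: every request value must be in the policy set; an absent key passes (all([]) is True)
                if not all(value in policy_values for value in actual):
                    return False
            elif op == "StringNotEquals":
                if any(value in policy_values for value in actual):
                    return False
            else:
                raise ValueError(f"unsupported operator: {operator}")
    return True


def is_allowed(policy, action, resource, context):
    """Explicit Deny wins over any Allow; with no matching statement the request is implicitly denied."""
    decision = False
    for stmt in _as_list(policy["Statement"]):
        if not any(fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision
```

Because the repository check is set-qualified, a request that carries no codeconnections:FullRepositoryId key is allowed by SCOPED_REPO_POLICY; the IAM policy simulator is the place to confirm such decisions against the live service.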