Permissions and examples for AWS CodeStar Connections - Developer Tools console

Permissions and examples for AWS CodeStar Connections

The following policy statements and examples can help you manage AWS CodeStar Connections.

For information about how to create an IAM identity-based policy using these example JSON policy documents, see Creating policies on the JSON tab in the IAM User Guide.

Example: A policy for creating AWS CodeStar Connections with the CLI and viewing with the console

A role or user designated to use the AWS CLI or SDK to view, create, tag, or delete connections should have permissions limited to the following.

Note

You cannot complete a connection in the console with only the following permissions. You need to add the permissions in the next section.

To use the console to view a list of available connections, view tags, and use a connection, use the following policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ConnectionsFullAccess",
            "Effect": "Allow",
            "Action": [
                "codestar-connections:CreateConnection",
                "codestar-connections:DeleteConnection",
                "codestar-connections:UseConnection",
                "codestar-connections:GetConnection",
                "codestar-connections:ListConnections",
                "codestar-connections:TagResource",
                "codestar-connections:ListTagsForResource",
                "codestar-connections:UntagResource"
            ],
            "Resource": "*"
        }
    ]
}

Example: A policy for creating AWS CodeStar Connections with the console

A role or user designated to manage connections in the console needs the permissions required to complete a connection there and create an installation: authorizing the OAuth handshake with the provider and creating the installations that connections use. Add UseConnection as well so the connection can be used from the console. Use the following policy to view, use, create, tag, or delete a connection in the console.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "codestar-connections:CreateConnection",
                "codestar-connections:DeleteConnection",
                "codestar-connections:GetConnection",
                "codestar-connections:ListConnections",
                "codestar-connections:GetInstallationUrl",
                "codestar-connections:GetIndividualAccessToken",
                "codestar-connections:ListInstallationTargets",
                "codestar-connections:StartOAuthHandshake",
                "codestar-connections:UpdateConnectionInstallation",
                "codestar-connections:UseConnection",
                "codestar-connections:TagResource",
                "codestar-connections:ListTagsForResource",
                "codestar-connections:UntagResource"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Example: An administrator-level policy for managing AWS CodeStar Connections

In this example, you want to grant an IAM user in your AWS account full access to AWS CodeStar connections so that the user can add, update, and delete connections. This is a full access policy, equivalent to the connections permissions in the AWSCodePipeline_FullAccess managed policy. Because Resource is "*", every listed action is allowed on every connection in the account, including StartOAuthHandshake and GetIndividualAccessToken, which complete the provider authorization. Like that managed policy, you should only attach this kind of policy statement to IAM users, groups, or roles that require full administrative access to connections across your AWS account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ConnectionsFullAccess",
            "Effect": "Allow",
            "Action": [
                "codestar-connections:CreateConnection",
                "codestar-connections:DeleteConnection",
                "codestar-connections:UseConnection",
                "codestar-connections:GetConnection",
                "codestar-connections:ListConnections",
                "codestar-connections:ListInstallationTargets",
                "codestar-connections:GetInstallationUrl",
                "codestar-connections:StartOAuthHandshake",
                "codestar-connections:UpdateConnectionInstallation",
                "codestar-connections:GetIndividualAccessToken",
                "codestar-connections:TagResource",
                "codestar-connections:ListTagsForResource",
                "codestar-connections:UntagResource"
            ],
            "Resource": "*"
        }
    ]
}

Example: A contributor-level policy for using AWS CodeStar Connections

In this example, you want to grant access to the day-to-day usage of AWS CodeStar connections, such as creating connections, completing the provider handshake, and viewing connection details, but not to more destructive actions, such as deleting connections or changing their tags.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCodeStarConnectionsPowerUserAccess",
            "Effect": "Allow",
            "Action": [
                "codestar-connections:CreateConnection",
                "codestar-connections:UseConnection",
                "codestar-connections:GetConnection",
                "codestar-connections:ListConnections",
                "codestar-connections:ListInstallationTargets",
                "codestar-connections:GetInstallationUrl",
                "codestar-connections:GetIndividualAccessToken",
                "codestar-connections:StartOAuthHandshake",
                "codestar-connections:UpdateConnectionInstallation",
                "codestar-connections:ListTagsForResource"
            ],
            "Resource": "*"
        }
    ]
}

Example: A read-only-level policy for using AWS CodeStar Connections

In this example, you want to grant an IAM user in your account read-only access to the connections in your AWS account. This example shows how you might create a policy that allows viewing these items. This is equivalent to the connections permissions included in the AWSCodeBuildReadOnlyAccess, AWSCodeCommitReadOnly, and AWSCodePipeline_ReadOnlyAccess managed policies.

{
    "Version": "2012-10-17",
    "Id": "CodeNotification__ReadOnly",
    "Statement": [
        {
            "Sid": "Reads_API_Access",
            "Effect": "Allow",
            "Action": [
                "codestar-connections:GetConnection",
                "codestar-connections:ListConnections",
                "codestar-connections:ListInstallationTargets",
                "codestar-connections:GetInstallationUrl",
                "codestar-connections:ListTagsForResource"
            ],
            "Resource": "*"
        }
    ]
}
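The three tiers above are only useful if each document is well formed and each narrower tier really is a subset of the wider one; a policy whose Sid, Effect and Action land at the top level instead of inside "Statement" is rejected by IAM, and a read-only tier that quietly carries a mutating action defeats the point. The following is an added example, not AWS tooling or code from this page: a small offline lint, in Python, that rebuilds the three tier policies from their action lists, checks the document shape IAM requires, and checks that the tiers nest as intended. The action lists are taken from the policies above; the MALFORMED_CONTRIBUTOR document is a constructed input that reproduces the top-level Sid/Effect/Action mistake.

```python
"""Structural lint for the administrator, contributor and read-only policies
above (added example; not AWS tooling). It checks the document shape IAM
requires and that each narrower tier only grants a subset of the wider one."""
import json

SERVICE = "codestar-connections:"
# Action lists copied from the three tier policies on this page.
ADMIN_ACTIONS = ["CreateConnection", "DeleteConnection", "UseConnection", "GetConnection",
                 "ListConnections", "ListInstallationTargets", "GetInstallationUrl",
                 "StartOAuthHandshake", "UpdateConnectionInstallation",
                 "GetIndividualAccessToken", "TagResource", "ListTagsForResource", "UntagResource"]
CONTRIBUTOR_ACTIONS = [a for a in ADMIN_ACTIONS
                       if a not in ("DeleteConnection", "TagResource", "UntagResource")]
READ_ONLY_ACTIONS = ["GetConnection", "ListConnections", "ListInstallationTargets",
                     "GetInstallationUrl", "ListTagsForResource"]


def policy(sid, actions):
    """Single-statement Allow on Resource "*", the shape used by the tier policies above."""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": sid, "Effect": "Allow",
                           "Action": [SERVICE + a for a in actions], "Resource": "*"}]}


def validate(doc):
    """Return a list of structural problems (empty when the document is well formed).
    Only the Action/Resource form is handled, not NotAction/NotResource."""
    problems = []
    if doc.get("Version") != "2012-10-17":
        problems.append('Version must be "2012-10-17"')
    if "Statement" not in doc:
        problems.append("no top-level Statement: Sid/Effect/Action/Resource belong inside a statement")
        return problems
    statements = doc["Statement"]
    for i, stmt in enumerate(statements if isinstance(statements, list) else [statements]):
        for field in ("Effect", "Action", "Resource"):
            if field not in stmt:
                problems.append(f"statement {i}: missing {field}")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
    return problems


def allowed_actions(doc):
    """Union of the actions all Allow statements grant."""
    actions = set()
    statements = doc["Statement"]
    for stmt in (statements if isinstance(statements, list) else [statements]):
        if stmt.get("Effect") == "Allow":
            granted = stmt["Action"]
            actions.update(granted if isinstance(granted, list) else [granted])
    return actions


def check_tiers(admin, contributor, read_only):
    """Findings on the three-tier layout; empty when the tiers nest as intended."""
    findings = []
    a, c, r = (allowed_actions(p) for p in (admin, contributor, read_only))
    if not c <= a:
        findings.append(f"contributor grants actions admin lacks: {sorted(c - a)}")
    if not r <= c:
        findings.append(f"read-only grants actions contributor lacks: {sorted(r - c)}")
    if SERVICE + "DeleteConnection" in c:
        findings.append("contributor tier can delete connections")
    # A bare "*" has no action name after the colon and is flagged as non-read.
    non_read = sorted(x for x in r if not x.partition(":")[2].startswith(("Get", "List")))
    if non_read:
        findings.append(f"read-only tier has non-read actions: {non_read}")
    return findings


# Constructed input: the contributor snippet with its braces balanced but Sid,
# Effect, Action and Resource still at top level instead of inside Statement.
MALFORMED_CONTRIBUTOR = json.loads(
    '{"Version": "2012-10-17", "Sid": "AWSCodeStarConnectionsPowerUserAccess", '
    '"Effect": "Allow", "Action": ["codestar-connections:CreateConnection"], "Resource": "*"}')


if __name__ == "__main__":
    print("malformed:", validate(MALFORMED_CONTRIBUTOR))
    tiers = (policy("Admin", ADMIN_ACTIONS), policy("Contributor", CONTRIBUTOR_ACTIONS),
             policy("ReadOnly", READ_ONLY_ACTIONS))
    print("tier findings:", check_tiers(*tiers) or "none")
```

The lint only checks shape and nesting; it does not reason about resource ARNs or conditions, and it is no replacement for the IAM policy validation that the console and IAM Access Analyzer perform on a real document.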

Example: A scoped-down policy for using AWS CodeStar Connections with a specified repository

In the following example, the customer wants the build execution role to use the connection only for the specified Bitbucket repository. The connection ARN has the form arn:aws:codestar-connections:region:account-id:connection/connection-id; 123456789012 below is a placeholder for your account ID. codestar-connections:FullRepositoryId is a single-valued condition key, so the plain StringEquals operator is used: with the ForAllValues set operator, a request that carries no FullRepositoryId key would satisfy the condition and widen the grant. The policy on the CodeBuild execution role:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": [
            "codestar-connections:UseConnection"
        ],
        "Resource": "arn:aws:codestar-connections:us-west-2:123456789012:connection/3dee99b9-172f-4ebe-a257-722365a39557",
        "Condition": {
            "StringEquals": {
                "codestar-connections:FullRepositoryId": "myrepoowner/myreponame"
            }
        }
    }
}

Example: A policy to use a connection with CodePipeline

In the following example, an administrator wants users to be able to hand a connection to CodePipeline, and only to CodePipeline. PassConnection is what lets a principal attach the connection to a pipeline source action; the codestar-connections:PassedToService key is single-valued, so StringEquals is used. 123456789012 is a placeholder account ID. The policy attached to the user:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": [
            "codestar-connections:PassConnection"
        ],
        "Resource": "arn:aws:codestar-connections:us-west-2:123456789012:connection/aEXAMPLE-8aad-4d5d-8878-dfcab0bc441f",
        "Condition": {
            "StringEquals": {
                "codestar-connections:PassedToService": "codepipeline.amazonaws.com"
            }
        }
    }
}

Example: Use a build execution role for Bitbucket read operations with AWS CodeStar Connections

In the following example, the customer wants the build execution role to perform read operations on Bitbucket regardless of the repository. codestar-connections:ProviderPermissionsRequired takes the values read_only or read_write and describes the permission level of the provider operation behind a UseConnection request. 123456789012 is a placeholder account ID. The policy on the build execution role:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": [
            "codestar-connections:UseConnection"
        ],
        "Resource": "arn:aws:codestar-connections:us-west-2:123456789012:connection/aEXAMPLE-8aad-4d5d-8878-dfcab0bc441f",
        "Condition": {
            "StringEquals": {
                "codestar-connections:ProviderPermissionsRequired": "read_only"
            }
        }
    }
}

Example: Limit the build execution role from performing operations with AWS CodeStar Connections

In the following example, the customer wants to prevent the build execution role from performing an operation like CreateRepository. The provider operation is carried in the codestar-connections:ProviderAction condition key (ProviderPermissionsRequired only distinguishes read_only from read_write), so the statement allows UseConnection for every provider action except that one. Note that this is still an Allow: any other Allow statement that reaches the principal would grant CreateRepository again, which an explicit Deny statement on the same key would not. 123456789012 is a placeholder account ID. The policy on the build execution role:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": [
            "codestar-connections:UseConnection"
        ],
        "Resource": "arn:aws:codestar-connections:us-west-2:123456789012:connection/aEXAMPLE-8aad-4d5d-8878-dfcab0bc441f",
        "Condition": {
            "StringNotEquals": {
                "codestar-connections:ProviderAction": "CreateRepository"
            }
        }
    }
}
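The three scoped-down UseConnection policies above (repository, read-only provider operations, and the CreateRepository exclusion) all depend on how IAM treats a condition key that is missing from the request: StringEquals fails, but StringNotEquals and any ForAllValues form succeed. The following is an added example, not AWS code or code from this page: a small offline Python model of that evaluation, run against the page's three statements with constructed request contexts, so the difference between StringEquals and ForAllValues:StringEquals on an absent key is visible. The account ID, connection IDs and the context values (which keys the service supplies on a given UseConnection call) are assumptions; the model covers only the operators these policies use and is not a substitute for IAM's own evaluation.

```python
"""Offline model of how IAM evaluates the scoped-down UseConnection
policies above (added example; not AWS code). It covers only the
operators these policies use and the absent-key rule, and is no
substitute for IAM's own evaluation or the Access Analyzer policy checks."""
import fnmatch

# Assumed placeholders: AWS-style example account ID and connection ID.
CONNECTION_ARN = ("arn:aws:codestar-connections:us-west-2:123456789012:"
                  "connection/aEXAMPLE-8aad-4d5d-8878-dfcab0bc441f")
USE_CONNECTION = "codestar-connections:UseConnection"


def use_connection_policy(operator, key, value):
    """Allow UseConnection on CONNECTION_ARN under one condition, in the shape of the page's examples."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": [USE_CONNECTION],
                           "Resource": CONNECTION_ARN,
                           "Condition": {operator: {key: value}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(operator, key, policy_values, context):
    """IAM semantics for StringEquals / StringNotEquals, with or without ForAllValues."""
    set_op, _, base = operator.rpartition(":")
    if base not in ("StringEquals", "StringNotEquals") or set_op not in ("", "ForAllValues"):
        raise ValueError(f"operator not modelled: {operator}")
    negated = base == "StringNotEquals"
    if key not in context:
        # Absent key: StringEquals is false, but StringNotEquals and every
        # ForAllValues form evaluate to true. This is what widens a
        # ForAllValues:StringEquals grant when the service sends no key.
        return negated or set_op == "ForAllValues"
    wanted = [str(v) for v in _as_list(policy_values)]
    present = [str(v) for v in _as_list(context[key])]
    if set_op == "ForAllValues":
        return all((v in wanted) != negated for v in present)
    return (present[0] in wanted) != negated


def _matches(patterns, value):
    """IAM-style wildcard match (* and ?), case-insensitive."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def evaluate(policy, action, resource, context):
    """Return 'Allow', 'Deny' or 'ImplicitDeny'. An explicit Deny wins over any Allow."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        conditions = stmt.get("Condition", {})
        if not all(_condition_holds(op, key, vals, context)
                   for op, pairs in conditions.items() for key, vals in pairs.items()):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def demo():
    """Run the page's three scoped-down cases against constructed request contexts."""
    repo_key = "codestar-connections:FullRepositoryId"
    perm_key = "codestar-connections:ProviderPermissionsRequired"
    action_key = "codestar-connections:ProviderAction"
    strict = use_connection_policy("StringEquals", repo_key, "myrepoowner/myreponame")
    loose = use_connection_policy("ForAllValues:StringEquals", repo_key, "myrepoowner/myreponame")
    read_only = use_connection_policy("StringEquals", perm_key, "read_only")
    no_create = use_connection_policy("StringNotEquals", action_key, "CreateRepository")
    other_arn = CONNECTION_ARN.replace("aEXAMPLE", "bEXAMPLE")  # a different (assumed) connection
    cases = {
        "repo: own repository": (strict, CONNECTION_ARN, {repo_key: "myrepoowner/myreponame"}),
        "repo: other repository": (strict, CONNECTION_ARN, {repo_key: "someone/else"}),
        "repo: other connection": (strict, other_arn, {repo_key: "myrepoowner/myreponame"}),
        "repo: key absent, StringEquals": (strict, CONNECTION_ARN, {}),
        "repo: key absent, ForAllValues": (loose, CONNECTION_ARN, {}),
        "read_only: read request": (read_only, CONNECTION_ARN, {perm_key: "read_only"}),
        "read_only: write request": (read_only, CONNECTION_ARN, {perm_key: "read_write"}),
        "no_create: CreateRepository": (no_create, CONNECTION_ARN, {action_key: "CreateRepository"}),
        "no_create: ListRepositories": (no_create, CONNECTION_ARN, {action_key: "ListRepositories"}),
    }
    return {name: evaluate(pol, USE_CONNECTION, arn, ctx) for name, (pol, arn, ctx) in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:34} -> {decision}")
```

Only the "key absent" pair differs between the two operators: the StringEquals statement implicitly denies a request without a repository key, while the ForAllValues:StringEquals statement allows it. When a condition key is single-valued, as all three keys used on this page are, the plain operator is the one that enforces the intended scope.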