CodePipeline permissions reference - AWS CodePipeline

Use the following table as a reference when you are setting up access control and writing permissions policies that you can attach to an IAM identity (identity-based policies). The table lists each CodePipeline API operation and the corresponding action for which you can grant permission to perform it. For operations that support resource-level permissions, the table lists the AWS resource for which you can grant the permissions. You specify the actions in the policy's Action field.

Resource-level permissions are those that allow you to specify which resources users are allowed to perform actions on. AWS CodePipeline provides partial support for resource-level permissions. This means that for some AWS CodePipeline API calls, you can control when users are allowed to use those actions based on conditions that must be met, or which resources users are allowed to use. For example, you can grant users permission to list pipeline execution information, but only for a specific pipeline or pipelines.

Note

The Resources column lists the resource required for API calls that support resource-level permissions. For API calls that do not support resource-level permissions, you can grant users permission to use it, but you have to specify a wildcard (*) for the resource element of your policy statement.
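As an added illustration of the wildcard rule above, and not taken from the AWS documentation: a small Python linter that reads an IAM policy document and flags two mistakes against the table below, a wildcard-only action scoped to an ARN (the statement never matches, so the call is denied) and a pipeline-scoped action granted on "*" (broader than the service allows you to be). The action sets, the sample policy, and its account id and pipeline name are constructed for the example.

```python
import json

# Actions the reference table marks "Supports only a wildcard (*)": scoping
# them to an ARN yields a statement that never matches, so the caller is
# denied even though the policy looks permissive.
WILDCARD_ONLY = {f"codepipeline:{a}" for a in (
    "AcknowledgeJob", "AcknowledgeThirdPartyJob", "GetThirdPartyJobDetails",
    "ListActionTypes", "PollForThirdPartyJobs", "PutJobFailureResult",
    "PutJobSuccessResult", "PutThirdPartyJobFailureResult",
    "PutThirdPartyJobSuccessResult")}

# Actions the table maps to a pipeline ARN: granting them on "*" gives up the
# resource-level scoping the service offers (over-broad for least privilege).
PIPELINE_SCOPED = {f"codepipeline:{a}" for a in (
    "CreatePipeline", "DeletePipeline", "DisableStageTransition",
    "EnableStageTransition", "GetPipeline", "GetPipelineExecution",
    "GetPipelineState", "ListActionExecutions", "ListPipelineExecutions",
    "RetryStageExecution", "StartPipelineExecution", "StopPipelineExecution",
    "UpdatePipeline")}

def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalize to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def lint_policy(policy_json):
    """Return (statement index, action, problem) tuples for Allow statements."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue  # Deny and NotAction statements are out of scope here
        resources = _as_list(stmt.get("Resource"))
        for action in _as_list(stmt["Action"]):  # "codepipeline:*" is not expanded
            if action in WILDCARD_ONLY and "*" not in resources:
                findings.append((i, action, "wildcard-only action scoped to an ARN; never matches"))
            elif action in PIPELINE_SCOPED and "*" in resources:
                findings.append((i, action, "pipeline-scoped action granted on *; narrow to a pipeline ARN"))
    return findings

# Constructed sample policy; the account id and pipeline name are placeholders.
PIPELINE_ARN = "arn:aws:codepipeline:us-east-1:111122223333:MyPipeline"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["codepipeline:ListPipelineExecutions",
     "codepipeline:GetPipelineState"], "Resource": PIPELINE_ARN},  # scoped, OK
    {"Effect": "Allow", "Action": ["codepipeline:AcknowledgeJob",
     "codepipeline:PutJobSuccessResult"], "Resource": "*"},  # must be "*", OK
    {"Effect": "Allow", "Action": "codepipeline:GetThirdPartyJobDetails",
     "Resource": PIPELINE_ARN},  # broken: this grant will never authorize
    {"Effect": "Allow", "Action": "codepipeline:StartPipelineExecution",
     "Resource": "*"}]})  # over-broad: could be scoped to one pipeline
```

Running lint_policy(SAMPLE_POLICY) reports the third and fourth statements; the first two pass because each uses the Resource form the table prescribes for its actions.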

CodePipeline API operations and required permissions for actions

Each entry below gives, in order: the CodePipeline API operation, the required permission (API action), a description, and the resource type and ARN format for the Resource element.

AcknowledgeJob

codepipeline:AcknowledgeJob

Required to view information about a specified job and whether that job has been received by the job worker. Used for custom actions only.

Supports only a wildcard (*) in the policy Resource element.

AcknowledgeThirdPartyJob

codepipeline:AcknowledgeThirdPartyJob

Required to confirm a job worker has received the specified job. Used for partner actions only.

Supports only a wildcard (*) in the policy Resource element.

CreateCustomActionType

codepipeline:CreateCustomActionType

Required to create a custom action that can be used in all pipelines associated with the AWS account. Used for custom actions only.

Action Type

arn:aws:codepipeline:region:account:actiontype:owner/category/provider/version

CreatePipeline

codepipeline:CreatePipeline

Required to create a pipeline.

Pipeline

arn:aws:codepipeline:region:account:pipeline-name

DeleteCustomActionType

codepipeline:DeleteCustomActionType

Required to mark a custom action as deleted. PollForJobs for the custom action fails after the action is marked for deletion. Used for custom actions only.

Action Type

arn:aws:codepipeline:region:account:actiontype:owner/category/provider/version

DeletePipeline

codepipeline:DeletePipeline

Required to delete a pipeline.

Pipeline

arn:aws:codepipeline:region:account:pipeline-name

DeleteWebhook

codepipeline:DeleteWebhook

Required to delete a webhook.

Webhook

arn:aws:codepipeline:region:account:webhook:webhook-name

DeregisterWebhookWithThirdParty

codepipeline:DeregisterWebhookWithThirdParty

Required, before a webhook is deleted, to remove the connection between the webhook that CodePipeline created and the external tool whose events are to be detected. Currently supported only for webhooks that target a GitHub action type.

Webhook

arn:aws:codepipeline:region:account:webhook:webhook-name

DisableStageTransition

codepipeline:DisableStageTransition

Required to prevent artifacts in a pipeline from transitioning to the next stage in the pipeline.

Pipeline

arn:aws:codepipeline:region:account:pipeline-name

EnableStageTransition

codepipeline:EnableStageTransition

Required to enable artifacts in a pipeline to transition to a stage in a pipeline.

Pipeline

arn:aws:codepipeline:region:account:pipeline-name

GetJobDetails

codepipeline:GetJobDetails

Required to retrieve information about a job. Used for custom actions only.

No resource required.

GetPipeline

codepipeline:GetPipeline

Required to retrieve the structure, stages, actions, and metadata of a pipeline, including the pipeline ARN.

Pipeline

arn:aws:codepipeline:region:account:pipeline-name

GetPipelineExecution

codepipeline:GetPipelineExecution

Required to retrieve information about an execution of a pipeline, including details about artifacts, the pipeline execution ID, and the name, version, and status of the pipeline.

Pipeline

arn:aws:codepipeline:region:account:pipeline-name

GetPipelineState

codepipeline:GetPipelineState

Required to retrieve information about the state of a pipeline, including the stages and actions.

Pipeline

arn:aws:codepipeline:region:account:pipeline-name

GetThirdPartyJobDetails

codepipeline:GetThirdPartyJobDetails

Required to request the details of a job for a third-party action. Used for partner actions only.

Supports only a wildcard (*) in the policy Resource element.

ListActionExecutions

codepipeline:ListActionExecutions

Required to generate a summary of all executions for an action.

Pipeline

arn:aws:codepipeline:region:account:pipeline-name

ListActionTypes

codepipeline:ListActionTypes

Required to generate a summary of all CodePipeline action types associated with your account.

Supports only a wildcard (*) in the policy Resource element.

ListPipelineExecutions

codepipeline:ListPipelineExecutions

Required to generate a summary of the most recent executions for a pipeline.

Pipeline

arn:aws:codepipeline:region:account:pipeline-name

ListPipelines

codepipeline:ListPipelines

Required to generate a summary of all of the pipelines associated with your account.

Pipeline ARN with wildcard (resource-level permissions at the pipeline name level are not supported)

arn:aws:codepipeline:region:account:*

ListTagsForResource

codepipeline:ListTagsForResource

Required to list tags for a specified resource.

Resources are optional.

Action Type

arn:aws:codepipeline:region:account:actiontype:owner/category/provider/version

Pipeline

arn:aws:codepipeline:region:account:pipeline-name

Webhook

arn:aws:codepipeline:region:account:webhook:webhook-name

ListWebhooks

codepipeline:ListWebhooks

Required to list all of the webhooks in the account for that Region.

Webhook

arn:aws:codepipeline:region:account:webhook:webhook-name

PollForJobs

codepipeline:PollForJobs

Required to determine whether there are any jobs for a job worker to act on. Used for custom actions only.

Action Type

arn:aws:codepipeline:region:account:actiontype:owner/category/provider/version

PollForThirdPartyJobs

codepipeline:PollForThirdPartyJobs

Required to determine whether there are any third-party jobs for a job worker to act on. Used for partner actions only.

Supports only a wildcard (*) in the policy Resource element.

PutActionRevision

codepipeline:PutActionRevision

Required to report information to CodePipeline about new revisions to a source.

Action

arn:aws:codepipeline:region:account:pipeline-name/stage-name/action-name

PutApprovalResult

codepipeline:PutApprovalResult

Required to report the response to a manual approval request to CodePipeline. Valid responses are Approved and Rejected.

Action

arn:aws:codepipeline:region:account:pipeline-name/stage-name/action-name

Note

This API call supports resource-level permissions. However, you might encounter an error if you use the IAM console or Policy Generator to create policies with "codepipeline:PutApprovalResult" that specify a resource ARN. If you encounter an error, you can use the JSON tab in the IAM console or the CLI to create a policy.

PutJobFailureResult

codepipeline:PutJobFailureResult

Required to report the failure of a job as returned to the pipeline by a job worker. Used for custom actions only.

Supports only a wildcard (*) in the policy Resource element.

PutJobSuccessResult

codepipeline:PutJobSuccessResult

Required to report the success of a job as returned to the pipeline by a job worker. Used for custom actions only.

Supports only a wildcard (*) in the policy Resource element.

PutThirdPartyJobFailureResult

codepipeline:PutThirdPartyJobFailureResult

Required to report the failure of a third-party job as returned to the pipeline by a job worker. Used for partner actions only.

Supports only a wildcard (*) in the policy Resource element.

PutThirdPartyJobSuccessResult

codepipeline:PutThirdPartyJobSuccessResult

Required to report the success of a third-party job as returned to the pipeline by a job worker. Used for partner actions only.

Supports only a wildcard (*) in the policy Resource element.

PutWebhook

codepipeline:PutWebhook

Required to create a webhook.

Pipeline

arn:aws:codepipeline:region:account:pipeline-name

Webhook

arn:aws:codepipeline:region:account:webhook:webhook-name

RegisterWebhookWithThirdParty

codepipeline:RegisterWebhookWithThirdParty

After a webhook is created, required to configure supported third parties to call the generated webhook URL.

Webhook

arn:aws:codepipeline:region:account:webhook:webhook-name

RetryStageExecution

codepipeline:RetryStageExecution

Required to resume the pipeline execution by retrying the last failed actions in a stage.

Pipeline

arn:aws:codepipeline:region:account:pipeline-name/stage-name

StartPipelineExecution

codepipeline:StartPipelineExecution

Required to start the specified pipeline (specifically, to start processing the latest commit to the source location specified as part of the pipeline).

Pipeline

arn:aws:codepipeline:region:account:pipeline-name

StopPipelineExecution

codepipeline:StopPipelineExecution

Required to stop the specified pipeline execution. You choose to either stop the pipeline execution by completing in-progress actions without starting subsequent actions, or by abandoning in-progress actions.

Pipeline

arn:aws:codepipeline:region:account:pipeline-name

TagResource

codepipeline:TagResource

Required to tag the specified resource.

Resources are optional.

Action Type

arn:aws:codepipeline:region:account:actiontype:owner/category/provider/version

Pipeline

arn:aws:codepipeline:region:account:pipeline-name

Webhook

arn:aws:codepipeline:region:account:webhook:webhook-name

UntagResource

codepipeline:UntagResource

Required to untag the specified resource.

Resources are optional.

Action Type

arn:aws:codepipeline:region:account:actiontype:owner/category/provider/version

Pipeline

arn:aws:codepipeline:region:account:pipeline-name

Webhook

arn:aws:codepipeline:region:account:webhook:webhook-name

UpdatePipeline

codepipeline:UpdatePipeline

Required to update a specified pipeline with edits or changes to its structure.

Pipeline

arn:aws:codepipeline:region:account:pipeline-name