Using identity-based policies (IAM policies) for CodeCommit - AWS CodeCommit

The following examples of identity-based policies demonstrate how an account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles) to grant permissions to perform operations on CodeCommit resources.

Important

We recommend that you first review the introductory topics that explain the basic concepts and options available to manage access to your CodeCommit resources. For more information, see Overview of managing access permissions to your CodeCommit resources.

The following is an example of an identity-based permissions policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codecommit:BatchGetRepositories"
      ],
      "Resource": [
        "arn:aws:codecommit:us-east-2:111111111111:MyDestinationRepo",
        "arn:aws:codecommit:us-east-2:111111111111:MyDemo*"
      ]
    }
  ]
}

This policy has one statement that allows a user to get information about the CodeCommit repository named MyDestinationRepo and about all CodeCommit repositories whose names start with MyDemo, in the us-east-2 Region.

Permissions required to use the CodeCommit console

To see the permissions required for each CodeCommit API operation, and for more information about CodeCommit operations, see CodeCommit permissions reference.

To allow users to use the CodeCommit console, the administrator must grant them permissions for CodeCommit actions. For example, you could attach the AWSCodeCommitPowerUser managed policy or its equivalent to a user or group.

In addition to the permissions granted to users through identity-based policies, CodeCommit requires permissions for AWS Key Management Service (AWS KMS) actions. An IAM user does not need explicit Allow permissions for these actions, but the user must not have any policy attached that sets the following permissions to Deny:

"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey"

For more information about encryption and CodeCommit, see AWS KMS and encryption.
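The KMS requirement above is easy to break with a broad Deny in a permissions boundary, a service control policy, or a "no KMS" policy attached to a group, and the symptom (Git operations failing against an encrypted repository) is not obviously an IAM problem. The following Python script is an added example, not part of the AWS documentation: it scans a set of policy documents for Deny statements that cover any of the six actions listed above, including wildcard patterns and NotAction statements. The two policy documents inside it are constructed for the example; conditions on Deny statements are ignored on purpose, so a conditional Deny is still reported for manual review.

```python
"""Added example: flag Deny statements that would block the AWS KMS actions CodeCommit needs."""
import json
from fnmatch import fnmatchcase

# The KMS actions listed on this page that CodeCommit needs and that no attached policy may deny.
REQUIRED_KMS_ACTIONS = (
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt", "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey",
)


def _as_list(value):
    """IAM accepts either a single string or a list in Action and NotAction."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def _covered(action, patterns):
    """Case-insensitive wildcard match, the way IAM matches action names ('*' and '?')."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def denied_kms_actions(policies):
    """Return the required KMS actions that some Deny statement in `policies` covers.

    A Deny using Action covers the listed patterns; a Deny using NotAction covers every
    action that matches none of its patterns. Conditions are ignored deliberately, so a
    conditional Deny is still reported and can be reviewed by hand.
    """
    flagged = set()
    for doc in policies:
        for stmt in _as_list(doc.get("Statement")):
            if stmt.get("Effect") != "Deny":
                continue
            actions, not_actions = _as_list(stmt.get("Action")), _as_list(stmt.get("NotAction"))
            for required in REQUIRED_KMS_ACTIONS:
                if _covered(required, actions):
                    flagged.add(required)
                elif not_actions and not _covered(required, not_actions):
                    flagged.add(required)
    return sorted(flagged)


# Constructed sample policies, not from the page: the second one would break CodeCommit.
CLEAN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [ { "Effect": "Allow", "Action": "codecommit:*", "Resource": "*" } ]
}""")
BROKEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Deny", "NotAction": [ "kms:DescribeKey", "kms:List*" ], "Resource": "*" },
    { "Effect": "Deny", "Action": "kms:GenerateDataKey*", "Resource": "*" }
  ]
}""")

if __name__ == "__main__":
    for name, docs in (("clean", [CLEAN_POLICY]), ("broken", [CLEAN_POLICY, BROKEN_POLICY])):
        print(name, denied_kms_actions(docs) or "no blocking Deny found")
```

Run it over every policy document attached to the user, the user's groups, and any permissions boundary; a non-empty result names the actions that need an exception before CodeCommit will work for that principal.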

Viewing resources in the console

The CodeCommit console requires the ListRepositories permission to display a list of repositories for your AWS account in the AWS Region where you are signed in. The console also includes a Go to resource function to quickly perform a case-insensitive search for resources. This search is performed in your AWS account in the AWS Region where you are signed in. The following resources are displayed across the following services:

  • AWS CodeBuild: Build projects

  • AWS CodeCommit: Repositories

  • AWS CodeDeploy: Applications

  • AWS CodePipeline: Pipelines

To perform this search across resources in all services, you must have the following permissions:

  • CodeBuild: ListProjects

  • CodeCommit: ListRepositories

  • CodeDeploy: ListApplications

  • CodePipeline: ListPipelines

Results are not returned for a service's resources if you do not have permissions for that service. Even if you have permissions to view resources, specific resources are not returned if there is an explicit Deny on viewing those resources.

AWS managed (predefined) policies for CodeCommit

AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. These AWS managed policies grant the permissions needed for common use cases. The managed policies for CodeCommit also provide permissions to perform operations in other services, such as IAM, Amazon SNS, and Amazon CloudWatch Events, as required for the responsibilities of the users who have been granted the policy in question. For example, the AWSCodeCommitFullAccess policy is an administrative-level user policy that allows users with this policy to create and manage CloudWatch Events rules for repositories (rules whose names are prefixed with codecommit) and Amazon SNS topics for notifications about repository-related events (topics whose names are prefixed with codecommit), as well as administer repositories in CodeCommit.

The following AWS managed policies, which you can attach to users in your account, are specific to CodeCommit.

AWSCodeCommitFullAccess

AWSCodeCommitFullAccess – Grants full access to CodeCommit. Apply this policy only to administrative-level users to whom you want to grant full control over CodeCommit repositories and related resources in your AWS account, including the ability to delete repositories.

The AWSCodeCommitFullAccess policy contains the following policy statement:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "codecommit:*" ],
      "Resource": "*"
    },
    {
      "Sid": "CloudWatchEventsCodeCommitRulesAccess",
      "Effect": "Allow",
      "Action": [
        "events:DeleteRule", "events:DescribeRule", "events:DisableRule", "events:EnableRule",
        "events:PutRule", "events:PutTargets", "events:RemoveTargets", "events:ListTargetsByRule"
      ],
      "Resource": "arn:aws:events:*:*:rule/codecommit*"
    },
    {
      "Sid": "SNSTopicAndSubscriptionAccess",
      "Effect": "Allow",
      "Action": [
        "sns:CreateTopic", "sns:DeleteTopic", "sns:Subscribe", "sns:Unsubscribe", "sns:SetTopicAttributes"
      ],
      "Resource": "arn:aws:sns:*:*:codecommit*"
    },
    {
      "Sid": "SNSTopicAndSubscriptionReadAccess",
      "Effect": "Allow",
      "Action": [ "sns:ListTopics", "sns:ListSubscriptionsByTopic", "sns:GetTopicAttributes" ],
      "Resource": "*"
    },
    {
      "Sid": "LambdaReadOnlyListAccess",
      "Effect": "Allow",
      "Action": [ "lambda:ListFunctions" ],
      "Resource": "*"
    },
    {
      "Sid": "IAMReadOnlyListAccess",
      "Effect": "Allow",
      "Action": [ "iam:ListUsers" ],
      "Resource": "*"
    },
    {
      "Sid": "IAMReadOnlyConsoleAccess",
      "Effect": "Allow",
      "Action": [ "iam:ListAccessKeys", "iam:ListSSHPublicKeys", "iam:ListServiceSpecificCredentials" ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "IAMUserSSHKeys",
      "Effect": "Allow",
      "Action": [
        "iam:DeleteSSHPublicKey", "iam:GetSSHPublicKey", "iam:ListSSHPublicKeys",
        "iam:UpdateSSHPublicKey", "iam:UploadSSHPublicKey"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "IAMSelfManageServiceSpecificCredentials",
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceSpecificCredential", "iam:UpdateServiceSpecificCredential",
        "iam:DeleteServiceSpecificCredential", "iam:ResetServiceSpecificCredential"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "CodeStarNotificationsReadWriteAccess",
      "Effect": "Allow",
      "Action": [
        "codestar-notifications:CreateNotificationRule", "codestar-notifications:DescribeNotificationRule",
        "codestar-notifications:UpdateNotificationRule", "codestar-notifications:DeleteNotificationRule",
        "codestar-notifications:Subscribe", "codestar-notifications:Unsubscribe"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": { "codestar-notifications:NotificationsForResource": "arn:aws:codecommit:*" }
      }
    },
    {
      "Sid": "CodeStarNotificationsListAccess",
      "Effect": "Allow",
      "Action": [
        "codestar-notifications:ListNotificationRules", "codestar-notifications:ListTargets",
        "codestar-notifications:ListTagsforResource", "codestar-notifications:ListEventTypes"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CodeStarNotificationsSNSTopicCreateAccess",
      "Effect": "Allow",
      "Action": [ "sns:CreateTopic", "sns:SetTopicAttributes" ],
      "Resource": "arn:aws:sns:*:*:codestar-notifications*"
    },
    {
      "Sid": "AmazonCodeGuruReviewerFullAccess",
      "Effect": "Allow",
      "Action": [
        "codeguru-reviewer:AssociateRepository", "codeguru-reviewer:DescribeRepositoryAssociation",
        "codeguru-reviewer:ListRepositoryAssociations", "codeguru-reviewer:DisassociateRepository",
        "codeguru-reviewer:DescribeCodeReview", "codeguru-reviewer:ListCodeReviews"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonCodeGuruReviewerSLRCreation",
      "Action": "iam:CreateServiceLinkedRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/aws-service-role/codeguru-reviewer.amazonaws.com/AWSServiceRoleForAmazonCodeGuruReviewer",
      "Condition": {
        "StringLike": { "iam:AWSServiceName": "codeguru-reviewer.amazonaws.com" }
      }
    },
    {
      "Sid": "CloudWatchEventsManagedRules",
      "Effect": "Allow",
      "Action": [ "events:PutRule", "events:PutTargets", "events:DeleteRule", "events:RemoveTargets" ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "events:ManagedBy": "codeguru-reviewer.amazonaws.com" }
      }
    },
    {
      "Sid": "CodeStarNotificationsChatbotAccess",
      "Effect": "Allow",
      "Action": [ "chatbot:DescribeSlackChannelConfigurations" ],
      "Resource": "*"
    }
  ]
}

AWSCodeCommitPowerUser

AWSCodeCommitPowerUser – Allows users access to all of the functionality of CodeCommit and repository-related resources, except that it does not allow them to delete CodeCommit repositories or to create or delete repository-related resources in other AWS services, such as Amazon CloudWatch Events. We recommend that you apply this policy to most users.

The AWSCodeCommitPowerUser policy contains the following policy statement:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codecommit:AssociateApprovalRuleTemplateWithRepository",
        "codecommit:BatchAssociateApprovalRuleTemplateWithRepositories",
        "codecommit:BatchDisassociateApprovalRuleTemplateFromRepositories",
        "codecommit:BatchGet*", "codecommit:BatchDescribe*", "codecommit:Create*",
        "codecommit:DeleteBranch", "codecommit:DeleteFile", "codecommit:Describe*",
        "codecommit:DisassociateApprovalRuleTemplateFromRepository",
        "codecommit:EvaluatePullRequestApprovalRules", "codecommit:Get*", "codecommit:List*",
        "codecommit:Merge*", "codecommit:OverridePullRequestApprovalRules", "codecommit:Put*",
        "codecommit:Post*", "codecommit:TagResource", "codecommit:Test*", "codecommit:UntagResource",
        "codecommit:Update*", "codecommit:GitPull", "codecommit:GitPush"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CloudWatchEventsCodeCommitRulesAccess",
      "Effect": "Allow",
      "Action": [
        "events:DeleteRule", "events:DescribeRule", "events:DisableRule", "events:EnableRule",
        "events:PutRule", "events:PutTargets", "events:RemoveTargets", "events:ListTargetsByRule"
      ],
      "Resource": "arn:aws:events:*:*:rule/codecommit*"
    },
    {
      "Sid": "SNSTopicAndSubscriptionAccess",
      "Effect": "Allow",
      "Action": [ "sns:Subscribe", "sns:Unsubscribe" ],
      "Resource": "arn:aws:sns:*:*:codecommit*"
    },
    {
      "Sid": "SNSTopicAndSubscriptionReadAccess",
      "Effect": "Allow",
      "Action": [ "sns:ListTopics", "sns:ListSubscriptionsByTopic", "sns:GetTopicAttributes" ],
      "Resource": "*"
    },
    {
      "Sid": "LambdaReadOnlyListAccess",
      "Effect": "Allow",
      "Action": [ "lambda:ListFunctions" ],
      "Resource": "*"
    },
    {
      "Sid": "IAMReadOnlyListAccess",
      "Effect": "Allow",
      "Action": [ "iam:ListUsers" ],
      "Resource": "*"
    },
    {
      "Sid": "IAMReadOnlyConsoleAccess",
      "Effect": "Allow",
      "Action": [ "iam:ListAccessKeys", "iam:ListSSHPublicKeys", "iam:ListServiceSpecificCredentials" ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "IAMUserSSHKeys",
      "Effect": "Allow",
      "Action": [
        "iam:DeleteSSHPublicKey", "iam:GetSSHPublicKey", "iam:ListSSHPublicKeys",
        "iam:UpdateSSHPublicKey", "iam:UploadSSHPublicKey"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "IAMSelfManageServiceSpecificCredentials",
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceSpecificCredential", "iam:UpdateServiceSpecificCredential",
        "iam:DeleteServiceSpecificCredential", "iam:ResetServiceSpecificCredential"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "CodeStarNotificationsReadWriteAccess",
      "Effect": "Allow",
      "Action": [
        "codestar-notifications:CreateNotificationRule", "codestar-notifications:DescribeNotificationRule",
        "codestar-notifications:UpdateNotificationRule", "codestar-notifications:Subscribe",
        "codestar-notifications:Unsubscribe"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": { "codestar-notifications:NotificationsForResource": "arn:aws:codecommit:*" }
      }
    },
    {
      "Sid": "CodeStarNotificationsListAccess",
      "Effect": "Allow",
      "Action": [
        "codestar-notifications:ListNotificationRules", "codestar-notifications:ListTargets",
        "codestar-notifications:ListTagsforResource", "codestar-notifications:ListEventTypes"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonCodeGuruReviewerFullAccess",
      "Effect": "Allow",
      "Action": [
        "codeguru-reviewer:AssociateRepository", "codeguru-reviewer:DescribeRepositoryAssociation",
        "codeguru-reviewer:ListRepositoryAssociations", "codeguru-reviewer:DisassociateRepository",
        "codeguru-reviewer:DescribeCodeReview", "codeguru-reviewer:ListCodeReviews"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonCodeGuruReviewerSLRCreation",
      "Action": "iam:CreateServiceLinkedRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/aws-service-role/codeguru-reviewer.amazonaws.com/AWSServiceRoleForAmazonCodeGuruReviewer",
      "Condition": {
        "StringLike": { "iam:AWSServiceName": "codeguru-reviewer.amazonaws.com" }
      }
    },
    {
      "Sid": "CloudWatchEventsManagedRules",
      "Effect": "Allow",
      "Action": [ "events:PutRule", "events:PutTargets", "events:DeleteRule", "events:RemoveTargets" ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "events:ManagedBy": "codeguru-reviewer.amazonaws.com" }
      }
    },
    {
      "Sid": "CodeStarNotificationsChatbotAccess",
      "Effect": "Allow",
      "Action": [ "chatbot:DescribeSlackChannelConfigurations" ],
      "Resource": "*"
    }
  ]
}

AWSCodeCommitReadOnly

AWSCodeCommitReadOnly – Grants read-only access to CodeCommit and to repository-related resources in other AWS services, as well as the ability to create and manage the user's own CodeCommit-related resources (such as the Git credentials and SSH keys their IAM user uses when accessing repositories). Apply this policy to users to whom you want to grant the ability to read the contents of a repository, but not to change those contents.

The AWSCodeCommitReadOnly policy contains the following policy statement:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codecommit:BatchGet*", "codecommit:BatchDescribe*", "codecommit:Describe*",
        "codecommit:EvaluatePullRequestApprovalRules", "codecommit:Get*", "codecommit:List*",
        "codecommit:GitPull"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CloudWatchEventsCodeCommitRulesReadOnlyAccess",
      "Effect": "Allow",
      "Action": [ "events:DescribeRule", "events:ListTargetsByRule" ],
      "Resource": "arn:aws:events:*:*:rule/codecommit*"
    },
    {
      "Sid": "SNSSubscriptionAccess",
      "Effect": "Allow",
      "Action": [ "sns:ListTopics", "sns:ListSubscriptionsByTopic", "sns:GetTopicAttributes" ],
      "Resource": "*"
    },
    {
      "Sid": "LambdaReadOnlyListAccess",
      "Effect": "Allow",
      "Action": [ "lambda:ListFunctions" ],
      "Resource": "*"
    },
    {
      "Sid": "IAMReadOnlyListAccess",
      "Effect": "Allow",
      "Action": [ "iam:ListUsers" ],
      "Resource": "*"
    },
    {
      "Sid": "IAMReadOnlyConsoleAccess",
      "Effect": "Allow",
      "Action": [
        "iam:ListAccessKeys", "iam:ListSSHPublicKeys", "iam:ListServiceSpecificCredentials",
        "iam:ListAccessKeys", "iam:GetSSHPublicKey"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "CodeStarNotificationsReadOnlyAccess",
      "Effect": "Allow",
      "Action": [ "codestar-notifications:DescribeNotificationRule" ],
      "Resource": "*",
      "Condition": {
        "StringLike": { "codestar-notifications:NotificationsForResource": "arn:aws:codecommit:*" }
      }
    },
    {
      "Sid": "CodeStarNotificationsListAccess",
      "Effect": "Allow",
      "Action": [
        "codestar-notifications:ListNotificationRules", "codestar-notifications:ListEventTypes",
        "codestar-notifications:ListTargets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonCodeGuruReviewerReadOnlyAccess",
      "Effect": "Allow",
      "Action": [
        "codeguru-reviewer:DescribeRepositoryAssociation", "codeguru-reviewer:ListRepositoryAssociations",
        "codeguru-reviewer:DescribeCodeReview", "codeguru-reviewer:ListCodeReviews"
      ],
      "Resource": "*"
    }
  ]
}
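The difference between the three managed policies that matters most in practice is which actions their first (codecommit) statement covers, and that is decided by IAM's wildcard matching. The following Python script is an added example, not from the AWS documentation or the managed policies themselves: it copies the codecommit action patterns from the three policies printed above and reports which policy grants each of a handful of sample actions. It shows why codecommit:CreateRepository is granted to a PowerUser through codecommit:Create*, while codecommit:DeleteRepository is granted only by AWSCodeCommitFullAccess because AWSCodeCommitPowerUser names codecommit:DeleteBranch and codecommit:DeleteFile individually rather than using codecommit:Delete*. Only the sample action list is an assumption; the patterns are those shown on this page.

```python
"""Added example: which of the CodeCommit managed policies on this page grants a given action?
Only the codecommit statement of each policy is modelled; the other statements cover other services."""
from fnmatch import fnmatchcase

# Action patterns copied from the first statement of each managed policy printed above.
MANAGED_POLICY_ACTIONS = {
    "AWSCodeCommitFullAccess": ["codecommit:*"],
    "AWSCodeCommitPowerUser": [
        "codecommit:AssociateApprovalRuleTemplateWithRepository",
        "codecommit:BatchAssociateApprovalRuleTemplateWithRepositories",
        "codecommit:BatchDisassociateApprovalRuleTemplateFromRepositories",
        "codecommit:BatchGet*", "codecommit:BatchDescribe*", "codecommit:Create*",
        "codecommit:DeleteBranch", "codecommit:DeleteFile", "codecommit:Describe*",
        "codecommit:DisassociateApprovalRuleTemplateFromRepository",
        "codecommit:EvaluatePullRequestApprovalRules", "codecommit:Get*", "codecommit:List*",
        "codecommit:Merge*", "codecommit:OverridePullRequestApprovalRules", "codecommit:Put*",
        "codecommit:Post*", "codecommit:TagResource", "codecommit:Test*",
        "codecommit:UntagResource", "codecommit:Update*", "codecommit:GitPull", "codecommit:GitPush",
    ],
    "AWSCodeCommitReadOnly": [
        "codecommit:BatchGet*", "codecommit:BatchDescribe*", "codecommit:Describe*",
        "codecommit:EvaluatePullRequestApprovalRules", "codecommit:Get*", "codecommit:List*",
        "codecommit:GitPull",
    ],
}


def action_matches(action, patterns):
    """IAM compares action names case-insensitively; '*' and '?' are wildcards."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def policies_granting(action):
    """Names of the managed policies whose codecommit statement covers the action."""
    return [name for name, patterns in MANAGED_POLICY_ACTIONS.items()
            if action_matches(action, patterns)]


def coverage_report(actions):
    """Map each action to the policies granting it; actions granted by none map to an empty list."""
    return {action: policies_granting(action) for action in actions}


# Constructed sample of actions a policy reviewer typically asks about.
SAMPLE_ACTIONS = [
    "codecommit:GitPull", "codecommit:GitPush", "codecommit:PutFile",
    "codecommit:CreateRepository", "codecommit:DeleteBranch", "codecommit:DeleteRepository",
]

if __name__ == "__main__":
    for action, names in coverage_report(SAMPLE_ACTIONS).items():
        print(f"{action:32} {', '.join(names) or '(none)'}")
```

When a team asks for "PowerUser plus one more action", run the action through this check first: if it already falls under a wildcard such as codecommit:Put*, no extra policy is needed, and if it does not (as with codecommit:DeleteRepository), the request is really for something the policy was designed to withhold.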

CodeCommit managed policies and notifications

AWS CodeCommit supports notifications, which can notify users of important changes to repositories. Managed policies for CodeCommit include policy statements for notification functionality. For more information, see What are notifications?

Permissions related to notifications in full access managed policies

The AWSCodeCommitFullAccess managed policy includes the following statements to allow full access to notifications. Users with this managed policy applied can also create and manage Amazon SNS topics for notifications, subscribe and unsubscribe users to topics, list topics to choose as targets for notification rules, and list AWS Chatbot clients configured for Slack.

{
  "Sid": "CodeStarNotificationsReadWriteAccess",
  "Effect": "Allow",
  "Action": [
    "codestar-notifications:CreateNotificationRule",
    "codestar-notifications:DescribeNotificationRule",
    "codestar-notifications:UpdateNotificationRule",
    "codestar-notifications:DeleteNotificationRule",
    "codestar-notifications:Subscribe",
    "codestar-notifications:Unsubscribe"
  ],
  "Resource": "*",
  "Condition": {
    "StringLike": { "codestar-notifications:NotificationsForResource": "arn:aws:codecommit:*" }
  }
},
{
  "Sid": "CodeStarNotificationsListAccess",
  "Effect": "Allow",
  "Action": [
    "codestar-notifications:ListNotificationRules",
    "codestar-notifications:ListTargets",
    "codestar-notifications:ListTagsforResource",
    "codestar-notifications:ListEventTypes"
  ],
  "Resource": "*"
},
{
  "Sid": "CodeStarNotificationsSNSTopicCreateAccess",
  "Effect": "Allow",
  "Action": [
    "sns:CreateTopic",
    "sns:SetTopicAttributes"
  ],
  "Resource": "arn:aws:sns:*:*:codestar-notifications*"
},
{
  "Sid": "CodeStarNotificationsChatbotAccess",
  "Effect": "Allow",
  "Action": [
    "chatbot:DescribeSlackChannelConfigurations"
  ],
  "Resource": "*"
}

Permissions related to notifications in read-only managed policies

The AWSCodeCommitReadOnlyAccess managed policy includes the following statements to allow read-only access to notifications. Users with this managed policy applied can view notifications for resources, but cannot create, manage, or subscribe to them.

{
  "Sid": "CodeStarNotificationsPowerUserAccess",
  "Effect": "Allow",
  "Action": [
    "codestar-notifications:DescribeNotificationRule"
  ],
  "Resource": "*",
  "Condition": {
    "StringLike": { "codestar-notifications:NotificationsForResource": "arn:aws:codecommit:*" }
  }
},
{
  "Sid": "CodeStarNotificationsListAccess",
  "Effect": "Allow",
  "Action": [
    "codestar-notifications:ListNotificationRules",
    "codestar-notifications:ListEventTypes",
    "codestar-notifications:ListTargets"
  ],
  "Resource": "*"
}

Permissions related to notifications in other managed policies

The AWSCodeCommitPowerUser managed policy includes the following statements to allow users to create, edit, and subscribe to notifications. Users cannot delete notification rules or manage tags for resources.

{
  "Sid": "CodeStarNotificationsReadWriteAccess",
  "Effect": "Allow",
  "Action": [
    "codestar-notifications:CreateNotificationRule",
    "codestar-notifications:DescribeNotificationRule",
    "codestar-notifications:UpdateNotificationRule",
    "codestar-notifications:DeleteNotificationRule",
    "codestar-notifications:Subscribe",
    "codestar-notifications:Unsubscribe"
  ],
  "Resource": "*",
  "Condition": {
    "StringLike": { "codestar-notifications:NotificationsForResource": "arn:aws:codecommit*" }
  }
},
{
  "Sid": "CodeStarNotificationsListAccess",
  "Effect": "Allow",
  "Action": [
    "codestar-notifications:ListNotificationRules",
    "codestar-notifications:ListTargets",
    "codestar-notifications:ListTagsforResource",
    "codestar-notifications:ListEventTypes"
  ],
  "Resource": "*"
},
{
  "Sid": "SNSTopicListAccess",
  "Effect": "Allow",
  "Action": [
    "sns:ListTopics"
  ],
  "Resource": "*"
},
{
  "Sid": "CodeStarNotificationsChatbotAccess",
  "Effect": "Allow",
  "Action": [
    "chatbot:DescribeSlackChannelConfigurations"
  ],
  "Resource": "*"
}

For more information about IAM and notifications, see Identity and Access Management for AWS CodeStar Notifications.

AWS CodeCommit managed policies and Amazon CodeGuru Reviewer

CodeCommit supports Amazon CodeGuru Reviewer, an automated code review service that uses program analysis and machine learning to detect common issues and recommend fixes in your Java or Python code. Managed policies for CodeCommit include policy statements for CodeGuru Reviewer functionality. For more information, see What is Amazon CodeGuru Reviewer.

Permissions related to CodeGuru Reviewer in AWSCodeCommitFullAccess

The AWSCodeCommitFullAccess managed policy includes the following statements to allow CodeGuru Reviewer to associate and disassociate with CodeCommit repositories. Users with this managed policy applied can also view the association status between CodeCommit repositories and CodeGuru Reviewer, and view the review job status for pull requests.

{
  "Sid": "AmazonCodeGuruReviewerFullAccess",
  "Effect": "Allow",
  "Action": [
    "codeguru-reviewer:AssociateRepository",
    "codeguru-reviewer:DescribeRepositoryAssociation",
    "codeguru-reviewer:ListRepositoryAssociations",
    "codeguru-reviewer:DisassociateRepository",
    "codeguru-reviewer:DescribeCodeReview",
    "codeguru-reviewer:ListCodeReviews"
  ],
  "Resource": "*"
},
{
  "Sid": "AmazonCodeGuruReviewerSLRCreation",
  "Action": "iam:CreateServiceLinkedRole",
  "Effect": "Allow",
  "Resource": "arn:aws:iam::*:role/aws-service-role/codeguru-reviewer.amazonaws.com/AWSServiceRoleForAmazonCodeGuruReviewer",
  "Condition": {
    "StringLike": { "iam:AWSServiceName": "codeguru-reviewer.amazonaws.com" }
  }
},
{
  "Sid": "CloudWatchEventsManagedRules",
  "Effect": "Allow",
  "Action": [
    "events:PutRule",
    "events:PutTargets",
    "events:DeleteRule",
    "events:RemoveTargets"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": { "events:ManagedBy": "codeguru-reviewer.amazonaws.com" }
  }
}

Permissions related to CodeGuru Reviewer in AWSCodeCommitPowerUser

The AWSCodeCommitPowerUser managed policy includes the following statements to allow users to associate and disassociate repositories with CodeGuru Reviewer, view the association status, and view the review job status for pull requests.

{
  "Sid": "AmazonCodeGuruReviewerFullAccess",
  "Effect": "Allow",
  "Action": [
    "codeguru-reviewer:AssociateRepository",
    "codeguru-reviewer:DescribeRepositoryAssociation",
    "codeguru-reviewer:ListRepositoryAssociations",
    "codeguru-reviewer:DisassociateRepository",
    "codeguru-reviewer:DescribeCodeReview",
    "codeguru-reviewer:ListCodeReviews"
  ],
  "Resource": "*"
},
{
  "Sid": "AmazonCodeGuruReviewerSLRCreation",
  "Action": "iam:CreateServiceLinkedRole",
  "Effect": "Allow",
  "Resource": "arn:aws:iam::*:role/aws-service-role/codeguru-reviewer.amazonaws.com/AWSServiceRoleForAmazonCodeGuruReviewer",
  "Condition": {
    "StringLike": { "iam:AWSServiceName": "codeguru-reviewer.amazonaws.com" }
  }
},
{
  "Sid": "CloudWatchEventsManagedRules",
  "Effect": "Allow",
  "Action": [
    "events:PutRule",
    "events:PutTargets",
    "events:DeleteRule",
    "events:RemoveTargets"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": { "events:ManagedBy": "codeguru-reviewer.amazonaws.com" }
  }
}

Permissions related to CodeGuru Reviewer in AWSCodeCommitReadOnly

The AWSCodeCommitReadOnlyAccess managed policy includes the following statements to allow read-only access to the CodeGuru Reviewer association status and to view the review job status for pull requests. Users with this managed policy applied cannot associate or disassociate repositories.

{
  "Sid": "AmazonCodeGuruReviewerReadOnlyAccess",
  "Effect": "Allow",
  "Action": [
    "codeguru-reviewer:DescribeRepositoryAssociation",
    "codeguru-reviewer:ListRepositoryAssociations",
    "codeguru-reviewer:DescribeCodeReview",
    "codeguru-reviewer:ListCodeReviews"
  ],
  "Resource": "*"
}

Amazon CodeGuru Reviewer service-linked role

When you associate a repository with CodeGuru Reviewer, a service-linked role is created so that CodeGuru Reviewer can detect issues and recommend fixes for Java or Python code in pull requests. The service-linked role is named AWSServiceRoleForAmazonCodeGuruReviewer. For more information, see Using service-linked roles for Amazon CodeGuru Reviewer.

For more information, see AWS managed policies in the IAM User Guide.

Customer managed policy examples

You can create your own custom IAM policies to allow permissions for CodeCommit actions and resources. You can attach these custom policies to the IAM users or groups that require those permissions. You can also create your own custom IAM policies for integration between CodeCommit and other AWS services.

Customer managed identity policy examples

The following example IAM policies grant permissions for various CodeCommit actions. Use them to limit CodeCommit access for your IAM users and roles. These policies control the ability to perform actions with the CodeCommit console, the API, the AWS SDKs, or the AWS CLI.

Note

All examples use the US West (Oregon) Region (us-west-2) and contain fictitious account IDs.

Examples

Example 1: Allow a user to perform CodeCommit operations in a single AWS Region

The following permissions policy uses a wildcard ("codecommit:*") to allow users to perform all CodeCommit actions in the us-east-2 Region and not from other AWS Regions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codecommit:*",
      "Resource": "arn:aws:codecommit:us-east-2:111111111111:*",
      "Condition": {
        "StringEquals": { "aws:RequestedRegion": "us-east-2" }
      }
    },
    {
      "Effect": "Allow",
      "Action": "codecommit:ListRepositories",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:RequestedRegion": "us-east-2" }
      }
    }
  ]
}

Example 2: Allow a user to use Git for a single repository

In CodeCommit, the GitPull IAM policy permission applies to any Git client command that retrieves data from CodeCommit, including git fetch, git clone, and so on. Similarly, the GitPush IAM policy permission applies to any Git client command that sends data to CodeCommit. For example, if the GitPush IAM policy permission is set to Allow, a user can push the deletion of a branch using the Git protocol. That push is unaffected by any permissions applied to the DeleteBranch IAM operation for that user. The DeleteBranch permission applies to actions performed with the console, the AWS CLI, the SDKs, and the API, but not to the Git protocol.

The following example allows the specified user to pull from, and push to, the CodeCommit repository named MyDemoRepo:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codecommit:GitPull",
        "codecommit:GitPush"
      ],
      "Resource": "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo"
    }
  ]
}

Example 3: Allow a user connecting from a specified IP address range to access a repository

You can create a policy that only allows users to connect to a CodeCommit repository if their IP address is within a certain IP address range. There are two equally valid approaches. You can create a Deny policy that disallows CodeCommit operations if the user's IP address is not within a certain block, or you can create an Allow policy that allows CodeCommit operations if the user's IP address is within a certain block.

You can create a Deny policy that denies access to all users who are not within a certain IP range. For example, you could attach the AWSCodeCommitPowerUser managed policy and a customer managed policy to all users who require access to your repository. The following example policy denies all CodeCommit permissions to users whose IP addresses are not within the specified IP address block of 203.0.113.0/16:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "codecommit:*"
      ],
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "203.0.113.0/16"
          ]
        }
      }
    }
  ]
}

The following example policy allows the specified user access to a CodeCommit repository named MyDemoRepo, with permissions equivalent to the AWSCodeCommitPowerUser managed policy, only if their IP address is within the specified address block of 203.0.113.0/16:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codecommit:BatchGetRepositories",
        "codecommit:CreateBranch",
        "codecommit:CreateRepository",
        "codecommit:Get*",
        "codecommit:GitPull",
        "codecommit:GitPush",
        "codecommit:List*",
        "codecommit:Put*",
        "codecommit:Post*",
        "codecommit:Merge*",
        "codecommit:TagResource",
        "codecommit:Test*",
        "codecommit:UntagResource",
        "codecommit:Update*"
      ],
      "Resource": "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "203.0.113.0/16"
          ]
        }
      }
    }
  ]
}

Example 4: Deny or allow actions on branches

You can create a policy that denies users permission to perform the actions you specify on one or more branches. Alternatively, you can create a policy that allows actions on one or more branches that the users might not otherwise have on other branches of a repository. You can use these policies with the appropriate managed (predefined) policies. For more information, see Limit pushes and merges to branches in AWS CodeCommit.

For example, you can create a Deny policy that denies users the ability to make changes to a branch named main, including deleting that branch, in a repository named MyDemoRepo. You can use this policy with the AWSCodeCommitPowerUser managed policy. Users with these two policies applied can create and delete branches, create pull requests, and perform all other actions allowed by AWSCodeCommitPowerUser, but they cannot push changes to the branch named main, add or edit a file in the main branch in the CodeCommit console, or merge branches or a pull request into the main branch. Because Deny is applied to GitPush, you must include a Null statement in the policy so that the initial GitPush call can be analyzed for validity when users push from their local repositories.

Tip

If you want to create a policy that applies to all branches named main in all repositories in your AWS account, specify an asterisk (*) for Resource instead of a repository ARN.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "codecommit:GitPush",
        "codecommit:DeleteBranch",
        "codecommit:PutFile",
        "codecommit:Merge*"
      ],
      "Resource": "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo",
      "Condition": {
        "StringEqualsIfExists": {
          "codecommit:References": [
            "refs/heads/main"
          ]
        },
        "Null": {
          "codecommit:References": "false"
        }
      }
    }
  ]
}

The following example policy allows a user to make changes to a branch named main in all repositories in your AWS account. It does not allow changes to any other branch. You might use this policy with the AWSCodeCommitReadOnly managed policy to allow automated pushes to the main branch of a repository. Because the Effect is Allow, this example policy does not work with managed policies such as AWSCodeCommitPowerUser.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codecommit:GitPush",
        "codecommit:Merge*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEqualsIfExists": {
          "codecommit:References": [
            "refs/heads/main"
          ]
        }
      }
    }
  ]
}

Example 5: Deny or allow actions on repositories with tags

You can create a policy that allows or denies actions on repositories based on the AWS tags associated with those repositories, and then apply those policies to the IAM groups you configure for managing IAM users. For example, you can create a policy that denies all CodeCommit actions on any repository with the AWS tag key Status and the key value Secret, and then apply that policy to the IAM group you created for general developers (Developers). You then need to make sure that the developers working on those tagged repositories are not members of that general Developers group, but instead belong to an IAM group that does not have the restrictive policy applied (SecretDevelopers).

The following example denies all actions on repositories tagged with the key Status and the key value Secret:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "codecommit:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Status": "Secret"
        }
      }
    }
  ]
}

You can further refine this strategy by specifying specific repositories, rather than all repositories, as resources. You can also create policies that allow CodeCommit actions on all repositories that are not tagged with specific tags. For example, the following policy allows the equivalent of AWSCodeCommitPowerUser permissions on all repositories except those tagged with the specified tags:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codecommit:BatchGetRepositories",
        "codecommit:CreateBranch",
        "codecommit:CreateRepository",
        "codecommit:Get*",
        "codecommit:GitPull",
        "codecommit:GitPush",
        "codecommit:List*",
        "codecommit:Put*",
        "codecommit:TagResource",
        "codecommit:Test*",
        "codecommit:UntagResource",
        "codecommit:Update*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:ResourceTag/Status": "Secret",
          "aws:ResourceTag/Team": "Saanvi"
        }
      }
    }
  ]
}
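Examples 3, 4 and 5 all depend on the same evaluation rules: an explicit Deny beats any Allow, every key in a Condition block must hold, and what happens when a condition key is absent from the request (the initial GitPush call carries no codecommit:References value; an untagged repository carries no aws:ResourceTag/Status value) decides whether the statement fires. The following Python script is an added example, not AWS code and not the IAM engine: it implements just those rules and replays the three Deny policies above next to a constructed broad Allow standing in for AWSCodeCommitPowerUser. It also re-runs the branch policy with its Null clause stripped, which is the failure mode the Example 4 text warns about: the initial push is then denied. The client IP addresses and branch names are constructed sample data.

```python
"""Added example: replay Examples 3, 4 and 5 above through a small IAM evaluator (not AWS code)."""
import copy
import ipaddress
from fnmatch import fnmatchcase

def _list(v):  # IAM accepts a single string or a list for Action, Resource and condition values
    return [] if v is None else (v if isinstance(v, list) else [v])

def _match(value, pattern):  # case-insensitive glob match; '*' and '?' are the IAM wildcards
    return fnmatchcase(value.lower(), pattern.lower())

def _condition_ok(cond, ctx):
    """Operators and keys are ANDed; values within one key are ORed. For a missing key, plain
    operators fail, ...IfExists and negated (Not...) operators pass, and Null tests presence."""
    for op, keys in cond.items():
        if_exists = op.endswith("IfExists")
        base = op[:-8] if if_exists else op
        for key, wanted in keys.items():
            wanted = [str(w) for w in _list(wanted)]
            actual = ctx.get(key)
            if base == "Null":  # "true" = key must be absent, "false" = key must be present
                if (actual is None) != (wanted[0].lower() == "true"):
                    return False
                continue
            if actual is None:
                if if_exists or "Not" in base:
                    continue
                return False
            if base == "StringEquals":
                ok = actual in wanted
            elif base == "StringNotEquals":
                ok = actual not in wanted
            elif base == "StringLike":
                ok = any(_match(actual, w) for w in wanted)
            elif base in ("IpAddress", "NotIpAddress"):
                inside = any(ipaddress.ip_address(actual) in ipaddress.ip_network(w, strict=False)
                             for w in wanted)
                ok = inside if base == "IpAddress" else not inside
            else:
                raise ValueError(f"operator {op} is outside the scope of this example")
            if not ok:
                return False
    return True

def evaluate(policies, action, resource, ctx):
    """'Allow' or 'Deny' for one request: an explicit Deny wins, otherwise an Allow is required."""
    allowed = False
    for doc in policies:
        for stmt in _list(doc["Statement"]):
            if (any(_match(action, p) for p in _list(stmt.get("Action")))
                    and any(_match(resource, p) for p in _list(stmt.get("Resource")))
                    and _condition_ok(stmt.get("Condition", {}), ctx)):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "Deny"

REPO = "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo"
# Deny statements copied from Examples 3, 4 and 5 above.
IP_DENY = {"Statement": [{"Effect": "Deny", "Action": "codecommit:*", "Resource": "*",
           "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/16"]}}}]}
MAIN_BRANCH_DENY = {"Statement": [{"Effect": "Deny", "Resource": REPO,
    "Action": ["codecommit:GitPush", "codecommit:DeleteBranch", "codecommit:PutFile", "codecommit:Merge*"],
    "Condition": {"StringEqualsIfExists": {"codecommit:References": ["refs/heads/main"]},
                  "Null": {"codecommit:References": "false"}}}]}
SECRET_TAG_DENY = {"Statement": [{"Effect": "Deny", "Action": "codecommit:*", "Resource": "*",
                   "Condition": {"StringEquals": {"aws:ResourceTag/Status": "Secret"}}}]}
# Constructed stand-in for the broad Allow a managed policy such as AWSCodeCommitPowerUser provides.
BROAD_ALLOW = {"Statement": [{"Effect": "Allow", "Action": "codecommit:*", "Resource": "*"}]}

def without_null_clause(policy):
    """Copy of a policy with its Null condition removed, to show why the page says it is needed."""
    p = copy.deepcopy(policy)
    for s in p["Statement"]:
        s.get("Condition", {}).pop("Null", None)
    return p

def run_scenarios():
    """Requests a developer with all four policies attached might make (constructed sample data)."""
    attached = [BROAD_ALLOW, IP_DENY, MAIN_BRANCH_DENY, SECRET_TAG_DENY]
    office, elsewhere = "203.0.113.5", "198.51.100.7"
    push, pull = "codecommit:GitPush", "codecommit:GitPull"
    return {
        "push feature branch from office": evaluate(attached, push, REPO,
            {"aws:SourceIp": office, "codecommit:References": "refs/heads/feature-1"}),
        "push main from office": evaluate(attached, push, REPO,
            {"aws:SourceIp": office, "codecommit:References": "refs/heads/main"}),
        "initial push handshake (no References key)": evaluate(attached, push, REPO,
            {"aws:SourceIp": office}),
        "same handshake, Null clause removed": evaluate(
            [BROAD_ALLOW, without_null_clause(MAIN_BRANCH_DENY)], push, REPO, {"aws:SourceIp": office}),
        "pull from outside the IP block": evaluate(attached, pull, REPO, {"aws:SourceIp": elsewhere}),
        "pull a Status=Secret repository": evaluate(attached, pull, REPO,
            {"aws:SourceIp": office, "aws:ResourceTag/Status": "Secret"}),
    }

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{verdict:5}  {name}")
```

The evaluator covers only the operators these examples use (StringEquals, StringNotEquals, StringLike, IpAddress, NotIpAddress, Null and the IfExists variants) and raises on anything else rather than silently passing it. The missing-key rule for negated operators is also why the StringNotEquals policy at the end of Example 5 allows access to a repository that has no Status tag at all: add a Null condition if the tag must be present.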

Customer managed integration policy examples

This section provides example customer managed user policies that grant permissions for integrations between CodeCommit and other AWS services. For specific examples of policies that allow cross-account access to a CodeCommit repository, see Configure cross-account access to an AWS CodeCommit repository using roles.

Note

All examples use the US West (Oregon) Region (us-west-2) when an AWS Region is required, and contain fictitious account IDs.

Examples

Example 1: Create a policy that enables cross-account access to an Amazon SNS topic

You can configure a CodeCommit repository so that code pushes or other events trigger actions, such as sending a notification from Amazon Simple Notification Service (Amazon SNS). If you create the Amazon SNS topic with the same account that you use to create the CodeCommit repository, you do not need to configure additional IAM policies or permissions. You can create the topic, and then create the trigger for the repository. For more information, see Create a trigger for an Amazon SNS topic.

However, if you want to configure your trigger to use a topic in another AWS account, you must first configure that topic with a policy that allows CodeCommit to publish to it. From that other account, open the Amazon SNS console, choose the topic from the list, and in Other topic actions, choose Edit topic policy. On the Advanced tab, modify the policy for the topic to allow CodeCommit to publish to it. For example, if the policy is the default policy, you would modify it as follows, replacing the example repository, Amazon SNS topic, and account values with your own:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": [
        "sns:Subscribe", "sns:ListSubscriptionsByTopic", "sns:DeleteTopic", "sns:GetTopicAttributes",
        "sns:Publish", "sns:RemovePermission", "sns:AddPermission", "sns:Receive", "sns:SetTopicAttributes"
      ],
      "Resource": "arn:aws:sns:us-east-2:111111111111:NotMySNSTopic",
      "Condition": {
        "StringEquals": { "AWS:SourceOwner": "111111111111" }
      }
    },
    {
      "Sid": "CodeCommit-Policy_ID",
      "Effect": "Allow",
      "Principal": { "Service": "codecommit.amazonaws.com" },
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:us-east-2:111111111111:NotMySNSTopic",
      "Condition": {
        "StringEquals": {
          "AWS:SourceArn": "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo",
          "AWS:SourceAccount": "111111111111"
        }
      }
    }
  ]
}

Example 2: Create an Amazon Simple Notification Service (Amazon SNS) topic policy to allow Amazon CloudWatch Events to publish CodeCommit events to the topic

You can configure CloudWatch Events to publish to an Amazon SNS topic when events occur, including CodeCommit events. To do so, you must make sure that CloudWatch Events has permission to publish events to the Amazon SNS topic, by creating a policy for the topic or modifying the topic's existing policy so that it is similar to the following:

{
  "Version": "2012-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": [ "sns:Publish" ],
      "Resource": "arn:aws:sns:us-east-2:123456789012:MyTopic",
      "Condition": {
        "StringEquals": { "AWS:SourceOwner": "123456789012" }
      }
    },
    {
      "Sid": "Allow_Publish_Events",
      "Effect": "Allow",
      "Principal": { "Service": "events.amazonaws.com" },
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:us-east-2:123456789012:MyTopic"
    }
  ]
}

For more information about CodeCommit and CloudWatch Events, see CloudWatch Events Event Examples From Supported Services. For more information about IAM and the policy language, see IAM JSON Policy Language Grammar.

Example 3: Create a policy for AWS Lambda integration with a CodeCommit trigger

You can configure a CodeCommit repository so that code pushes or other events trigger actions, such as invoking a function in AWS Lambda. For more information, see Create a trigger for a Lambda function. This information is specific to triggers, and not to CloudWatch Events.

If you want the trigger to run a Lambda function directly (instead of using an Amazon SNS topic to invoke the Lambda function), and you do not configure the trigger in the Lambda console, you must include a policy similar to the following in the function's resource-based policy:

{
  "Statement": {
    "StatementId": "Id-1",
    "Action": "lambda:InvokeFunction",
    "Principal": "codecommit.amazonaws.com",
    "SourceArn": "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo",
    "SourceAccount": "111111111111"
  }
}

When manually configuring a CodeCommit trigger that invokes a Lambda function, you must also use the Lambda AddPermission command to grant CodeCommit permission to invoke the function. For an example, see the Allow CodeCommit to run a Lambda function section of Create a trigger for an existing Lambda function.

For more information about resource policies for Lambda functions, see AddPermission and The Pull/Push Event Models (https://docs.aws.amazon.com/lambda/latest/dg/intro-invocation-modes.html) in the AWS Lambda Developer Guide.