# Using identity-based policies (IAM Policies) for CodeCommit Using identity-based policies (IAM policies) The following examples of identity-based policies demonstrate how an account administrator can attach permissions policies to IAM identities (users, groups, and roles) to grant permissions to perform operations on CodeCommit resources. **Important** We recommend that you first review the introductory topics that explain the basic concepts and options available to manage access to your CodeCommit resources. For more information, see [Overview of managing access permissions to your CodeCommit resources](auth-and-access-control.md#auth-and-access-control-iam-access-control-identity-based). **Topics** + [ ## Permissions required to use the CodeCommit console ](#console-permissions) + [ ## Viewing resources in the console ](#console-resources) + [ # AWS managed policies for CodeCommit ](security-iam-awsmanpol.md) + [ # Customer managed policy examples ](customer-managed-policies.md) The following is an example of an identity-based permissions policy: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement" : [ { "Effect" : "Allow", "Action" : [ "codecommit:BatchGetRepositories" ], "Resource" : [ "arn:aws:codecommit:us-east-2:111122223333:MyDemoRepo", "arn:aws:codecommit:us-east-2:111122223333:MyDemo*" ] } ] } ``` ------ This policy has one statement that allows a user to get information about the CodeCommit repository named `MyDestinationRepo` and all CodeCommit repositories that start with the name `MyDemo` in the **us-east-2** Region. ## Permissions required to use the CodeCommit console To see the required permissions for each CodeCommit API operation, and for more information about CodeCommit operations, see [CodeCommit permissions reference](auth-and-access-control-permissions-reference.md). To allow users to use the CodeCommit console, the administrator must grant them permissions for CodeCommit actions. For example, you could attach the [AWSCodeCommitPowerUser](security-iam-awsmanpol.md#managed-policies-poweruser) managed policy or its equivalent to a user or group. In addition to permissions granted to users by identity-based policies, CodeCommit requires permissions for AWS Key Management Service (AWS KMS) actions. An IAM user does not need explicit `Allow` permissions for these actions, but the user must not have any policies attached that set the following permissions to `Deny`: ``` "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey" ``` For more information about encryption and CodeCommit, see [AWS KMS and encryption](encryption.md). ## Viewing resources in the console The CodeCommit console requires the `ListRepositories` permission to display a list of repositories for your Amazon Web Services account in the AWS Region where you are signed in. The console also includes a **Go to resource** function to quickly perform a case insensitive search for resources. This search is performed in your Amazon Web Services account in the AWS Region where you are signed in. The following resources are displayed across the following services: + AWS CodeBuild: Build projects + AWS CodeCommit: Repositories + AWS CodeDeploy: Applications + AWS CodePipeline: Pipelines To perform this search across resources in all services, you must have the following permissions: + CodeBuild: `ListProjects` + CodeCommit: `ListRepositories` + CodeDeploy: `ListApplications` + CodePipeline: `ListPipelines` Results are not returned for a service's resources if you do not have permissions for that service. Even if you have permissions for viewing resources, specific resources will not be returned if there is an explicit `Deny` to view those resources. # AWS managed policies for CodeCommit To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to [create IAM customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html) that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*. AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions. Additionally, AWS supports managed policies for job functions that span multiple services. For example, the **ReadOnlyAccess** AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*. AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. These AWS managed policies grant required permissions for common use cases. The managed policies for CodeCommit also provide permissions to perform operations in other services, such as IAM, Amazon SNS, and Amazon CloudWatch Events, as required for the responsibilities for the users who have been granted the policy in question. For example, the AWSCodeCommitFullAccess policy is an administrative-level user policy that allows users with this policy to create and manage CloudWatch Events rules for repositories (rules whose names are prefixed with `codecommit`) and Amazon SNS topics for notifications about repository-related events (topics whose names are prefixed with `codecommit`), as well as administer repositories in CodeCommit. The following AWS managed policies, which you can attach to users in your account, are specific to CodeCommit. **Topics** + [ ## AWS managed policy: AWSCodeCommitFullAccess ](#managed-policies-full) + [ ## AWS managed policy: AWSCodeCommitPowerUser ](#managed-policies-poweruser) + [ ## AWS managed policy: AWSCodeCommitReadOnly ](#managed-policies-read) + [ ## CodeCommit managed policies and notifications ](#notifications-permissions) + [ ## AWS CodeCommit managed policies and Amazon CodeGuru Reviewer ](#codeguru-permissions) + [ ## CodeCommit updates to AWS managed policies ](#security-iam-awsmanpol-updates) ## AWS managed policy: AWSCodeCommitFullAccess You can attach the `AWSCodeCommitFullAccess` policy to your IAM identities. This policy grants full access to CodeCommit. Apply this policy only to administrative-level users to whom you want to grant full control over CodeCommit repositories and related resources in your Amazon Web Services account, including the ability to delete repositories. The AWSCodeCommitFullAccess policy contains the following policy statement: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "codecommit:*" ], "Resource": "*" }, { "Sid": "CloudWatchEventsCodeCommitRulesAccess", "Effect": "Allow", "Action": [ "events:DeleteRule", "events:DescribeRule", "events:DisableRule", "events:EnableRule", "events:PutRule", "events:PutTargets", "events:RemoveTargets", "events:ListTargetsByRule" ], "Resource": "arn:aws:events:*:*:rule/codecommit*" }, { "Sid": "SNSTopicAndSubscriptionAccess", "Effect": "Allow", "Action": [ "sns:CreateTopic", "sns:DeleteTopic", "sns:Subscribe", "sns:Unsubscribe", "sns:SetTopicAttributes" ], "Resource": "arn:aws:sns:*:*:codecommit*" }, { "Sid": "SNSTopicAndSubscriptionReadAccess", "Effect": "Allow", "Action": [ "sns:ListTopics", "sns:ListSubscriptionsByTopic", "sns:GetTopicAttributes" ], "Resource": "*" }, { "Sid": "LambdaReadOnlyListAccess", "Effect": "Allow", "Action": [ "lambda:ListFunctions" ], "Resource": "*" }, { "Sid": "IAMReadOnlyListAccess", "Effect": "Allow", "Action": [ "iam:ListUsers" ], "Resource": "*" }, { "Sid": "IAMReadOnlyConsoleAccess", "Effect": "Allow", "Action": [ "iam:ListAccessKeys", "iam:ListSSHPublicKeys", "iam:ListServiceSpecificCredentials" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "IAMUserSSHKeys", "Effect": "Allow", "Action": [ "iam:DeleteSSHPublicKey", "iam:GetSSHPublicKey", "iam:ListSSHPublicKeys", "iam:UpdateSSHPublicKey", "iam:UploadSSHPublicKey" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "IAMSelfManageServiceSpecificCredentials", "Effect": "Allow", "Action": [ "iam:CreateServiceSpecificCredential", "iam:UpdateServiceSpecificCredential", "iam:DeleteServiceSpecificCredential", "iam:ResetServiceSpecificCredential" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "CodeStarNotificationsReadWriteAccess", "Effect": "Allow", "Action": [ "codestar-notifications:CreateNotificationRule", "codestar-notifications:DescribeNotificationRule", "codestar-notifications:UpdateNotificationRule", "codestar-notifications:DeleteNotificationRule", "codestar-notifications:Subscribe", "codestar-notifications:Unsubscribe" ], "Resource": "*", "Condition": { "ArnLike": { "codestar-notifications:NotificationsForResource": "arn:aws:iam::*:role/Service*" } } }, { "Sid": "CodeStarNotificationsListAccess", "Effect": "Allow", "Action": [ "codestar-notifications:ListNotificationRules", "codestar-notifications:ListTargets", "codestar-notifications:ListTagsforResource", "codestar-notifications:ListEventTypes" ], "Resource": "*" }, { "Sid": "CodeStarNotificationsSNSTopicCreateAccess", "Effect": "Allow", "Action": [ "sns:CreateTopic", "sns:SetTopicAttributes" ], "Resource": "arn:aws:sns:*:*:codestar-notifications*" }, { "Sid": "AmazonCodeGuruReviewerFullAccess", "Effect": "Allow", "Action": [ "codeguru-reviewer:AssociateRepository", "codeguru-reviewer:DescribeRepositoryAssociation", "codeguru-reviewer:ListRepositoryAssociations", "codeguru-reviewer:DisassociateRepository", "codeguru-reviewer:DescribeCodeReview", "codeguru-reviewer:ListCodeReviews" ], "Resource": "*" }, { "Sid": "AmazonCodeGuruReviewerSLRCreation", "Action": "iam:CreateServiceLinkedRole", "Effect": "Allow", "Resource": "arn:aws:iam::*:role/aws-service-role/codeguru-reviewer.amazonaws.com/AWSServiceRoleForAmazonCodeGuruReviewer", "Condition": { "StringLike": { "iam:AWSServiceName": "codeguru-reviewer.amazonaws.com" } } }, { "Sid": "CloudWatchEventsManagedRules", "Effect": "Allow", "Action": [ "events:PutRule", "events:PutTargets", "events:DeleteRule", "events:RemoveTargets" ], "Resource": "*", "Condition": { "StringEquals": { "events:ManagedBy": "codeguru-reviewer.amazonaws.com" } } }, { "Sid": "CodeStarNotificationsChatbotAccess", "Effect": "Allow", "Action": [ "chatbot:DescribeSlackChannelConfigurations", "chatbot:ListMicrosoftTeamsChannelConfigurations" ], "Resource": "*" }, { "Sid": "CodeStarConnectionsReadOnlyAccess", "Effect": "Allow", "Action": [ "codestar-connections:ListConnections", "codestar-connections:GetConnection" ], "Resource": "arn:aws:codestar-connections:*:*:connection/*" } ] } ``` ------ ## AWS managed policy: AWSCodeCommitPowerUser You can attach the `AWSCodeCommitPowerUser` policy to your IAM identities. This policy allows users access to all of the functionality of CodeCommit and repository-related resources, except it does not allow them to delete CodeCommit repositories or create or delete repository-related resources in other AWS services, such as Amazon CloudWatch Events. We recommend that you apply this policy to most users. The AWSCodeCommitPowerUser policy contains the following policy statement: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "codecommit:AssociateApprovalRuleTemplateWithRepository", "codecommit:BatchAssociateApprovalRuleTemplateWithRepositories", "codecommit:BatchDisassociateApprovalRuleTemplateFromRepositories", "codecommit:BatchGet*", "codecommit:BatchDescribe*", "codecommit:Create*", "codecommit:DeleteBranch", "codecommit:DeleteFile", "codecommit:Describe*", "codecommit:DisassociateApprovalRuleTemplateFromRepository", "codecommit:EvaluatePullRequestApprovalRules", "codecommit:Get*", "codecommit:List*", "codecommit:Merge*", "codecommit:OverridePullRequestApprovalRules", "codecommit:Put*", "codecommit:Post*", "codecommit:TagResource", "codecommit:Test*", "codecommit:UntagResource", "codecommit:Update*", "codecommit:GitPull", "codecommit:GitPush" ], "Resource": "*" }, { "Sid": "CloudWatchEventsCodeCommitRulesAccess", "Effect": "Allow", "Action": [ "events:DeleteRule", "events:DescribeRule", "events:DisableRule", "events:EnableRule", "events:PutRule", "events:PutTargets", "events:RemoveTargets", "events:ListTargetsByRule" ], "Resource": "arn:aws:events:*:*:rule/codecommit*" }, { "Sid": "SNSTopicAndSubscriptionAccess", "Effect": "Allow", "Action": [ "sns:Subscribe", "sns:Unsubscribe" ], "Resource": "arn:aws:sns:*:*:codecommit*" }, { "Sid": "SNSTopicAndSubscriptionReadAccess", "Effect": "Allow", "Action": [ "sns:ListTopics", "sns:ListSubscriptionsByTopic", "sns:GetTopicAttributes" ], "Resource": "*" }, { "Sid": "LambdaReadOnlyListAccess", "Effect": "Allow", "Action": [ "lambda:ListFunctions" ], "Resource": "*" }, { "Sid": "IAMReadOnlyListAccess", "Effect": "Allow", "Action": [ "iam:ListUsers" ], "Resource": "*" }, { "Sid": "IAMReadOnlyConsoleAccess", "Effect": "Allow", "Action": [ "iam:ListAccessKeys", "iam:ListSSHPublicKeys", "iam:ListServiceSpecificCredentials" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "IAMUserSSHKeys", "Effect": "Allow", "Action": [ "iam:DeleteSSHPublicKey", "iam:GetSSHPublicKey", "iam:ListSSHPublicKeys", "iam:UpdateSSHPublicKey", "iam:UploadSSHPublicKey" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "IAMSelfManageServiceSpecificCredentials", "Effect": "Allow", "Action": [ "iam:CreateServiceSpecificCredential", "iam:UpdateServiceSpecificCredential", "iam:DeleteServiceSpecificCredential", "iam:ResetServiceSpecificCredential" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "CodeStarNotificationsReadWriteAccess", "Effect": "Allow", "Action": [ "codestar-notifications:CreateNotificationRule", "codestar-notifications:DescribeNotificationRule", "codestar-notifications:UpdateNotificationRule", "codestar-notifications:Subscribe", "codestar-notifications:Unsubscribe" ], "Resource": "*", "Condition": { "ArnLike": { "codestar-notifications:NotificationsForResource": "arn:aws:iam::*:role/Service*" } } }, { "Sid": "CodeStarNotificationsListAccess", "Effect": "Allow", "Action": [ "codestar-notifications:ListNotificationRules", "codestar-notifications:ListTargets", "codestar-notifications:ListTagsforResource", "codestar-notifications:ListEventTypes" ], "Resource": "*" }, { "Sid": "AmazonCodeGuruReviewerFullAccess", "Effect": "Allow", "Action": [ "codeguru-reviewer:AssociateRepository", "codeguru-reviewer:DescribeRepositoryAssociation", "codeguru-reviewer:ListRepositoryAssociations", "codeguru-reviewer:DisassociateRepository", "codeguru-reviewer:DescribeCodeReview", "codeguru-reviewer:ListCodeReviews" ], "Resource": "*" }, { "Sid": "AmazonCodeGuruReviewerSLRCreation", "Action": "iam:CreateServiceLinkedRole", "Effect": "Allow", "Resource": "arn:aws:iam::*:role/aws-service-role/codeguru-reviewer.amazonaws.com/AWSServiceRoleForAmazonCodeGuruReviewer", "Condition": { "StringLike": { "iam:AWSServiceName": "codeguru-reviewer.amazonaws.com" } } }, { "Sid": "CloudWatchEventsManagedRules", "Effect": "Allow", "Action": [ "events:PutRule", "events:PutTargets", "events:DeleteRule", "events:RemoveTargets" ], "Resource": "*", "Condition": { "StringEquals": { "events:ManagedBy": "codeguru-reviewer.amazonaws.com" } } }, { "Sid": "CodeStarNotificationsChatbotAccess", "Effect": "Allow", "Action": [ "chatbot:DescribeSlackChannelConfigurations", "chatbot:ListMicrosoftTeamsChannelConfigurations" ], "Resource": "*" }, { "Sid": "CodeStarConnectionsReadOnlyAccess", "Effect": "Allow", "Action": [ "codestar-connections:ListConnections", "codestar-connections:GetConnection" ], "Resource": "arn:aws:codestar-connections:*:*:connection/*" } ] } ``` ------ ## AWS managed policy: AWSCodeCommitReadOnly You can attach the `AWSCodeCommitReadOnly` policy to your IAM identities. This policy grants read-only access to CodeCommit and repository-related resources in other AWS services, as well as the ability to create and manage their own CodeCommit-related resources (such as Git credentials and SSH keys for their IAM user to use when accessing repositories). Apply this policy to users to whom you want to grant the ability to read the contents of a repository, but not make any changes to its contents. The AWSCodeCommitReadOnly policy contains the following policy statement: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "codecommit:BatchGet*", "codecommit:BatchDescribe*", "codecommit:Describe*", "codecommit:EvaluatePullRequestApprovalRules", "codecommit:Get*", "codecommit:List*", "codecommit:GitPull" ], "Resource":"*" }, { "Sid":"CloudWatchEventsCodeCommitRulesReadOnlyAccess", "Effect":"Allow", "Action":[ "events:DescribeRule", "events:ListTargetsByRule" ], "Resource":"arn:aws:events:*:*:rule/codecommit*" }, { "Sid":"SNSSubscriptionAccess", "Effect":"Allow", "Action":[ "sns:ListTopics", "sns:ListSubscriptionsByTopic", "sns:GetTopicAttributes" ], "Resource":"*" }, { "Sid":"LambdaReadOnlyListAccess", "Effect":"Allow", "Action":[ "lambda:ListFunctions" ], "Resource":"*" }, { "Sid":"IAMReadOnlyListAccess", "Effect":"Allow", "Action":[ "iam:ListUsers" ], "Resource":"*" }, { "Sid":"IAMReadOnlyConsoleAccess", "Effect":"Allow", "Action":[ "iam:ListAccessKeys", "iam:ListSSHPublicKeys", "iam:ListServiceSpecificCredentials", "iam:GetSSHPublicKey" ], "Resource":"arn:aws:iam::*:user/${aws:username}" }, { "Sid":"CodeStarNotificationsReadOnlyAccess", "Effect":"Allow", "Action":[ "codestar-notifications:DescribeNotificationRule" ], "Resource":"*", "Condition":{ "ArnLike":{ "codestar-notifications:NotificationsForResource":"arn:aws:codecommit:us-east-2:111122223333:*" } } }, { "Sid":"CodeStarNotificationsListAccess", "Effect":"Allow", "Action":[ "codestar-notifications:ListNotificationRules", "codestar-notifications:ListEventTypes", "codestar-notifications:ListTargets" ], "Resource":"*" }, { "Sid": "AmazonCodeGuruReviewerReadOnlyAccess", "Effect": "Allow", "Action": [ "codeguru-reviewer:DescribeRepositoryAssociation", "codeguru-reviewer:ListRepositoryAssociations", "codeguru-reviewer:DescribeCodeReview", "codeguru-reviewer:ListCodeReviews" ], "Resource": "*" }, { "Sid": "CodeStarConnectionsReadOnlyAccess", "Effect": "Allow", "Action": [ "codestar-connections:ListConnections", "codestar-connections:GetConnection" ], "Resource": "arn:aws:codestar-connections:*:*:connection/*" } ] } ``` ------ ## CodeCommit managed policies and notifications AWS CodeCommit supports notifications, which can notify users of important changes to repositories. Managed policies for CodeCommit include policy statements for notification functionality. For more information, see [What are notifications?](https://docs.aws.amazon.com/codestar-notifications/latest/userguide/welcome.html). ### Permissions related to notifications in full access managed policies The `AWSCodeCommitFullAccess` managed policy includes the following statements to allow full access to notifications. Users with this managed policy applied can also create and manage Amazon SNS topics for notifications, subscribe and unsubscribe users to topics, list topics to choose as targets for notification rules, and list Amazon Q Developer in chat applications clients configured for Slack. ``` { "Sid": "CodeStarNotificationsReadWriteAccess", "Effect": "Allow", "Action": [ "codestar-notifications:CreateNotificationRule", "codestar-notifications:DescribeNotificationRule", "codestar-notifications:UpdateNotificationRule", "codestar-notifications:DeleteNotificationRule", "codestar-notifications:Subscribe", "codestar-notifications:Unsubscribe" ], "Resource": "*", "Condition" : { "StringLike" : {"codestar-notifications:NotificationsForResource" : "arn:aws:codecommit:*"} } }, { "Sid": "CodeStarNotificationsListAccess", "Effect": "Allow", "Action": [ "codestar-notifications:ListNotificationRules", "codestar-notifications:ListTargets", "codestar-notifications:ListTagsforResource," "codestar-notifications:ListEventTypes" ], "Resource": "*" }, { "Sid": "CodeStarNotificationsSNSTopicCreateAccess", "Effect": "Allow", "Action": [ "sns:CreateTopic", "sns:SetTopicAttributes" ], "Resource": "arn:aws:sns:*:*:codestar-notifications*" }, { "Sid": "CodeStarNotificationsChatbotAccess", "Effect": "Allow", "Action": [ "chatbot:DescribeSlackChannelConfigurations", "chatbot:ListMicrosoftTeamsChannelConfigurations" ], "Resource": "*" } ``` ### Permissions related to notifications in read-only managed policies The `AWSCodeCommitReadOnlyAccess` managed policy includes the following statements to allow read-only access to notifications. Users with this managed policy applied can view notifications for resources, but cannot create, manage, or subscribe to them. ``` { "Sid": "CodeStarNotificationsPowerUserAccess", "Effect": "Allow", "Action": [ "codestar-notifications:DescribeNotificationRule" ], "Resource": "*", "Condition" : { "StringLike" : {"codestar-notifications:NotificationsForResource" : "arn:aws:codecommit:*"} } }, { "Sid": "CodeStarNotificationsListAccess", "Effect": "Allow", "Action": [ "codestar-notifications:ListNotificationRules", "codestar-notifications:ListEventTypes", "codestar-notifications:ListTargets" ], "Resource": "*" } ``` ### Permissions related to notifications in other managed policies The `AWSCodeCommitPowerUser` managed policy includes the following statements to allow users to create, edit, and subscribe to notifications. Users cannot delete notification rules or manage tags for resources. ``` { "Sid": "CodeStarNotificationsReadWriteAccess", "Effect": "Allow", "Action": [ "codestar-notifications:CreateNotificationRule", "codestar-notifications:DescribeNotificationRule", "codestar-notifications:UpdateNotificationRule", "codestar-notifications:DeleteNotificationRule", "codestar-notifications:Subscribe", "codestar-notifications:Unsubscribe" ], "Resource": "*", "Condition" : { "StringLike" : {"codestar-notifications:NotificationsForResource" : "arn:aws:codecommit*"} } }, { "Sid": "CodeStarNotificationsListAccess", "Effect": "Allow", "Action": [ "codestar-notifications:ListNotificationRules", "codestar-notifications:ListTargets", "codestar-notifications:ListTagsforResource", "codestar-notifications:ListEventTypes" ], "Resource": "*" }, { "Sid": "SNSTopicListAccess", "Effect": "Allow", "Action": [ "sns:ListTopics" ], "Resource": "*" }, { "Sid": "CodeStarNotificationsChatbotAccess", "Effect": "Allow", "Action": [ "chatbot:DescribeSlackChannelConfigurations", "chatbot:ListMicrosoftTeamsChannelConfigurations" ], "Resource": "*" } ``` For more information about IAM and notifications, see [Identity and Access Management for AWS CodeStar Notifications](https://docs.aws.amazon.com/codestar-notifications/latest/userguide/security-iam.html). ## AWS CodeCommit managed policies and Amazon CodeGuru Reviewer CodeCommit supports Amazon CodeGuru Reviewer, an automated code review service that uses program analysis and machine learning to detect common issues and recommend fixes in your Java or Python code. Managed policies for CodeCommit include policy statements for CodeGuru Reviewer functionality. For more information, see [What Is Amazon CodeGuru Reviewer](https://docs.aws.amazon.com/codeguru/latest/reviewer-ug/welcome.html). ### Permissions related to CodeGuru Reviewer in AWSCodeCommitFullAccess The `AWSCodeCommitFullAccess` managed policy includes the following statements to allow CodeGuru Reviewer to be associated and disassociated with CodeCommit repositories. Users with this managed policy applied can also view the association status between CodeCommit repositories and CodeGuru Reviewer and view the status of review jobs for pull requests. ``` { "Sid": "AmazonCodeGuruReviewerFullAccess", "Effect": "Allow", "Action": [ "codeguru-reviewer:AssociateRepository", "codeguru-reviewer:DescribeRepositoryAssociation", "codeguru-reviewer:ListRepositoryAssociations", "codeguru-reviewer:DisassociateRepository", "codeguru-reviewer:DescribeCodeReview", "codeguru-reviewer:ListCodeReviews" ], "Resource": "*" }, { "Sid": "AmazonCodeGuruReviewerSLRCreation", "Action": "iam:CreateServiceLinkedRole", "Effect": "Allow", "Resource": "arn:aws:iam::*:role/aws-service-role/codeguru-reviewer.amazonaws.com/AWSServiceRoleForAmazonCodeGuruReviewer", "Condition": { "StringLike": { "iam:AWSServiceName": "codeguru-reviewer.amazonaws.com" } } }, { "Sid": "CloudWatchEventsManagedRules", "Effect": "Allow", "Action": [ "events:PutRule", "events:PutTargets", "events:DeleteRule", "events:RemoveTargets" ], "Resource": "*", "Condition": { "StringEquals": { "events:ManagedBy": "codeguru-reviewer.amazonaws.com" } } } ``` ### Permissions related to CodeGuru Reviewer in AWSCodeCommitPowerUser The `AWSCodeCommitPowerUser` managed policy includes the following statements to allow users to associate and disassociate repositories with CodeGuru Reviewer, view association status, and view the status of review jobs for pull requests. ``` { "Sid": "AmazonCodeGuruReviewerFullAccess", "Effect": "Allow", "Action": [ "codeguru-reviewer:AssociateRepository", "codeguru-reviewer:DescribeRepositoryAssociation", "codeguru-reviewer:ListRepositoryAssociations", "codeguru-reviewer:DisassociateRepository", "codeguru-reviewer:DescribeCodeReview", "codeguru-reviewer:ListCodeReviews" ], "Resource": "*" }, { "Sid": "AmazonCodeGuruReviewerSLRCreation", "Action": "iam:CreateServiceLinkedRole", "Effect": "Allow", "Resource": "arn:aws:iam::*:role/aws-service-role/codeguru-reviewer.amazonaws.com/AWSServiceRoleForAmazonCodeGuruReviewer", "Condition": { "StringLike": { "iam:AWSServiceName": "codeguru-reviewer.amazonaws.com" } } }, { "Sid": "CloudWatchEventsManagedRules", "Effect": "Allow", "Action": [ "events:PutRule", "events:PutTargets", "events:DeleteRule", "events:RemoveTargets" ], "Resource": "*", "Condition": { "StringEquals": { "events:ManagedBy": "codeguru-reviewer.amazonaws.com" } } } ``` ### Permissions related to CodeGuru Reviewer in AWSCodeCommitReadOnly The `AWSCodeCommitReadOnlyAccess` managed policy includes the following statements to allow read-only access to CodeGuru Reviewer association status and view the status of review jobs for pull requests. Users with this managed policy applied cannot associate or disassociate repositories. ``` { "Sid": "AmazonCodeGuruReviewerReadOnlyAccess", "Effect": "Allow", "Action": [ "codeguru-reviewer:DescribeRepositoryAssociation", "codeguru-reviewer:ListRepositoryAssociations", "codeguru-reviewer:DescribeCodeReview", "codeguru-reviewer:ListCodeReviews" ], "Resource": "*" } ``` ### Amazon CodeGuru Reviewer service-linked role When you associate a repository with CodeGuru Reviewer, a service-linked role is created so that CodeGuru Reviewer can detect issues and recommend fixes for Java or Python code in pull requests. The service-linked role is named AWSServiceRoleForAmazonCodeGuruReviewer. For more information, see [Using Service-Linked Roles for Amazon CodeGuru Reviewer](https://docs.aws.amazon.com/codeguru/latest/reviewer-ug/using-service-linked-roles.html). For more information, see [AWS Managed Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*. ## CodeCommit updates to AWS managed policies Policy updates View details about updates to AWS managed policies for CodeCommit since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on [AWS CodeCommit User Guide document history](history.md). | Change | Description | Date | | --- | --- | --- | | [AWS managed policy: AWSCodeCommitFullAccess](#managed-policies-full) and [AWS managed policy: AWSCodeCommitPowerUser](#managed-policies-poweruser) – Update to existing policies | CodeCommit added a permission to these policies to support an additional notification type using Amazon Q Developer in chat applications. The AWSCodeCommitPowerUser and AWSCodeCommitFullAccess policies have been changed to add a permission, `chatbot:ListMicrosoftTeamsChannelConfigurations`. | May 16, 2023 | | [AWS managed policy: AWSCodeCommitReadOnly](#managed-policies-read) – Update to an existing policy | CodeCommit removed a duplicate permission from the policy. The AWSCodeCommitReadOnly has been changed to remove a duplicate permission, `"iam:ListAccessKeys"`. | August 18, 2021 | | CodeCommit started tracking changes | CodeCommit started tracking changes for its AWS managed policies. | August 18, 2021 | # Customer managed policy examples You can create your own custom IAM policies to allow permissions for CodeCommit actions and resources. You can attach these custom policies to the IAM users or groups that require those permissions. You can also create your own custom IAM policies for integration between CodeCommit and other AWS services. **Topics** + [ ## Customer managed identity policy examples ](#customer-managed-policies-identity) ## Customer managed identity policy examples The following example IAM policies grant permissions for various CodeCommit actions. Use them to limit CodeCommit access for your IAM users and roles. These policies control the ability to perform actions with the CodeCommit console, API, AWS SDKs, or the AWS CLI. **Note** All examples use the US West (Oregon) Region (us-west-2) and contain fictitious account IDs. **Examples** + [Example 1: Allow a user to perform CodeCommit operations in a single AWS Region](#identity-based-policies-example-1) + [Example 2: Allow a user to use Git for a single repository](#identity-based-policies-example-2) + [Example 3: Allow a user connecting from a specified IP address range access to a repository](#identity-based-policies-example-3) + [Example 4: Deny or allow actions on branches](#identity-based-policies-example-4) + [Example 5: Deny or allow actions on repositories with tags](#identity-based-policies-example-5) ### Example 1: Allow a user to perform CodeCommit operations in a single AWS Region The following permissions policy uses a wildcard character (`"codecommit:*"`) to allow users to perform all CodeCommit actions in the us-east-2 Region and not from other AWS Regions. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codecommit:*", "Resource": "arn:aws:codecommit:us-east-2:111111111111:*", "Condition": { "StringEquals": { "aws:RequestedRegion": "us-east-2" } } }, { "Effect": "Allow", "Action": "codecommit:ListRepositories", "Resource": "*", "Condition": { "StringEquals": { "aws:RequestedRegion": "us-east-2" } } } ] } ``` ------ ### Example 2: Allow a user to use Git for a single repository In CodeCommit, the `GitPull` IAM policy permissions apply to any Git client command where data is retrieved from CodeCommit, including **git fetch**, **git clone**, and so on. Similarly, the `GitPush` IAM policy permissions apply to any Git client command where data is sent to CodeCommit. For example, if the `GitPush` IAM policy permission is set to `Allow`, a user can push the deletion of a branch using the Git protocol. That push is unaffected by any permissions applied to the `DeleteBranch` operation for that IAM user. The `DeleteBranch` permission applies to actions performed with the console, the AWS CLI, the SDKs, and the API, but not the Git protocol. The following example allows the specified user to pull from, and push to, the CodeCommit repository named `MyDemoRepo`: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement" : [ { "Effect" : "Allow", "Action" : [ "codecommit:GitPull", "codecommit:GitPush" ], "Resource" : "arn:aws:codecommit:us-east-2:111122223333:MyDemoRepo" } ] } ``` ------ ### Example 3: Allow a user connecting from a specified IP address range access to a repository You can create a policy that only allows users to connect to a CodeCommit repository if their IP address is within a certain IP address range. There are two equally valid approaches to this. You can create a `Deny` policy that disallows CodeCommit operations if the IP address for the user is not within a specific block, or you can create an `Allow` policy that allows CodeCommit operations if the IP address for the user is within a specific block. You can create a `Deny` policy that denies access to all users who are not within a certain IP range. For example, you could attach the AWSCodeCommitPowerUser managed policy and a customer-managed policy to all users who require access to your repository. The following example policy denies all CodeCommit permissions to users whose IP addresses are not within the specified IP address block of 203.0.113.0/16: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "codecommit:*" ], "Resource": "*", "Condition": { "NotIpAddress": { "aws:SourceIp": [ "203.0.113.0/16" ] } } } ] } ``` ------ The following example policy allows the specified user to access a CodeCommit repository named MyDemoRepo with the equivalent permissions of the AWSCodeCommitPowerUser managed policy only if their IP address is within the specified address block of 203.0.113.0/16: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "codecommit:BatchGetRepositories", "codecommit:CreateBranch", "codecommit:CreateRepository", "codecommit:Get*", "codecommit:GitPull", "codecommit:GitPush", "codecommit:List*", "codecommit:Put*", "codecommit:Post*", "codecommit:Merge*", "codecommit:TagResource", "codecommit:Test*", "codecommit:UntagResource", "codecommit:Update*" ], "Resource": "arn:aws:codecommit:us-east-2:111122223333:MyDemoRepo", "Condition": { "IpAddress": { "aws:SourceIp": [ "203.0.113.0/16" ] } } } ] } ``` ------ ### Example 4: Deny or allow actions on branches You can create a policy that denies users permissions to actions you specify on one or more branches. Alternatively, you can create a policy that allows actions on one or more branches that they might not otherwise have in other branches of a repository. You can use these policies with the appropriate managed (predefined) policies. For more information, see [Limit pushes and merges to branches in AWS CodeCommit](how-to-conditional-branch.md). For example, you can create a `Deny` policy that denies users the ability to make changes to a branch named main, including deleting that branch, in a repository named *MyDemoRepo*. You can use this policy with the **AWSCodeCommitPowerUser** managed policy. Users with these two policies applied would be able to create and delete branches, create pull requests, and all other actions as allowed by **AWSCodeCommitPowerUser**, but they would not be able to push changes to the branch named *main*, add or edit a file in the *main* branch in the CodeCommit console, or merge branches or a pull request into the *main* branch. Because `Deny` is applied to `GitPush`, you must include a `Null` statement in the policy, to allow initial `GitPush` calls to be analyzed for validity when users make pushes from their local repos. **Tip** If you want to create a policy that applies to all branches named *main* in all repositories in your Amazon Web Services account, for `Resource`, specify an asterisk ( `*` ) instead of a repository ARN. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "codecommit:GitPush", "codecommit:DeleteBranch", "codecommit:PutFile", "codecommit:Merge*" ], "Resource": "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo", "Condition": { "StringEqualsIfExists": { "codecommit:References": [ "refs/heads/main" ] }, "Null": { "codecommit:References": "false" } } } ] } ``` ------ The following example policy allows a user to make changes to a branch named main in all repositories in an Amazon Web Services account. It does not allow changes to any other branches. You might use this policy with the AWSCodeCommitReadOnly managed policy to allow automated pushes to the repository in the main branch. Because the Effect is `Allow`, this example policy would not work with managed policies such as AWSCodeCommitPowerUser. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "codecommit:GitPush", "codecommit:Merge*" ], "Resource": "*", "Condition": { "StringEqualsIfExists": { "codecommit:References": [ "refs/heads/main" ] } } } ] } ``` ------ ### Example 5: Deny or allow actions on repositories with tags You can create a policy that allows or denies actions on repositories based on the AWS tags associated with those repositories, and then apply those policies to the IAM groups you configure for managing IAM users. For example, you can create a policy that denies all CodeCommit actions on any repositories with the AWS tag key *Status* and the key value of *Secret*, and then apply that policy to the IAM group you created for general developers (*Developers*). You then need to make sure that the developers working on those tagged repositories are not members of that general *Developers* group, but belong instead to a different IAM group that does not have the restrictive policy applied (*SecretDevelopers*). The following example denies all CodeCommit actions on repositories tagged with the key *Status* and the key value of *Secret*: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "codecommit:Associate*", "codecommit:Batch*", "codecommit:CancelUploadArchive", "codecommit:CreateBranch", "codecommit:CreateCommit", "codecommit:CreatePullRequest*", "codecommit:CreateRepository", "codecommit:CreateUnreferencedMergeCommit", "codecommit:DeleteBranch", "codecommit:DeleteCommentContent", "codecommit:DeleteFile", "codecommit:DeletePullRequest*", "codecommit:DeleteRepository", "codecommit:Describe*", "codecommit:DisassociateApprovalRuleTemplateFromRepository", "codecommit:EvaluatePullRequestApprovalRules", "codecommit:GetBlob", "codecommit:GetBranch", "codecommit:GetComment*", "codecommit:GetCommit", "codecommit:GetDifferences*", "codecommit:GetFile", "codecommit:GetFolder", "codecommit:GetMerge*", "codecommit:GetObjectIdentifier", "codecommit:GetPullRequest*", "codecommit:GetReferences", "codecommit:GetRepository*", "codecommit:GetTree", "codecommit:GetUploadArchiveStatus", "codecommit:Git*", "codecommit:ListAssociatedApprovalRuleTemplatesForRepository", "codecommit:ListBranches", "codecommit:ListPullRequests", "codecommit:ListTagsForResource", "codecommit:Merge*", "codecommit:OverridePullRequestApprovalRules", "codecommit:Post*", "codecommit:Put*", "codecommit:TagResource", "codecommit:TestRepositoryTriggers", "codecommit:UntagResource", "codecommit:UpdateComment", "codecommit:UpdateDefaultBranch", "codecommit:UpdatePullRequest*", "codecommit:UpdateRepository*", "codecommit:UploadArchive" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/Status": "Secret" } } } ] } ``` ------ You can further refine this strategy by specifying specific repositories, rather than all repositories, as resources. You can also create policies that allow CodeCommit actions on all repositories that are not tagged with specific tags. For example, the following policy allows the equivalent of **AWSCodeCommitPowerUser** permissions for CodeCommit actions, except that it only allows CodeCommit actions on repositories not tagged with the specified tags: **Note** This policy example only includes actions for CodeCommit. It does not include actions for other AWS services that are included in the **AWSCodeCommitPowerUser** managed policy. For more information, see .[AWS managed policy: AWSCodeCommitPowerUser](security-iam-awsmanpol.md#managed-policies-poweruser). ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "codecommit:Associate*", "codecommit:Batch*", "codecommit:CancelUploadArchive", "codecommit:CreateBranch", "codecommit:CreateCommit", "codecommit:CreatePullRequest*", "codecommit:CreateRepository", "codecommit:CreateUnreferencedMergeCommit", "codecommit:DeleteBranch", "codecommit:DeleteCommentContent", "codecommit:DeleteFile", "codecommit:DeletePullRequest*", "codecommit:Describe*", "codecommit:DisassociateApprovalRuleTemplateFromRepository", "codecommit:EvaluatePullRequestApprovalRules", "codecommit:GetBlob", "codecommit:GetBranch", "codecommit:GetComment*", "codecommit:GetCommit", "codecommit:GetDifferences*", "codecommit:GetFile", "codecommit:GetFolder", "codecommit:GetMerge*", "codecommit:GetObjectIdentifier", "codecommit:GetPullRequest*", "codecommit:GetReferences", "codecommit:GetRepository*", "codecommit:GetTree", "codecommit:GetUploadArchiveStatus", "codecommit:Git*", "codecommit:ListAssociatedApprovalRuleTemplatesForRepository", "codecommit:ListBranches", "codecommit:ListPullRequests", "codecommit:ListTagsForResource", "codecommit:Merge*", "codecommit:OverridePullRequestApprovalRules", "codecommit:Post*", "codecommit:Put*", "codecommit:TagResource", "codecommit:TestRepositoryTriggers", "codecommit:UntagResource", "codecommit:UpdateComment", "codecommit:UpdateDefaultBranch", "codecommit:UpdatePullRequest*", "codecommit:UpdateRepository*", "codecommit:UploadArchive" ], "Resource": "*", "Condition": { "StringNotEquals": { "aws:ResourceTag/Status": "Secret", "aws:ResourceTag/Team": "Saanvi" } } }, { "Effect": "Allow", "Action": [ "codecommit:CreateApprovalRuleTemplate", "codecommit:GetApprovalRuleTemplate", "codecommit:ListApprovalRuleTemplates", "codecommit:ListRepositories", "codecommit:ListRepositoriesForApprovalRuleTemplate", "codecommit:UpdateApprovalRuleTemplateContent", "codecommit:UpdateApprovalRuleTemplateDescription", "codecommit:UpdateApprovalRuleTemplateName" ], "Resource": "*" } ] } ``` ------