Identity and access management for AWS CodeStar Notifications and AWS CodeConnections

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be authenticated (signed in) and authorized (have permissions) to use AWS CodeStar Notifications and AWS CodeConnections resources. IAM is an AWS service that you can use with no additional charge.

Audience

How you use AWS Identity and Access Management (IAM) differs based on your role:

Authenticating with identities

Authentication is how you sign in to AWS using your identity credentials. You must be authenticated as the AWS account root user, an IAM user, or by assuming an IAM role.

You can sign in as a federated identity using credentials from an identity source like AWS IAM Identity Center (IAM Identity Center), single sign-on authentication, or Google/Facebook credentials. For more information about signing in, see How to sign in to your AWS account in the AWS Sign-In User Guide.

For programmatic access, AWS provides an SDK and CLI to cryptographically sign requests. For more information, see AWS Signature Version 4 for API requests in the IAM User Guide.

AWS account root user

When you create an AWS account, you begin with one sign-in identity called the AWS account root user that has complete access to all AWS services and resources. We strongly recommend that you don't use the root user for everyday tasks. For tasks that require root user credentials, see Tasks that require root user credentials in the IAM User Guide.

IAM users and groups

An IAM user is an identity with specific permissions for a single person or application. We recommend using temporary credentials instead of IAM users with long-term credentials. For more information, see Require human users to use federation with an identity provider to access AWS using temporary credentials in the IAM User Guide.

An IAM group specifies a collection of IAM users and makes permissions easier to manage for large sets of users. For more information, see Use cases for IAM users in the IAM User Guide.

IAM roles

An IAM role is an identity with specific permissions that provides temporary credentials. You can assume a role by switching from a user to an IAM role (console) or by calling an AWS CLI or AWS API operation. For more information, see Methods to assume a role in the IAM User Guide.

IAM roles are useful for federated user access, temporary IAM user permissions, cross-account access, cross-service access, and applications running on Amazon EC2. For more information, see Cross account resource access in IAM in the IAM User Guide.

Managing access using policies

You control access in AWS by creating policies and attaching them to AWS identities or resources. A policy defines permissions when associated with an identity or resource. AWS evaluates these policies when a principal makes a request. Most policies are stored in AWS as JSON documents. For more information about JSON policy documents, see Overview of JSON policies in the IAM User Guide.

Using policies, administrators specify who has access to what by defining which principal can perform actions on what resources, and under what conditions.

By default, users and roles have no permissions. An IAM administrator creates IAM policies and adds them to roles, which users can then assume. IAM policies define permissions regardless of the method used to perform the operation.

Identity-based policies

Identity-based policies are JSON permissions policy documents that you attach to an identity (user, group, or role). These policies control what actions identities can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see Define custom IAM permissions with customer managed policies in the IAM User Guide.

Identity-based policies can be inline policies (embedded directly into a single identity) or managed policies (standalone policies attached to multiple identities). To learn how to choose between managed and inline policies, see Choose between managed policies and inline policies in the IAM User Guide.

AWS CodeConnections permissions reference

The following tables list each AWS CodeConnections API operation, the corresponding actions for which you can grant permissions, and the format of the resource ARN to use for granting permissions. The AWS CodeConnections APIs are grouped into tables based on the scope of the actions allowed by that API. Refer to it when writing permissions policies that you can attach to an IAM identity (identity-based policies).

When you create a permissions policy, you specify the actions in the policy's Action field. You specify the resource value in the policy's Resource field as an ARN, with or without a wildcard character (*).

To express conditions in your connections policies, use the condition keys described here and listed in Condition keys. You can also use AWS-wide condition keys. For a complete list of AWS-wide keys, see Available keys in the IAM User Guide.

To specify an action, use the codeconnections prefix followed by the API operation name (for example, codeconnections:ListConnections or codeconnections:CreateConnection.

Using wildcards

To specify multiple actions or resources, use a wildcard character (*) in your ARN. For example, codeconnections:* specifies all AWS CodeConnections actions and codeconnections:Get* specifies all AWS CodeConnections actions that begin with the word Get. The following example grants access to all resources with names that begin with MyConnection.

arn:aws:codeconnections:us-west-2:account-ID:connection/*

You can use wildcards only with the connection resources listed in the following table. You can't use wildcards with region or account-id resources. For more information about wildcards, see IAM identifiers in IAM User Guide.

Permissions for managing connections

A role or user designated to use the AWS CLI or SDK to view, create, or delete connections should have permissions limited to the following.

codeconnections:CreateConnection
codeconnections:DeleteConnection
codeconnections:GetConnection
codeconnections:ListConnections

Use the scroll bars to see the rest of the table.

These operations support the following condition keys:

Permissions for managing hosts

A role or user designated to use the AWS CLI or SDK to view, create, or delete hosts should have permissions limited to the following.

codeconnections:CreateHost
codeconnections:DeleteHost
codeconnections:GetHost
codeconnections:ListHosts

Use the scroll bars to see the rest of the table.

These operations support the following condition keys:

For an example policy that uses the VpcId condition key, see Example: Limit host VPC permissions using the VpcId context key .

Permissions for completing connections

A role or user designated to manage connections in the console should have the permissions required to complete a connection in the console and create an installation, which includes authorizing the handshake to the provider and creating installations for connections to use. Use the following permissions in addition to the permissions above.

The following IAM operations are used by the console when performing a browser-based handshake. The ListInstallationTargets, GetInstallationUrl, StartOAuthHandshake, UpdateConnectionInstallation, and GetIndividualAccessToken are IAM policy permissions. They are not API actions.

codeconnections:GetIndividualAccessToken
codeconnections:GetInstallationUrl
codeconnections:ListInstallationTargets
codeconnections:StartOAuthHandshake
codeconnections:UpdateConnectionInstallation

Based on this, the following permissions are needed to use, create, update, or delete a connection in the console.

codeconnections:CreateConnection
codeconnections:DeleteConnection
codeconnections:GetConnection
codeconnections:ListConnections
codeconnections:UseConnection
codeconnections:ListInstallationTargets
codeconnections:GetInstallationUrl
codeconnections:StartOAuthHandshake
codeconnections:UpdateConnectionInstallation
codeconnections:GetIndividualAccessToken

Use the scroll bars to see the rest of the table.

These operations support the following condition keys.

Permissions for setting up hosts

A role or user designated to manage connections in the console should have the permissions required to set up a host in the console, which includes authorizing the handshake to the provider and installing the host app. Use the following permissions in addition to the permissions for hosts above.

The following IAM operations are used by the console when performing a browser-based host registration. RegisterAppCode and StartAppRegistrationHandshake are IAM policy permissions. They are not API actions.

codeconnections:RegisterAppCode
codeconnections:StartAppRegistrationHandshake

Based on this, the following permissions are needed to use, create, update, or delete a connection in the console that requires a host (such as installed provider types).

codeconnections:CreateConnection
codeconnections:DeleteConnection
codeconnections:GetConnection
codeconnections:ListConnections
codeconnections:UseConnection
codeconnections:ListInstallationTargets
codeconnections:GetInstallationUrl
codeconnections:StartOAuthHandshake
codeconnections:UpdateConnectionInstallation
codeconnections:GetIndividualAccessToken
codeconnections:RegisterAppCode
codeconnections:StartAppRegistrationHandshake

Use the scroll bars to see the rest of the table.

These operations support the following condition keys.

Passing a connection to a service

When a connection is passed to a service (for example, when a connection ARN is provided in a pipeline definition to create or update a pipeline) the user must have the codeconnections:PassConnection permission.

Use the scroll bars to see the rest of the table.

This operation also supports the following condition key:

Using a connection

When a service like CodePipeline uses a connection, the service role must have the codeconnections:UseConnection permission for a given connection.

To manage connections in the console, the user policy must have the codeconnections:UseConnection permission.

Use the scroll bars to see the rest of the table.

This operation also supports the following condition keys:

The required condition keys for some functionality might change over time. We recommend that you use codeconnections:UseConnection to control access to a connection unless your access control requirements require different permissions.

Supported access types for ProviderAction

When a connection is used by an AWS service, it results in API calls being made to your source code provider. For example, a service might list repositories for a Bitbucket connection by calling the https://api.bitbucket.org/2.0/repositories/username API.

The ProviderAction condition key allows you to restrict which APIs on a provider can be called. Because the API path might be generated dynamically, and the path varies from provider to provider, the ProviderAction value is mapped to an abstract action name rather than the URL of the API. This allows you to write policies that have the same effect regardless of the provider type for the connection.

The following are the access types that are granted for each of the supported ProviderAction values. The following are IAM policy permissions. They are not API actions.

Use the scroll bars to see the rest of the table.

Supported permissions for tagging connection resources

The following IAM operations are used when tagging connection resources.

codeconnections:ListTagsForResource
codeconnections:TagResource
codeconnections:UntagResource

Use the scroll bars to see the rest of the table.

Passing a connection to a repository link

When a repository-link is provided in a sync configuration, the user must have the codeconnections:PassRepository permission for the repository-link ARN/resource.

Use the scroll bars to see the rest of the table.

This operation also supports the following condition key:

Supported condition key for repository links

Operations for repository links and sync configuration resources are supported by the following condition key:

Supported permissions for connection sharing

The following IAM operations are used when sharing connections.

codeconnections:GetResourcePolicy

Use the scroll bars to see the rest of the table.

For more information on connection sharing, see Share connections with AWS accounts.

Using notifications and connections in the console

The notifications experience is built into the CodeBuild, CodeCommit, CodeDeploy, and CodePipeline consoles, as well as in the Developer Tools console in the Settings navigation bar itself. To access notifications in the consoles, you must either have one of the managed policies for those services applied, or you must have a minimum set of permissions. These permissions must allow you to list and view details about the AWS CodeStar Notifications and AWS CodeConnections resources in your AWS account. If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for entities (IAM users or roles) with that policy. For more information about granting access to AWS CodeBuild, AWS CodeCommit, AWS CodeDeploy, and AWS CodePipeline, including access to those consoles, see the following topics:

AWS CodeStar Notifications does not have any AWS managed policies. To provide access to notification functionality, you must either apply one of the managed policies for one of the services listed previously, or you must create policies with the level of permission you want to grant to users or entities, and then attach those policies to the users, groups, or roles that require those permissions. For more information and examples, see the following:

AWS CodeConnections does not have any AWS managed policies. You use the permissions and combinations of permissions for access, such as the permissions detailed in Permissions for completing connections.

For more information, see the following:

You don't need to allow console permissions for users that are making calls only to the AWS CLI or the AWS API. Instead, allow access to only the actions that match the API operation that you're trying to perform.

Allow users to view their own permissions

This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the AWS CLI or AWS API.

{
    "Version": "2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "ViewOwnUserInfo",
            "Effect": "Allow",
            "Action": [
                "iam:GetUserPolicy",
                "iam:ListGroupsForUser",
                "iam:ListAttachedUserPolicies",
                "iam:ListUserPolicies",
                "iam:GetUser"
            ],
            "Resource": ["arn:aws:iam::*:user/${aws:username}"]
        },
        {
            "Sid": "NavigateInConsole",
            "Effect": "Allow",
            "Action": [
                "iam:GetGroupPolicy",
                "iam:GetPolicyVersion",
                "iam:GetPolicy",
                "iam:ListAttachedGroupPolicies",
                "iam:ListGroupPolicies",
                "iam:ListPolicyVersions",
                "iam:ListPolicies",
                "iam:ListUsers"
            ],
            "Resource": "*"
        }
    ]
}