

# Identity-based policy examples
<a name="security_iam_id-based-policy-examples"></a>

By default, IAM users and roles that have one of the managed policies for AWS CodeCommit, AWS CodeBuild, AWS CodeDeploy, or AWS CodePipeline applied have permissions for connections, notifications, and notification rules that align with the intent of those policies. For example, IAM users or roles that have one of the full access policies (**AWSCodeCommitFullAccess**, **AWSCodeBuildAdminAccess**, **AWSCodeDeployFullAccess**, or **AWSCodePipeline_FullAccess**) applied to them also have full access to the notifications and notification rules created for the resources of those services.

Other IAM users and roles don't have permission to create or modify AWS CodeStar Notifications and AWS CodeConnections resources. They also can't perform tasks using the AWS Management Console, AWS CLI, or AWS API. An IAM administrator must create IAM policies that grant users and roles permission to perform API operations on the specified resources they need. The administrator must then attach those policies to the IAM users or groups that require those permissions.

# Permissions and examples for AWS CodeStar Notifications
<a name="security_iam_id-based-policy-examples-notifications"></a>

The following policy statements and examples can help you manage AWS CodeStar Notifications.

## Permissions related to notifications in full access managed policies
<a name="notifications-fullaccess"></a>

The **AWSCodeCommitFullAccess**, **AWSCodeBuildAdminAccess**, **AWSCodeDeployFullAccess**, and **AWSCodePipeline_FullAccess** managed policies include the following statements to allow full access to notifications in the Developer Tools console. Users with one of these managed policies applied can also create and manage Amazon SNS topics for notifications, subscribe and unsubscribe users to topics, and list topics to choose as targets for notification rules.

**Note**  
In the managed policy, the condition key `codestar-notifications:NotificationsForResource` has a value specific to the resource type for the service. For example, in the full access policy for CodeCommit, the value is `arn:aws:codecommit:*`.

```
    {
        "Sid": "CodeStarNotificationsReadWriteAccess",
        "Effect": "Allow",
        "Action": [
            "codestar-notifications:CreateNotificationRule",
            "codestar-notifications:DescribeNotificationRule",
            "codestar-notifications:UpdateNotificationRule",
            "codestar-notifications:DeleteNotificationRule",
            "codestar-notifications:Subscribe",
            "codestar-notifications:Unsubscribe"
        ],
        "Resource": "*",
        "Condition": {
            "StringLike": {"codestar-notifications:NotificationsForResource": "arn:aws:<vendor-code>:*"}
        }
    },
    {
        "Sid": "CodeStarNotificationsListAccess",
        "Effect": "Allow",
        "Action": [
            "codestar-notifications:ListNotificationRules",
            "codestar-notifications:ListTargets",
            "codestar-notifications:ListTagsforResource",
            "codestar-notifications:ListEventTypes"
        ],
        "Resource": "*"
    },
    {
        "Sid": "CodeStarNotificationsSNSTopicCreateAccess",
        "Effect": "Allow",
        "Action": [
            "sns:CreateTopic",
            "sns:SetTopicAttributes"
        ],
        "Resource": "arn:aws:sns:*:*:codestar-notifications*"
    },
    {
        "Sid": "SNSTopicListAccess",
        "Effect": "Allow",
        "Action": [
            "sns:ListTopics"
        ],
        "Resource": "*"
    },
    {
        "Sid": "CodeStarNotificationsChatbotAccess",
        "Effect": "Allow",
        "Action": [
            "chatbot:DescribeSlackChannelConfigurations",
            "chatbot:ListMicrosoftTeamsChannelConfigurations"
        ],
        "Resource": "*"
    }
```

## Permissions related to notifications in read-only managed policies
<a name="notifications-readonly"></a>

The **AWSCodeCommitReadOnlyAccess**, **AWSCodeBuildReadOnlyAccess**, **AWSCodeDeployReadOnlyAccess**, and **AWSCodePipeline_ReadOnlyAccess** managed policies include the following statements to allow read-only access to notifications. Users with one of these managed policies applied can view notifications for resources in the Developer Tools console, but cannot create, manage, or subscribe to them.

**Note**  
In the managed policy, the condition key `codestar-notifications:NotificationsForResource` has a value specific to the resource type for the service. For example, in the full access policy for CodeCommit, the value is `arn:aws:codecommit:*`.

```
    {
        "Sid": "CodeStarNotificationsPowerUserAccess",
        "Effect": "Allow",
        "Action": [
            "codestar-notifications:DescribeNotificationRule"
        ],
        "Resource": "*",
        "Condition": {
            "StringLike": {"codestar-notifications:NotificationsForResource": "arn:aws:<vendor-code>:*"}
        }
    },
    {
        "Sid": "CodeStarNotificationsListAccess",
        "Effect": "Allow",
        "Action": [
            "codestar-notifications:ListNotificationRules",
            "codestar-notifications:ListEventTypes",
            "codestar-notifications:ListTargets"
        ],
        "Resource": "*"
    }
```

## Permissions related to notifications in other managed policies
<a name="notifications-otheraccess"></a>

The **AWSCodeCommitPowerUser**, **AWSCodeBuildDeveloperAccess**, and **AWSCodeDeployDeveloperAccess** managed policies include the following statements to allow developers with one of these managed policies applied to create, edit, and subscribe to notifications. They cannot delete notification rules or manage tags for resources.

**Note**  
In the managed policy, the condition key `codestar-notifications:NotificationsForResource` has a value specific to the resource type for the service. For example, in the full access policy for CodeCommit, the value is `arn:aws:codecommit:*`.

```
    {
        "Sid": "CodeStarNotificationsReadWriteAccess",
        "Effect": "Allow",
        "Action": [
            "codestar-notifications:CreateNotificationRule",
            "codestar-notifications:DescribeNotificationRule",
            "codestar-notifications:UpdateNotificationRule",
            "codestar-notifications:Subscribe",
            "codestar-notifications:Unsubscribe"
        ],
        "Resource": "*",
        "Condition": {
            "StringLike": {"codestar-notifications:NotificationsForResource": "arn:aws:<vendor-code>:*"}
        }
    },
    {
        "Sid": "CodeStarNotificationsListAccess",
        "Effect": "Allow",
        "Action": [
            "codestar-notifications:ListNotificationRules",
            "codestar-notifications:ListTargets",
            "codestar-notifications:ListTagsforResource",
            "codestar-notifications:ListEventTypes"
        ],
        "Resource": "*"
    },
    {
        "Sid": "SNSTopicListAccess",
        "Effect": "Allow",
        "Action": [
            "sns:ListTopics"
        ],
        "Resource": "*"
    },
    {
        "Sid": "CodeStarNotificationsChatbotAccess",
        "Effect": "Allow",
        "Action": [
            "chatbot:DescribeSlackChannelConfigurations",
            "chatbot:ListMicrosoftTeamsChannelConfigurations"
        ],
        "Resource": "*"
    }
```

## Example: An administrator-level policy for managing AWS CodeStar Notifications
<a name="security_iam_id-based-policy-examples-notifications-full-access"></a>

In this example, you want to grant an IAM user in your AWS account full access to AWS CodeStar Notifications so that the user can review details of notification rules and list notification rules, targets, and event types. You also want to allow the user to add, update, and delete notification rules. This is a full access policy, equivalent to the notification permissions included as part of the **AWSCodeBuildAdminAccess**, **AWSCodeCommitFullAccess**, **AWSCodeDeployFullAccess**, and **AWSCodePipeline_FullAccess** managed policies. Like those managed policies, you should attach this kind of policy statement only to IAM users, groups, or roles that require full administrative access to notifications and notification rules across your AWS account.

**Note**  
This policy allows `CreateNotificationRule`. Any user with this policy applied to their IAM user or role can create notification rules for any and all resource types supported by AWS CodeStar Notifications in the AWS account, even if that user does not have access to those resources themselves. For example, a user with this policy could create a notification rule for a CodeCommit repository without having permissions to access CodeCommit itself.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCodeStarNotificationsFullAccess",
            "Effect": "Allow",
            "Action": [
                "codestar-notifications:CreateNotificationRule",
                "codestar-notifications:DeleteNotificationRule",
                "codestar-notifications:DescribeNotificationRule",
                "codestar-notifications:ListNotificationRules",
                "codestar-notifications:UpdateNotificationRule",
                "codestar-notifications:Subscribe",
                "codestar-notifications:Unsubscribe",
                "codestar-notifications:DeleteTarget",
                "codestar-notifications:ListTargets",
                "codestar-notifications:ListTagsforResource",
                "codestar-notifications:TagResource",
                "codestar-notifications:UntagResource"
            ],
            "Resource": "*"
        }
    ]
}
```


## Example: A contributor-level policy for using AWS CodeStar Notifications
<a name="security_iam_id-based-policy-examples-notifications-contributor"></a>

In this example, you want to grant access to the day-to-day usage of AWS CodeStar Notifications, such as creating and subscribing to notifications, but not to more destructive actions, such as deleting notification rules or targets. This is equivalent to the access provided in the **AWSCodeBuildDeveloperAccess**, **AWSCodeDeployDeveloperAccess**, and **AWSCodeCommitPowerUser** managed policies.

**Note**  
This policy allows `CreateNotificationRule`. Any user with this policy applied to their IAM user or role can create notification rules for any and all resource types supported by AWS CodeStar Notifications in the AWS account, even if that user does not have access to those resources themselves. For example, a user with this policy could create a notification rule for a CodeCommit repository without having permissions to access CodeCommit itself.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCodeStarNotificationsPowerUserAccess",
            "Effect": "Allow",
            "Action": [
                "codestar-notifications:CreateNotificationRule",
                "codestar-notifications:DescribeNotificationRule",
                "codestar-notifications:ListNotificationRules",
                "codestar-notifications:UpdateNotificationRule",
                "codestar-notifications:Subscribe",
                "codestar-notifications:Unsubscribe",
                "codestar-notifications:ListTargets",
                "codestar-notifications:ListTagsforResource"
            ],
            "Resource": "*"
        }
    ]
}
```

## Example: A read-only-level policy for using AWS CodeStar Notifications
<a name="security_iam_id-based-policy-examples-notifications-read-only"></a>

In this example, you want to grant an IAM user in your account read-only access to the notification rules, targets, and event types in your AWS account. This example shows how you might create a policy that allows viewing these items. This is equivalent to the permissions included as part of the **AWSCodeBuildReadOnlyAccess**, **AWSCodeCommitReadOnlyAccess**, and **AWSCodePipeline_ReadOnlyAccess** managed policies.

```
{
    "Version": "2012-10-17",
    "Id": "CodeNotificationforReadOnly",
    "Statement": [
        {
            "Sid": "ReadsAccess",
            "Effect": "Allow",
            "Action": [
                "codestar-notifications:DescribeNotificationRule",
                "codestar-notifications:ListNotificationRules",
                "codestar-notifications:ListTargets",
                "codestar-notifications:ListEventTypes"
            ],
            "Resource": "*"
        }
    ]
}
```


# Permissions and examples for AWS CodeConnections
<a name="security_iam_id-based-policy-examples-connections"></a>

The following policy statements and examples can help you manage AWS CodeConnections.

For information about how to create an IAM identity-based policy using these example JSON policy documents, see [Creating policies on the JSON tab](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-json-editor) in the *IAM User Guide*. 

## Example: A policy for creating AWS CodeConnections with the CLI and viewing with the console
<a name="security_iam_id-based-policy-examples-connections-clisdk"></a>

A role or user designated to use the AWS CLI or SDK to view, create, tag, or delete connections should have permissions limited to the following.

**Note**  
You cannot complete a connection in the console with only the following permissions. You need to add the permissions in the next section.

To use the console to view a list of available connections, view tags, and use a connection, use the following policy.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ConnectionsFullAccess",
            "Effect": "Allow",
            "Action": [
                "codeconnections:CreateConnection",
                "codeconnections:DeleteConnection",
                "codeconnections:UseConnection",
                "codeconnections:GetConnection",
                "codeconnections:ListConnections",
                "codeconnections:TagResource",
                "codeconnections:ListTagsForResource",
                "codeconnections:UntagResource"
            ],
            "Resource": "*"
        }
    ]
}
```


## Example: A policy for creating AWS CodeConnections with the console
<a name="security_iam_id-based-policy-examples-connections-console"></a>

A role or user designated to manage connections in the console should have the permissions required to complete a connection in the console and create an installation, which includes authorizing the handshake to the provider and creating installations for connections to use. `UseConnection` should also be added to use the connection in the console. Use the following policy to view, use, create, tag, or delete a connection in the console.

**Note**  
Beginning July 1, 2024, the console creates connections with `codeconnections` in the resource ARN. Resources with both service prefixes will continue to display in the console.

**Note**  
For resources created using the console, policy statement actions must include `codestar-connections` as the service prefix as shown in the following example.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "codestar-connections:CreateConnection",
                "codestar-connections:DeleteConnection",
                "codestar-connections:GetConnection",
                "codestar-connections:ListConnections",
                "codestar-connections:GetInstallationUrl",
                "codestar-connections:GetIndividualAccessToken",
                "codestar-connections:ListInstallationTargets",
                "codestar-connections:StartOAuthHandshake",
                "codestar-connections:UpdateConnectionInstallation",
                "codestar-connections:UseConnection",
                "codestar-connections:TagResource",
                "codestar-connections:ListTagsForResource",
                "codestar-connections:UntagResource"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```


## Example: An administrator-level policy for managing AWS CodeConnections
<a name="security_iam_id-based-policy-examples-connections-fullaccess"></a>

In this example, you want to grant an IAM user in your AWS account full access to CodeConnections so that the user can add, update, and delete connections. This is a full access policy, equivalent to the **AWSCodePipeline_FullAccess** managed policy. Like that managed policy, you should attach this kind of policy statement only to IAM users, groups, or roles that require full administrative access to connections across your AWS account.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ConnectionsFullAccess",
            "Effect": "Allow",
            "Action": [
                "codeconnections:CreateConnection",
                "codeconnections:DeleteConnection",
                "codeconnections:UseConnection",
                "codeconnections:GetConnection",
                "codeconnections:ListConnections",
                "codeconnections:ListInstallationTargets",
                "codeconnections:GetInstallationUrl",
                "codeconnections:StartOAuthHandshake",
                "codeconnections:UpdateConnectionInstallation",
                "codeconnections:GetIndividualAccessToken",
                "codeconnections:TagResource",
                "codeconnections:ListTagsForResource",
                "codeconnections:UntagResource"
            ],
            "Resource": "*"
        }
    ]
}
```


## Example: A contributor-level policy for using AWS CodeConnections
<a name="security_iam_id-based-policy-examples-connections-contributor"></a>

In this example, you want to grant access to the day-to-day usage of CodeConnections, such as creating and viewing details of connections, but not to more destructive actions, such as deleting connections.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCodeConnectionsPowerUserAccess",
            "Effect": "Allow",
            "Action": [
                "codeconnections:CreateConnection",
                "codeconnections:UseConnection",
                "codeconnections:GetConnection",
                "codeconnections:ListConnections",
                "codeconnections:ListInstallationTargets",
                "codeconnections:GetInstallationUrl",
                "codeconnections:GetIndividualAccessToken",
                "codeconnections:StartOAuthHandshake",
                "codeconnections:UpdateConnectionInstallation",
                "codeconnections:ListTagsForResource"
            ],
            "Resource": "*"
        }
    ]
}
```


## Example: A read-only-level policy for using AWS CodeConnections
<a name="security_iam_id-based-policy-examples-connections-readonly"></a>

In this example, you want to grant an IAM user in your account read-only access to the connections in your AWS account. This example shows how you might create a policy that allows viewing these items.

```
{
    "Version": "2012-10-17",
    "Id": "ConnectionsforReadOnly",
    "Statement": [
        {
            "Sid": "ReadsAPIAccess",
            "Effect": "Allow",
            "Action": [
                "codeconnections:GetConnection",
                "codeconnections:ListConnections",
                "codeconnections:ListInstallationTargets",
                "codeconnections:GetInstallationUrl",
                "codeconnections:ListTagsForResource"
            ],
            "Resource": "*"
        }
    ]
}
```

<a name="security_iam_id-based-policy-examples-connections-use"></a>

## Example: Limit host VPC permissions using the **VpcId** context key
<a name="security_iam_id-based-policy-examples-connections-vpc"></a>

In the following example, you use the **VpcId** context key to limit the creation and management of hosts to hosts in a specified VPC.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "codeconnections:CreateHost",
                "codeconnections:UpdateHost"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "codeconnections:VpcId": "vpc-EXAMPLE"
                }
            }
        }
    ]
}
```

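The `codestar-notifications:NotificationsForResource` condition in the managed-policy statements earlier on this page, and the `codeconnections:VpcId` condition in the example just above, are what narrow an otherwise account-wide `"Resource": "*"` allow; the notes on the administrator-level and contributor-level notification policies describe what is granted when that condition is absent. The following Python script is an added illustration, not AWS's policy engine and not code from this guide: it models only the `Allow`/`Deny`, `Action`, `Resource`, `StringEquals`, and `StringLike` subset these policies use, and evaluates constructed requests (placeholder account ID, repository, project, and VPC IDs) against three statements taken from this page.

```python
# Added offline evaluator for the IAM subset these policies use (Allow/Deny, Action and
# Resource wildcards, StringEquals/StringLike on single-valued keys); not AWS's engine.
from fnmatch import fnmatchcase

def _matches(patterns, value):
    """IAM-style '*' and '?' wildcard match of a value against one pattern or a list."""
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatchcase(value, p) for p in pats)

def _condition_holds(condition, ctx):
    """Every operator/key pair must match; a key absent from the request never matches."""
    for op, pairs in condition.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            pats = want if isinstance(want, list) else [want]
            if op == "StringEquals":
                ok = have is not None and have in pats
            elif op == "StringLike":
                ok = have is not None and _matches(pats, have)
            else:
                raise ValueError(f"condition operator {op} is not modelled here")
            if not ok:
                return False
    return True

def is_allowed(statements, action, resource, ctx=None):
    """Default deny: a matching explicit Deny wins, otherwise any matching Allow grants."""
    ctx = ctx or {}
    allowed = False
    for st in statements:
        if (_matches(st["Action"], action) and _matches(st["Resource"], resource)
                and _condition_holds(st.get("Condition", {}), ctx)):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

# Constructed sample request values (placeholder account ID and resource names).
CREATE_RULE = "codestar-notifications:CreateNotificationRule"
RES_KEY = "codestar-notifications:NotificationsForResource"
RULE_ARN = "arn:aws:codestar-notifications:us-east-1:111122223333:notificationrule/EXAMPLE"
REPO_ARN = "arn:aws:codecommit:us-east-1:111122223333:MyDemoRepo"
PROJECT_ARN = "arn:aws:codebuild:us-east-1:111122223333:project/MyDemoProject"
VPC_KEY = "codeconnections:VpcId"

# Statement from the CodeCommit full-access managed policy, with <vendor-code> filled in.
MANAGED_CODECOMMIT = [{"Effect": "Allow", "Action": [CREATE_RULE], "Resource": "*",
                       "Condition": {"StringLike": {RES_KEY: "arn:aws:codecommit:*"}}}]
# The administrator-level example policy on this page: same action, no Condition at all.
UNSCOPED_ADMIN = [{"Effect": "Allow", "Action": [CREATE_RULE], "Resource": "*"}]
# The VpcId example on this page.
VPC_SCOPED = [{"Effect": "Allow", "Resource": "*", "Condition": {"StringEquals": {VPC_KEY: "vpc-EXAMPLE"}},
               "Action": ["codeconnections:CreateHost", "codeconnections:UpdateHost"]}]

def evaluate_examples():
    """Allow (True) or deny (False) decisions for the requests this page's notes discuss."""
    host = "codeconnections:CreateHost"
    return {
        "managed_rule_for_codecommit_repo": is_allowed(MANAGED_CODECOMMIT, CREATE_RULE, RULE_ARN, {RES_KEY: REPO_ARN}),
        "managed_rule_for_codebuild_project": is_allowed(MANAGED_CODECOMMIT, CREATE_RULE, RULE_ARN, {RES_KEY: PROJECT_ARN}),
        "unscoped_rule_for_codebuild_project": is_allowed(UNSCOPED_ADMIN, CREATE_RULE, RULE_ARN, {RES_KEY: PROJECT_ARN}),
        "host_in_allowed_vpc": is_allowed(VPC_SCOPED, host, "*", {VPC_KEY: "vpc-EXAMPLE"}),
        "host_in_other_vpc": is_allowed(VPC_SCOPED, host, "*", {VPC_KEY: "vpc-0123456789abcdef0"}),
    }
```

Calling `evaluate_examples()` shows the managed-policy statement denying a rule for the CodeBuild project while the unscoped administrator example allows it, and the VPC-scoped statement denying `CreateHost` for any VPC other than `vpc-EXAMPLE`.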