

As of November 7, 2025, you can't create new repository associations in Amazon CodeGuru Reviewer. To learn about services with capabilities similar to CodeGuru Reviewer, see [Amazon CodeGuru Reviewer availability change](https://docs.aws.amazon.com/codeguru/latest/reviewer-ug/codeguru-reviewer-availability-change.html).

# Identity and access management in CodeGuru Reviewer

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be *authenticated* (signed in) and *authorized* (have permissions) to use CodeGuru Reviewer resources. IAM is an AWS service that you can use with no additional charge.

**Topics**
+ [Audience](#security_iam_audience)
+ [Authenticating with identities](#security_iam_authentication)
+ [Managing access using policies](#security_iam_access-manage)
+ [Overview of managing access permissions to your CodeGuru Reviewer resources](security_iam_service-with-iam.md)
+ [Using identity-based policies for CodeGuru Reviewer](auth-and-access-control-iam-identity-based-access-control.md)
+ [Using tags to control access to Amazon CodeGuru Reviewer associated repositories](auth-and-access-control-using-tags.md)
+ [Amazon CodeGuru Reviewer permissions reference](auth-and-access-control-permissions-reference.md)
+ [Troubleshooting CodeGuru Reviewer identity and access](security_iam_troubleshoot.md)

## Audience


How you use AWS Identity and Access Management (IAM) differs based on your role:
+ **Service user** - request permissions from your administrator if you cannot access features (see [Troubleshooting CodeGuru Reviewer identity and access](security_iam_troubleshoot.md))
+ **Service administrator** - determine user access and submit permission requests (see [Overview of managing access permissions to your CodeGuru Reviewer resources](security_iam_service-with-iam.md))
+ **IAM administrator** - write policies to manage access (see [Customer managed policy examples](auth-and-access-control-iam-identity-based-access-control.md#security_iam_id-based-policy-examples))

## Authenticating with identities


Authentication is how you sign in to AWS using your identity credentials. You must be authenticated as the AWS account root user, an IAM user, or by assuming an IAM role.

You can sign in as a federated identity using credentials from an identity source like AWS IAM Identity Center (IAM Identity Center), single sign-on authentication, or Google/Facebook credentials. For more information about signing in, see [How to sign in to your AWS account](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*.

For programmatic access, AWS provides an SDK and CLI to cryptographically sign requests. For more information, see [AWS Signature Version 4 for API requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html) in the *IAM User Guide*.

### AWS account root user


When you create an AWS account, you begin with one sign-in identity called the AWS account *root user* that has complete access to all AWS services and resources. We strongly recommend that you don't use the root user for everyday tasks. For tasks that require root user credentials, see [Tasks that require root user credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks) in the *IAM User Guide*.

### Federated identity


As a best practice, require human users to use federation with an identity provider to access AWS services using temporary credentials.

A *federated identity* is a user from your enterprise directory, web identity provider, or Directory Service that accesses AWS services using credentials from an identity source. Federated identities assume roles that provide temporary credentials.

For centralized access management, we recommend AWS IAM Identity Center. For more information, see [What is IAM Identity Center?](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) in the *AWS IAM Identity Center User Guide*.

### IAM users and groups


An *[IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html)* is an identity with specific permissions for a single person or application. We recommend using temporary credentials instead of IAM users with long-term credentials. For more information, see [Require human users to use federation with an identity provider to access AWS using temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) in the *IAM User Guide*.

An *[IAM group](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html)* specifies a collection of IAM users and makes permissions easier to manage for large sets of users. For more information, see [Use cases for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/gs-identities-iam-users.html) in the *IAM User Guide*.

### IAM roles


An *[IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)* is an identity with specific permissions that provides temporary credentials. You can assume a role by [switching from a user to an IAM role (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html) or by calling an AWS CLI or AWS API operation. For more information, see [Methods to assume a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage-assume.html) in the *IAM User Guide*.

IAM roles are useful for federated user access, temporary IAM user permissions, cross-account access, cross-service access, and applications running on Amazon EC2. For more information, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.

## Managing access using policies


You control access in AWS by creating policies and attaching them to AWS identities or resources. A policy defines permissions when associated with an identity or resource. AWS evaluates these policies when a principal makes a request. Most policies are stored in AWS as JSON documents. For more information about JSON policy documents, see [Overview of JSON policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json) in the *IAM User Guide*.

Using policies, administrators specify who has access to what by defining which **principal** can perform **actions** on what **resources**, and under what **conditions**.

By default, users and roles have no permissions. An IAM administrator creates IAM policies and adds them to roles, which users can then assume. IAM policies define permissions regardless of the method used to perform the operation.

### Identity-based policies


Identity-based policies are JSON permissions policy documents that you attach to an identity (user, group, or role). These policies control what actions identities can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.

Identity-based policies can be *inline policies* (embedded directly into a single identity) or *managed policies* (standalone policies attached to multiple identities). To learn how to choose between managed and inline policies, see [Choose between managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-choosing-managed-or-inline.html) in the *IAM User Guide*.

### Resource-based policies


Resource-based policies are JSON policy documents that you attach to a resource. Examples include IAM *role trust policies* and Amazon S3 *bucket policies*. In services that support resource-based policies, service administrators can use them to control access to a specific resource. You must [specify a principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in a resource-based policy.

Resource-based policies are inline policies that are located in that service. You can't use AWS managed policies from IAM in a resource-based policy.

### Other policy types


AWS supports additional policy types that can set the maximum permissions granted by more common policy types:
+ **Permissions boundaries** – Set the maximum permissions that an identity-based policy can grant to an IAM entity. For more information, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.
+ **Service control policies (SCPs)** – Specify the maximum permissions for an organization or organizational unit in AWS Organizations. For more information, see [Service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the *AWS Organizations User Guide*.
+ **Resource control policies (RCPs)** – Set the maximum available permissions for resources in your accounts. For more information, see [Resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html) in the *AWS Organizations User Guide*.
+ **Session policies** – Advanced policies passed as a parameter when creating a temporary session for a role or federated user. For more information, see [Session policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) in the *IAM User Guide*.

### Multiple policy types


When multiple types of policies apply to a request, the resulting permissions are more complicated to understand. To learn how AWS determines whether to allow a request when multiple policy types are involved, see [Policy evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html) in the *IAM User Guide*.

# Overview of managing access permissions to your CodeGuru Reviewer resources

Every AWS resource is owned by an AWS account, and permissions to create or access a resource are governed by permissions policies. An account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles). 

**Note**  
An account administrator (or administrator user) is a user with administrator privileges. For more information, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.

When you grant permissions, you decide who is getting the permissions, the resources they can access, and the actions that can be performed on those resources.

**Topics**
+ [CodeGuru Reviewer resources and operations](#arn-formats)
+ [Understanding resource ownership](#understanding-resource-ownership)
+ [Managing access to resources](#managing-access-resources)
+ [Specifying policy elements: actions, effects, and principals](#actions-effects-principals)

## CodeGuru Reviewer resources and operations

In Amazon CodeGuru Reviewer, the primary resources are repository associations and code reviews. In a policy, you use an Amazon Resource Name (ARN) to identify the resource the policy applies to. In the following ARNs, the repository association ID and the code review ID are universally unique identifiers (UUIDs). For more information, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *Amazon Web Services General Reference*.


| Resource type | ARN format | 
| --- | --- | 
| [Repository association](https://docs.aws.amazon.com/codeguru/latest/reviewer-api/API_RepositoryAssociation.html) |  `arn:aws:codeguru-reviewer:region-ID:account-ID:association:repository-association-uuid`  | 
| [Code review](https://docs.aws.amazon.com/codeguru/latest/reviewer-api/API_CodeReview.html) |  `arn:aws:codeguru-reviewer:region-ID:account-ID:code-review:code-review-uuid`  | 

For example, you can indicate a specific repository association with id *my-repository-association-id* in your statement using its ARN, as follows.

```
"Resource": "arn:aws:codeguru-reviewer:us-east-2:123456789012:association:my-repository-association-id"
```

To specify all resources, or if an API action does not support ARNs, use the wildcard character (`*`) in the `Resource` element, as follows.

```
"Resource": "*"
```

To specify multiple resources in a single statement, separate their ARNs with commas, as follows.

```
"Resource": [
     "arn:aws:codeguru-reviewer:us-east-2:123456789012:association:my-repository-association-id-1",
     "arn:aws:codeguru-reviewer:us-east-2:123456789012:association:my-repository-association-id-2"
   ]
```

CodeGuru Reviewer provides a set of operations to work with the CodeGuru Reviewer resources. For a list, see [Amazon CodeGuru Reviewer permissions reference](auth-and-access-control-permissions-reference.md).

## Understanding resource ownership


The AWS account owns the resources that are created in it, regardless of who created the resources. Specifically, the resource owner is the AWS account of the [principal entity](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html) (that is, the root account, user, or an IAM role) that authenticates the resource creation request. The following examples illustrate how this works:
+ If you use the root account credentials of your AWS account to create a CodeGuru Reviewer resource, your AWS account is the owner of that resource.
+ If you grant permissions to create CodeGuru Reviewer resources to a user, the user can create CodeGuru Reviewer resources. However, your AWS account, to which the user belongs, owns the CodeGuru Reviewer resources.
+ If you create an IAM role in your AWS account with permissions to create CodeGuru Reviewer resources, anyone who can assume the role can create CodeGuru Reviewer resources. Your AWS account, to which the role belongs, owns the CodeGuru Reviewer resources.

## Managing access to resources


A permissions policy describes who has access to which resources. 

**Note**  
This section discusses the use of IAM in CodeGuru Reviewer. It doesn't provide detailed information about the IAM service. For complete IAM documentation, see [What is IAM?](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) in the *IAM User Guide*. For information about IAM policy syntax and descriptions, see [IAM JSON policy reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.

Policies attached to an IAM identity are referred to as *identity-based policies* (IAM policies). Policies attached to a resource are referred to as *resource-based policies*. CodeGuru Reviewer supports identity-based policies (IAM policies) only.

### Identity-based policies


You can attach policies to IAM identities. To grant a user permissions to view repository associations and code reviews in the CodeGuru Reviewer console, you can attach a permissions policy to a role that the user has. For IAM best practices, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.

In CodeGuru Reviewer, identity-based policies are used to manage permissions to the resources related to associated repositories and code reviews. For example, you can control access to code reviews.

You can create IAM policies to restrict the calls and resources that users in your account have access to, and then attach those policies to IAM roles that users can use. For more information about how to create IAM roles and to explore example IAM policy statements for CodeGuru Reviewer, see [Customer managed policy examples](auth-and-access-control-iam-identity-based-access-control.md#security_iam_id-based-policy-examples). 

## Specifying policy elements: actions, effects, and principals


For each CodeGuru Reviewer resource, the service defines a set of API operations. To grant permissions for these API operations, CodeGuru Reviewer defines a set of actions that you can specify in a policy. Some API operations can require permissions for more than one action to perform the API operation. For more information, see [CodeGuru Reviewer resources and operations](#arn-formats) and [Amazon CodeGuru Reviewer permissions reference](auth-and-access-control-permissions-reference.md).

The following are the basic policy elements:
+ **Resource** – You use an ARN to identify the resource that the policy applies to.
+ **Action** – You use action keywords to identify resource operations to allow or deny. For example, the `codeguru-reviewer:DisassociateRepository` permission gives the user permissions to perform the [`DisassociateRepository`](https://docs.aws.amazon.com/codeguru/latest/reviewer-api/API_DisassociateRepository.html) operation.
+ **Effect** – You specify the effect, either allow or deny, when the user requests the action. If you don't explicitly grant access to (allow) a resource, access is implicitly denied. You can also explicitly deny access to a resource. You might do this to make sure that a user cannot access a resource, even if a different policy grants access.
+ **Principal** – In identity-based policies (IAM policies), the user the policy is attached to is the implicit principal. For resource-based policies, you specify the user, account, service, or other entity that you want to receive permissions.

To learn more about IAM policy syntax and descriptions, see [IAM JSON policy reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.

For a table showing all of the CodeGuru Reviewer API actions and the resources they apply to, see [Amazon CodeGuru Reviewer permissions reference](auth-and-access-control-permissions-reference.md).

# Using identity-based policies for CodeGuru Reviewer

By default, users and IAM roles don't have permission to create or modify Amazon CodeGuru Reviewer resources. They also can't perform tasks using the AWS Management Console, AWS CLI, or AWS API. An administrator must create IAM policies that grant users and roles permission to perform specific API operations on the specified resources they need. The administrator must then attach those policies to the roles or groups that require those permissions. To learn how to attach policies to an IAM role or group, see [Adding and removing IAM identity permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) in the *IAM User Guide*.

To learn how to create an IAM identity-based policy using these example JSON policy documents, see [Creating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-json-editor) in the *IAM User Guide*.

**Topics**
+ [Policy best practices](#security_iam_service-with-iam-policy-best-practices)
+ [Permissions required to use the CodeGuru Reviewer console](#console-permissions)
+ [AWS managed (predefined) policies for CodeGuru Reviewer](#managed-policies)
+ [CodeGuru Reviewer updates to AWS managed policies](#security-iam-awsmanpol-updates)
+ [Customer managed policy examples](#security_iam_id-based-policy-examples)

## Policy best practices


Identity-based policies determine whether someone can create, access, or delete CodeGuru Reviewer resources in your account. These actions can incur costs for your AWS account. When you create or edit identity-based policies, follow these guidelines and recommendations:
+ **Get started with AWS managed policies and move toward least-privilege permissions** – To get started granting permissions to your users and workloads, use the *AWS managed policies* that grant permissions for many common use cases. They are available in your AWS account. We recommend that you reduce permissions further by defining AWS customer managed policies that are specific to your use cases. For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) or [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.
+ **Apply least-privilege permissions** – When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as *least-privilege permissions*. For more information about using IAM to apply permissions, see [Policies and permissions in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.
+ **Use conditions in IAM policies to further restrict access** – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific AWS service, such as CloudFormation. For more information, see [IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*.
+ **Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions** – IAM Access Analyzer validates new and existing policies so that the policies adhere to the IAM policy language (JSON) and IAM best practices. IAM Access Analyzer provides more than 100 policy checks and actionable recommendations to help you author secure and functional policies. For more information, see [Validate policies with IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html) in the *IAM User Guide*.
+ **Require multi-factor authentication (MFA)** – If you have a scenario that requires IAM users or a root user in your AWS account, turn on MFA for additional security. To require MFA when API operations are called, add MFA conditions to your policies. For more information, see [Secure API access with MFA](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html) in the *IAM User Guide*.

For more information about best practices in IAM, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.

## Permissions required to use the CodeGuru Reviewer console


A user who uses the CodeGuru Reviewer console must have a minimum set of permissions that allows the user to describe other AWS resources for the AWS account. You must have permissions from the following services:
+ CodeGuru Reviewer
+ AWS CodeCommit (if your source code is in a CodeCommit repository)
+ CodeConnections (if your source code is in a repository managed by CodeConnections, such as Bitbucket)
+ AWS Identity and Access Management (IAM)

If your source code is in a GitHub repository, you must have an OAuth token to connect to it. Associated GitHub repositories are not managed by CodeConnections. For more information, see [Git automation with OAuth tokens](https://help.github.com/en/github/extending-github/git-automation-with-oauth-tokens#step-1-get-an-oauth-token) on the GitHub website. 

If you create an IAM policy that is more restrictive than the minimum required permissions, the console won't function as intended.

The following shows an example of a permissions policy that allows a user to get information about a repository association only in the `us-east-2` Region for account `123456789012` for any repository association with a universally unique identifier (UUID) that starts with `12345`.
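The policy described above, written out here as an added example rather than the listing from the original guide. It uses the page's account ID, Region and `12345` UUID prefix, and assumes that "get information about a repository association" maps to the `codeguru-reviewer:DescribeRepositoryAssociation` action; the `Sid` is a label chosen for this example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AddedExampleDescribeAssociationsWithUuidPrefix12345",
      "Effect": "Allow",
      "Action": "codeguru-reviewer:DescribeRepositoryAssociation",
      "Resource": "arn:aws:codeguru-reviewer:us-east-2:123456789012:association:12345*"
    }
  ]
}
```

The trailing `*` in the ARN matches any association ID that begins with `12345`, so the Region and account fields do the narrowing while the ID field stays open-ended. On its own this statement is narrower than the minimum console permissions listed above, so attach it to illustrate resource scoping, not as the only policy a console user carries.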

## AWS managed (predefined) policies for CodeGuru Reviewer


AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. These AWS managed policies grant necessary permissions for common use cases so you can avoid having to investigate what permissions are needed. For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

To create and manage CodeGuru Reviewer service roles, you must also attach the AWS managed policy named `IAMFullAccess`.

You can also create your own custom IAM policies to allow permissions for CodeGuru Reviewer actions and resources. You can attach these custom policies to the roles or groups that require those permissions.

The following AWS managed policies, which you can attach to users in your account, are specific to CodeGuru Reviewer.

**Topics**
+ [AmazonCodeGuruReviewerFullAccess](#managed-full-access)
+ [AmazonCodeGuruReviewerReadOnlyAccess](#managed-read-only-access)
+ [AmazonCodeGuruReviewerServiceRolePolicy](#managed-policy-for-codecommit-and-codestar-connections)

### AmazonCodeGuruReviewerFullAccess


`AmazonCodeGuruReviewerFullAccess` – Provides full access to CodeGuru Reviewer, including permissions to tag repository associations and to create, update, and delete code reviews and repository associations. It also grants permission to related resources in other services that integrate with CodeGuru Reviewer, such as Amazon CloudWatch, CodeConnections, and CodeCommit. Apply this only to administrative-level users to whom you want to grant full control over CodeGuru Reviewer repository associations, code reviews, and related resources in your AWS account, including the ability to delete code reviews and repository associations.

The `AmazonCodeGuruReviewerFullAccess` policy contains the following statement.

### AmazonCodeGuruReviewerReadOnlyAccess


`AmazonCodeGuruReviewerReadOnlyAccess` – Grants read-only access to CodeGuru Reviewer and related resources in other AWS services. Apply this policy to users who you want to grant the ability to view code reviews, but not to create or make any changes to them. 

The `AmazonCodeGuruReviewerReadOnlyAccess` policy contains the following statement.

### AmazonCodeGuruReviewerServiceRolePolicy


`AmazonCodeGuruReviewerServiceRolePolicy` – Grants permission to related resources in CodeCommit, CodeConnections, Amazon S3, and CloudWatch that are required to create repository associations. 

For CodeCommit repository associations, the CodeCommit and CloudWatch permissions in this policy are required. For associations with repositories that are managed by an AWS CodeStar connection, such as Bitbucket, the CodeConnections permissions are required. For code reviews with security analysis, the Amazon S3 permissions are required.

When you create your first association with a CodeCommit, Amazon S3, or CodeConnections managed repository, CodeGuru Reviewer adds the `AmazonCodeGuruReviewerServiceRolePolicy` policy to your AWS account. This policy grants CodeGuru Reviewer access to CodeCommit repositories and CodeConnections resources in your account that have an `aws:ResourceTag/codeguru-reviewer` tag. It also grants access to Amazon S3 buckets whose names begin with the prefix `codeguru-reviewer-`. When you associate a CodeCommit repository, CodeGuru Reviewer adds this tag to the repository. When you associate a CodeConnections managed repository, CodeGuru Reviewer adds this tag to the CodeConnections resource if it doesn't already exist.

The `AmazonCodeGuruReviewerServiceRolePolicy` policy contains the following statement.

## CodeGuru Reviewer updates to AWS managed policies

View details about updates to AWS managed policies for CodeGuru Reviewer since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the [Amazon CodeGuru Reviewer User Guide document history](doc-history.md) page.

| Change | Description | Date | 
| --- | --- | --- | 
|  [AmazonCodeGuruReviewerServiceRolePolicy](#managed-policy-for-codecommit-and-codestar-connections) – Update to an existing policy  |  CodeGuru Reviewer added new permissions to allow access to the `CreateBucket`, `ListBucket`, `PutBucketPolicy`, and `PutLifecycleConfiguration` actions on an Amazon S3 bucket resource.  | April 28, 2021 | 
|  CodeGuru Reviewer started tracking changes  |  CodeGuru Reviewer started tracking changes for its AWS managed policies.  | July 2, 2020 | 

## Customer managed policy examples


You can create your own custom IAM policies to allow permissions for CodeGuru Reviewer actions and resources. You can attach these custom policies to the roles or groups that require those permissions. You can also create your own custom IAM policies for integration between CodeGuru Reviewer and other AWS services. 

The following example IAM policies grant permissions for various CodeGuru Reviewer actions. Use them to limit CodeGuru Reviewer access for your users and roles. These policies control the ability to perform actions with the CodeGuru Reviewer console, API, AWS SDKs, or the AWS CLI. 

**Note**  
All examples use the US East (Ohio) Region (us-east-2) and contain fictitious account IDs.

**Examples**
+ [Example 1: Allow a user to see all recommendations created in an associated repository](#identity-based-policies-example-1)
+ [Example 2: Allow a user to view code reviews in an associated repository in a single Region](#identity-based-policies-example-2)
+ [Example 3: Allow a user to perform CodeGuru Reviewer operations in a single Region](#identity-based-policies-example-3)
+ [Example 4: Allow read-only access to CodeGuru Reviewer operations for a user connecting from a specified IP address range](#identity-based-policies-example-4)

### Example 1: Allow a user to see all recommendations created in an associated repository


The following example policy grants permissions for the AWS user with account ID `123456789012` to see a list of all recommendations in their AWS account and Region in the repository association with ID `association-uuid`.

### Example 2: Allow a user to view code reviews in an associated repository in a single Region


The following shows an example of a permissions policy that allows a user with account ID `123456789012` to get information about code reviews in Region `us-east-2` in an associated repository with ID `association-uuid`.
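Examples 1 and 2 each describe a single-statement policy. Both are written out below as one added example policy (not the original guide's listings), one `Sid` per example. It assumes that "see a list of all recommendations" maps to `codeguru-reviewer:ListRecommendations` and "get information about code reviews" to `codeguru-reviewer:DescribeCodeReview`, and it scopes each statement to the association ARN exactly as the two paragraphs describe; `association-uuid` is the page's placeholder and the `Sid` values are labels chosen here.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Example1ListRecommendationsInOneAssociation",
      "Effect": "Allow",
      "Action": "codeguru-reviewer:ListRecommendations",
      "Resource": "arn:aws:codeguru-reviewer:us-east-2:123456789012:association:association-uuid"
    },
    {
      "Sid": "Example2DescribeCodeReviewsInOneAssociation",
      "Effect": "Allow",
      "Action": "codeguru-reviewer:DescribeCodeReview",
      "Resource": "arn:aws:codeguru-reviewer:us-east-2:123456789012:association:association-uuid"
    }
  ]
}
```

Both actions operate on code reviews, and the ARN table earlier on this page lists a separate `code-review:` resource type, so before relying on association-level scoping check the resource types each action accepts in the [Amazon CodeGuru Reviewer permissions reference](auth-and-access-control-permissions-reference.md); if an action expects a code review ARN, widen the `Resource` element to the code review ARNs you intend to expose. The Region restriction in Example 2 comes entirely from the `us-east-2` field of the ARN.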

### Example 3: Allow a user to perform CodeGuru Reviewer operations in a single Region


The following permissions policy uses a wildcard character (`"codeguru-reviewer:*"`) to allow users to perform all CodeGuru Reviewer actions in the us-east-2 Region but not in any other AWS Region.
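The policy described above, written out as an added example (not the original guide's listing). It uses the `aws:RequestedRegion` global condition key to pin the grant to `us-east-2`; the `Sid` is a label chosen for this example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Example3AllCodeGuruReviewerActionsInUsEast2Only",
      "Effect": "Allow",
      "Action": "codeguru-reviewer:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "us-east-2"
        }
      }
    }
  ]
}
```

The Region is enforced with a condition rather than by filling in the Region field of an ARN because, as the resources section above notes, some API actions do not support ARNs and need `"Resource": "*"`; a condition on the request covers those actions too. A request for any other Region falls through to the implicit deny.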

### Example 4: Allow read-only access to CodeGuru Reviewer operations for a user connecting from a specified IP address range


You can create a policy that allows users read-only access to CodeGuru Reviewer only if their IP address is within a certain IP address range. The following example grants read-only CodeGuru Reviewer permissions to users whose IP addresses are within the specified IP address block of 203.0.113.0/24.
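The policy described above, written out as an added example (not the original guide's listing). It assumes that the read-only operations are the ones whose names begin with `Describe` and `List`, and expresses them with action wildcards; the `Sid` is a label chosen for this example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Example4ReadOnlyFromAllowedAddressRange",
      "Effect": "Allow",
      "Action": [
        "codeguru-reviewer:Describe*",
        "codeguru-reviewer:List*"
      ],
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}
```

`aws:SourceIp` is the public address the request arrives from, so callers inside the range get read access and everyone else falls through to the implicit deny. Requests that reach the service through a VPC endpoint do not present the caller's public address in `aws:SourceIp`, so a policy like this one does not grant them access. Action wildcards keep the statement short and automatically cover read operations added later, at the cost of being less explicit than a named list.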

# Using tags to control access to Amazon CodeGuru Reviewer associated repositories
Using tags to control access to associated repositories

Conditions in IAM policy statements are part of the syntax that you can use to specify permissions to CodeGuru Reviewer associated repository-based actions. You can create a policy that allows or denies actions on associated repositories based on the tags associated with those associated repositories, and then apply those policies to the IAM groups you configure for managing users. For information about applying tags to an associated repository using the console or AWS CLI, see [Add a tag to a CodeGuru Reviewer associated repository](how-to-tag-associated-repositories-add.md). For information about applying tags using the CodeGuru Reviewer SDK, see [AssociateRepository](https://docs.aws.amazon.com/codeguru/latest/reviewer-api/API_AssociateRepository.html#API_AssociateRepository_RequestSyntax) in the *Amazon CodeGuru Reviewer API Reference*. For information about using tags to control access to AWS resources, see [Controlling Access to AWS Resources Using Resource Tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html) in the *IAM User Guide*.

You can directly use tags on an associated repository to affect permissions on the following CodeGuru Reviewer API operations: 
+  `AssociateRepository` 
+  `DescribeRepositoryAssociation` 
+  `DisassociateRepositoryAssociation` 

You can use tags on an associated repository to indirectly affect permissions on a code review that belongs to the associated repository. Use tags on an associated repository to affect permissions on the following CodeGuru Reviewer API operations that are related to code reviews: 
+  `CreateCodeReview` 
+  `ListRecommendations` 
+  `DescribeCodeReview` 

**Example 1: Limit CodeGuru Reviewer associated repository actions based on request tags**  
The following policy denies users permission to the `DisassociateRepositoryAssociation` action if the request contains a tag with the key `ViewAssocatedRepositoryDetails` and the value `DenyViewRepository`. In addition, the policy prevents these users from disassociating repositories by using the `aws:TagKeys` condition key to disallow `DisassociationAllowed` when the request contains a tag with the key `DenyDisassociate`. An administrator must attach this IAM policy, in addition to the managed user policy, to users who are not authorized to perform these actions. The `aws:RequestTag` condition key is used to control which tags can be passed in an IAM request.
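An added example built on the two request-tag condition keys named above; it is not the documentation's own policy. `aws:RequestTag` and `aws:TagKeys` are populated only by requests that actually carry tags, which for CodeGuru Reviewer are `AssociateRepository` and `TagResource` (the operations the sections above list as tag-aware), so the example attaches the conditions to those operations: that is what keeps the `DenyViewRepository` value and the `DenyDisassociate` key from being placed on an association by an unauthorized user in the first place. The tag key is spelled exactly as the text gives it.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyReservedTagValueInRequests",
      "Effect": "Deny",
      "Action": [
        "codeguru-reviewer:AssociateRepository",
        "codeguru-reviewer:TagResource"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/ViewAssocatedRepositoryDetails": "DenyViewRepository"
        }
      }
    },
    {
      "Sid": "DenyReservedTagKeyInRequests",
      "Effect": "Deny",
      "Action": [
        "codeguru-reviewer:AssociateRepository",
        "codeguru-reviewer:TagResource"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": ["DenyDisassociate"]
        }
      }
    }
  ]
}
```

`ForAnyValue:StringEquals` is required for `aws:TagKeys` because it is a multi-valued key (one request can carry several tags); the statement matches as soon as any of them is `DenyDisassociate`. A condition on `aws:RequestTag` placed on an operation that sends no tags never matches, so a `Deny` written that way would be inert.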

**Example 2: Deny or allow actions on code reviews based on their associated repository's resource tags**  
You can create a policy that allows or denies actions on CodeGuru Reviewer code reviews by using the CodeGuru Reviewer tags that are added to their associated repositories. An associated repository contains code reviews, and you can use tags on the associated repository to affect permissions on its code reviews. For example, you can create a policy that denies users the ability to view recommendations created by code reviews in an associated repository. The following policy denies a user in AWS account 123456789012 the ability to view, in the AWS Region us-west-2, recommendations created by code reviews in any associated repository that has a `Recommendation` tag with the value `Secret`.
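The deny described above, as an added example rather than the documentation's policy. The account ID, Region, tag key and tag value are the ones given in the text; the `aws:ResourceTag` global condition key is assumed as the way to read the association's tags, and the resource ARN uses the association ARN format from the permissions reference below with a wildcard for the association ID.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRecommendationsForSecretRepositories",
      "Effect": "Deny",
      "Action": "codeguru-reviewer:ListRecommendations",
      "Resource": "arn:aws:codeguru-reviewer:us-west-2:123456789012:association:*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Recommendation": "Secret"
        }
      }
    }
  ]
}
```

Because an explicit `Deny` overrides any `Allow`, this policy can sit next to a broad read-only policy and still guarantee that recommendations from tagged associations are hidden. Whoever can call `TagResource` on the association can lift the restriction by changing the tag, so the tag-write permission needs to be limited at least as tightly as this one.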

**Example 3: Limit all possible CodeGuru Reviewer actions to associated repositories based on resource tags**  
You can create policies that selectively allow CodeGuru Reviewer actions on all associated repositories that are not tagged with specific tags. For example, the following policy allows you to associate, disassociate, and view the details of associated repositories that are not tagged with the specified tags:
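An added example of that pattern (not the documentation's own policy). The tag key `Classification` and value `Restricted` are placeholders chosen for the example; the account ID `123456789012` is the placeholder used elsewhere on this page. Associating a repository creates a new resource that has no tags yet, so that statement checks the tags in the request with `aws:RequestTag`, while the statements for existing associations check `aws:ResourceTag`.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AssociateUnlessRequestTagsRestricted",
      "Effect": "Allow",
      "Action": "codeguru-reviewer:AssociateRepository",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestTag/Classification": "Restricted"
        }
      }
    },
    {
      "Sid": "ViewAndDisassociateUnlessResourceTagsRestricted",
      "Effect": "Allow",
      "Action": [
        "codeguru-reviewer:DescribeRepositoryAssociation",
        "codeguru-reviewer:DisassociateRepository"
      ],
      "Resource": "arn:aws:codeguru-reviewer:*:123456789012:association:*",
      "Condition": {
        "StringNotEquals": {
          "aws:ResourceTag/Classification": "Restricted"
        }
      }
    }
  ]
}
```

`StringNotEquals` evaluates to true when the condition key is absent, so associations that carry no `Classification` tag at all are allowed, which is the "not tagged with the specified tags" behaviour the text describes. If the intent were instead to allow only explicitly approved associations, the condition would have to be a positive `StringEquals` on an approved value.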

# Amazon CodeGuru Reviewer permissions reference
CodeGuru Reviewer permissions reference

You can use AWS condition keys in your CodeGuru Reviewer policies to express conditions. For a list, see [IAM JSON policy elements reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#AvailableKeys) in the *IAM User Guide*. 

You specify the actions in the policy's `Action` field. To specify an action, use the `codeguru-reviewer:` prefix followed by the API operation name (for example, `codeguru-reviewer:AssociateRepository` and `codeguru-reviewer:DisassociateRepository`). To specify multiple actions in a single statement, separate them with commas (for example, `"Action": [ "codeguru-reviewer:AssociateRepository", "codeguru-reviewer:DisassociateRepository" ]`). 

**Using wildcard characters**

You specify an Amazon Resource Name (ARN), with or without a wildcard character (`*`), as the resource value in the policy's `Resource` field. You can use a wildcard to specify multiple actions or resources. For example, `codeguru-reviewer:*` specifies all CodeGuru Reviewer actions and `codeguru-reviewer:List*` specifies all CodeGuru Reviewer actions that begin with the word `List`. The following example refers to all repository associations with a universally unique identifier (UUID) that begins with `PullRequest-GITHUB`.

```
arn:aws:codeguru-reviewer:us-east-2:123456789012:association:PullRequest-GITHUB*
```

You can use the following table as a reference when you are setting up [Authenticating with identities](auth-and-access-control.md#security_iam_authentication) and writing permissions policies that you can attach to an IAM identity (identity-based policies). 


**CodeGuru Reviewer API operations and required permissions for actions**  

| CodeGuru Reviewer API operations | Required permissions (API actions) | Resources | 
| --- | --- | --- | 
| AssociateRepository |  `codeguru-reviewer:AssociateRepository` Required to associate a repository with CodeGuru Reviewer.  |  `*`  | 
| CreateCodeReview |  `codeguru-reviewer:CreateCodeReview` Required to create a code review to analyze all code under a specified branch in an associated repository.  |  `arn:aws:codeguru-reviewer:region-ID:account-ID:association:repository-association-uuid`  | 
| DescribeCodeReview |  `codeguru-reviewer:DescribeCodeReview` Required to view information about a code review, including its status.  |  `arn:aws:codeguru-reviewer:region-ID:account-ID:association:repository-association-uuid`  | 
| DescribeRecommendationFeedback |  `codeguru-reviewer:DescribeRecommendationFeedback` Required to view customer feedback about a recommendation.  |  `arn:aws:codeguru-reviewer:region-ID:account-ID:association:repository-association-uuid`  | 
| DescribeRepositoryAssociation |  `codeguru-reviewer:DescribeRepositoryAssociation` Required to view information about a repository association and its status details.  |  `arn:aws:codeguru-reviewer:region-ID:account-ID:association:repository-association-uuid`  | 
| DisassociateRepository |  `codeguru-reviewer:DisassociateRepository` Required to remove the association between CodeGuru Reviewer and a repository.  |  `arn:aws:codeguru-reviewer:region-ID:account-ID:association:repository-association-uuid`  | 
| ListCodeReviews |  `codeguru-reviewer:ListCodeReviews` Required to view the names of all code reviews in the current AWS account that were created in the past 90 days.  |  `*`  | 
| ListRecommendationFeedback |  `codeguru-reviewer:ListRecommendationFeedback` Required to list all users' customer feedback for a code review recommendation.   |  `arn:aws:codeguru-reviewer:region-ID:account-ID:association:repository-association-uuid`  | 
| ListRecommendations |  `codeguru-reviewer:ListRecommendations` Required to view a list of all the recommendations for one completed code review.  |  `arn:aws:codeguru-reviewer:region-ID:account-ID:association:repository-association-uuid`  | 
| ListRepositoryAssociations |  `codeguru-reviewer:ListRepositoryAssociations` Required to list summary information about repository associations.   |  `arn:aws:codeguru-reviewer:region-ID:account-ID:association:repository-association-uuid`  | 
| ListTagsForResource |  `codeguru-reviewer:ListTagsForResource` Required to list tags associated with an associated repository ARN.  |  `arn:aws:codeguru-reviewer:region-ID:account-ID:association:repository-association-uuid`  | 
| PutRecommendationFeedback |  `codeguru-reviewer:PutRecommendationFeedback` Required to store feedback for a code review recommendation.   |  `arn:aws:codeguru-reviewer:region-ID:account-ID:association:repository-association-uuid`  | 
| TagResource |  `codeguru-reviewer:TagResource` Required for adding one or more tags to an associated repository.   |  `arn:aws:codeguru-reviewer:region-ID:account-ID:association:repository-association-uuid`  | 
| UnTagResource |  `codeguru-reviewer:UnTagResource` Required for removing a tag from an associated repository.   |  `arn:aws:codeguru-reviewer:region-ID:account-ID:association:repository-association-uuid`  | 

# Troubleshooting CodeGuru Reviewer identity and access
Troubleshooting

Use the following information to help you diagnose and fix common issues that you might encounter when working with Amazon CodeGuru Reviewer and IAM.

**Topics**
+ [

## I am not authorized to perform an action in CodeGuru Reviewer
](#security_iam_troubleshoot-no-permissions)
+ [

## I am not authorized to perform iam:PassRole
](#security_iam_troubleshoot-passrole)

## I am not authorized to perform an action in CodeGuru Reviewer

If the AWS Management Console tells you that you're not authorized to perform an action, you must contact your administrator for assistance.

The following example error occurs when the user `mateojackson` tries to use the console to view details about a code review, but does not have `codeguru-reviewer:DescribeCodeReview` permissions.

```
User: arn:aws:iam::123456789012:user/mateojackson is not authorized to perform: 
            codeguru-reviewer:DescribeCodeReview on resource: my-example-code-review
```

In this case, Mateo asks his administrator to update his policies to allow him to access the `my-example-code-review` resource using the `codeguru-reviewer:DescribeCodeReview` action.

## I am not authorized to perform iam:PassRole

If you receive an error that you're not authorized to perform the `iam:PassRole` action, your policies must be updated to allow you to pass a role to CodeGuru Reviewer.

Some AWS services allow you to pass an existing role to that service instead of creating a new service role or service-linked role. To do this, you must have permissions to pass the role to the service.

The following example error occurs when an IAM user named `marymajor` tries to use the console to perform an action in CodeGuru Reviewer. However, the action requires the service to have permissions that are granted by a service role. Mary does not have permissions to pass the role to the service.

```
User: arn:aws:iam::123456789012:user/marymajor is not authorized to perform: iam:PassRole
```

In this case, Mary's policies must be updated to allow her to perform the `iam:PassRole` action.
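An added example of the narrowest policy update that resolves this error; it is not taken from the documentation. The role name `codeguru-reviewer-service-role-placeholder` and the account ID `123456789012` are placeholders, and the `iam:PassedToService` value `codeguru-reviewer.amazonaws.com` is assumed to be the CodeGuru Reviewer service principal and should be confirmed against the service's current documentation before use.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PassOneRoleToCodeGuruReviewerOnly",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::123456789012:role/codeguru-reviewer-service-role-placeholder",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "codeguru-reviewer.amazonaws.com"
        }
      }
    }
  ]
}
```

Granting `iam:PassRole` on `Resource: "*"` is the common quick fix and is also the common privilege-escalation mistake, because it lets the user hand any role in the account to any service that accepts one. Pinning both the role ARN and the `iam:PassedToService` value confines the grant to exactly the role CodeGuru Reviewer needs.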

If you need help, contact your AWS administrator. Your administrator is the person who provided you with your sign-in credentials.