

Amazon CodeCatalyst will no longer be open to new customers starting on November 7, 2025. If you would like to use the service, please sign up prior to November 7, 2025. For more information, see [Migrating from Amazon CodeCatalyst](https://docs.aws.amazon.com/codecatalyst/latest/userguide/migration.html).

# Administering connected accounts
<a name="managing-accounts"></a>

To access resources in AWS related to your projects in CodeCatalyst, you must connect an AWS account to your space. The connected account can also be used as the billing account for the space if you choose to use a paid tier.

To do so, you must set up a connection between the AWS accounts and your space in CodeCatalyst. Creating a connection like this means that projects and workflows within your CodeCatalyst space can interact with resources in your AWS accounts. You must create one connection for each AWS account you want to use with your CodeCatalyst space.

After you create a connection, you can choose to associate AWS IAM roles with it.

Here is one possible flow for adding an AWS account in CodeCatalyst:

Li Juan has the Project administrator role in a CodeCatalyst project with a workflow that builds and deploys the application to AWS infrastructure in the cloud. To deploy to the AWS infrastructure, CodeCatalyst must use an authorized AWS account to access the AWS resources for the build action in the workflow. Li Juan works with Mary Major, who has the **Space administrator** role, and Mateo Jackson, who has AWS administrator permissions in the AWS account to create a connection between the space and the AWS account. Before creating the connection, Mateo Jackson creates an IAM role in that account called `codecatalyst-build-role` with the IAM permissions policy for the AWS Cloud Development Kit (AWS CDK) stack he wants to use to build the application in the AWS account.

As the next step, Mary Major edits the CodeCatalyst space settings, completes an authorization flow with Mateo Jackson, and adds the AWS account and role to the list of AWS accounts and roles available for the CodeCatalyst space. Li Juan uses the CodeCatalyst environments page to add the account and role to the environment for his CodeCatalyst project. Li Juan also adds the role Amazon Resource Name (ARN) to the `Role` field for the CodeCatalyst workflow YAML.

For steps for managing accounts in the CodeCatalyst console, see [Account connections](https://docs.aws.amazon.com//codecatalyst/latest/userguide/ipa-connect-account.html) in the CodeCatalyst User Guide.

**Topics**
+ [Adding an account connection for a space (in AWS)](#w2aac29c21)
+ [Removing an account from a space (in AWS)](managing-accounts-remove.md)
+ [Tagging account connections](managing-accounts-tag.md)
+ [Enabling or disabling project-restricted account connections](managing-accounts-restriction.md)

## Adding an account connection for a space (in AWS)
<a name="w2aac29c21"></a>

For steps for managing accounts in the CodeCatalyst console, see [Account connections](https://docs.aws.amazon.com//codecatalyst/latest/userguide/ipa-connect-account.html) in the CodeCatalyst User Guide.

For a space that supports AWS Builder ID users, you must specify a connected account to be the billing account for the space. For a space that supports identity federation, the space billing account defaults to the management account associated with the organization in AWS Organizations.

# Removing an account from a space (in AWS)
<a name="managing-accounts-remove"></a>

You can use the page for CodeCatalyst in AWS to remove an account that has been added to a space. For this procedure, using administrative permissions for the specific account you are managing, you sign in to the Amazon CodeCatalyst Spaces page in the AWS Management Console to remove an AWS account from your space. To remove an account that is a designated billing account for your CodeCatalyst space, make sure to first specify a new billing account.

An account that has been removed can be added again later, but you must create a new connection between the account and the space. You will need to re-associate any IAM roles to the added account.

A billing account must be designated for your CodeCatalyst space, even if usage for the space will not exceed the Free tier. Before you can remove a space for an account that is a designated billing account, you will need to add another account for your space.

**Important**  
While you can use these steps to remove an account, this is not recommended as the AWS Management Console doesn't show whether your account is connected to workflows in your space. Any existing workflows connected to this account won't work after the account is removed and must be configured again with another connected account from the CodeCatalyst console.

You must have the **Space administrator** or **Power user** role to manage account connections for your space.



**To remove an added account**

1. In the AWS Management Console, make sure you are logged in with the same account that you want to manage.

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your CodeCatalyst space. Choose **Settings**, and then choose **Billing**.

1. View the billing account information on the page to make sure the account you want to remove is not the designated billing account for the space. 

1. Choose **Manage billing in AWS**. This opens the Amazon CodeCatalyst Spaces page in the AWS Management Console. If you're prompted to log in, log in to AWS, and then choose the button again to load the page.

1. On the **Amazon CodeCatalyst Spaces** page, choose the space with the account that you want to remove. The details page for the space displays.

1. Choose **Remove space**.

1. In **Remove CodeCatalyst space from this account**, enter the space name to confirm. Choose **Remove**.

# Tagging account connections
<a name="managing-accounts-tag"></a>

Connections are represented by a connection resource Amazon Resource Name (ARN) that is unique to the connection between a specific AWS account and a specific space in CodeCatalyst.

Using tags, you can organize and control access to your resources with tag-based IAM policies. 
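The following identity-based policy is an added example, not part of the original page, showing how a tag on an account connection can gate who manages it. The tag key `team` and value `platform` are constructed for illustration; the `codecatalyst:` action names should be checked against the Service Authorization Reference for Amazon CodeCatalyst before use.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageOnlyConnectionsTaggedForThisTeam",
      "Effect": "Allow",
      "Action": [
        "codecatalyst:GetConnection",
        "codecatalyst:ListIamRolesForConnection",
        "codecatalyst:AssociateIamRoleToConnection",
        "codecatalyst:DisassociateIamRoleFromConnection",
        "codecatalyst:DeleteConnection"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/team": "platform"
        }
      }
    },
    {
      "Sid": "ProtectTheTagThatGrantsAccess",
      "Effect": "Deny",
      "Action": [
        "codecatalyst:TagResource",
        "codecatalyst:UntagResource"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": ["team"]
        }
      }
    }
  ]
}
```

The second statement matters as much as the first: if the same principal could add or remove the `team` tag, the tag condition would not be a meaningful access boundary.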

**Topics**
+ [Adding tags to account connections](#managing-accounts-tag-add)
+ [Editing tags of account connections](#managing-accounts-tag-edit)
+ [Removing tags from account connections](#managing-accounts-tag-remove)

## Adding tags to account connections
<a name="managing-accounts-tag-add"></a>

Use these steps to create and apply tags to an account connection.

**To add a tag**

1. Make sure you're signed in to the AWS Management Console with the AWS account for the account connection you want to manage.

1. If the **Details** page doesn't display, choose **Spaces**. From the list under **Amazon CodeCatalyst space**, choose the space that corresponds with the account connection you want to tag.

   The **Amazon CodeCatalyst space details** page displays.

1. Choose **Manage tags**. The **Manage tags** page displays.

1. Choose **Add tag**. Add a tag by entering a key and a value for the key-value pair.

1. Choose **Save changes**.

## Editing tags of account connections
<a name="managing-accounts-tag-edit"></a>

Use these steps to edit tags for your account connection resources.

**To edit a tag**

1. Make sure you're signed in to the AWS Management Console with the AWS account for the account connection you want to manage.

1. Open the Amazon CodeCatalyst page in the AWS Management Console at [https://us-west-2.console.aws.amazon.com/codecatalyst/home?region=us-west-2#/](https://us-west-2.console.aws.amazon.com/codecatalyst/home?region=us-west-2#/).

1. If the **Details** page doesn't display, from the side navigation, choose **Spaces**. From the list under **Amazon CodeCatalyst space**, choose the space that corresponds with the account connection you want to tag.

   The **Amazon CodeCatalyst space details** page displays.

1. Choose **Manage tags**. The **Manage tags** page displays.

1. In the row for the tag you want to edit, change the key-value pair by editing the key, the value, or both.

1. Choose **Save changes**.

## Removing tags from account connections
<a name="managing-accounts-tag-remove"></a>

Use these steps to remove tags for an account connection.

**To remove a tag**

1. Make sure you're signed in to the AWS Management Console with the AWS account for the account connection you want to manage.

1. Open the Amazon CodeCatalyst page in the AWS Management Console at [https://us-west-2.console.aws.amazon.com/codecatalyst/home?region=us-west-2#/](https://us-west-2.console.aws.amazon.com/codecatalyst/home?region=us-west-2#/).

1. If the **Details** page doesn't display, from the side navigation, choose **Spaces**. From the list under **Amazon CodeCatalyst space**, choose the space that corresponds with the account connection you want to tag.

   The **Amazon CodeCatalyst space details** page displays.

1. Choose **Manage tags**. The **Manage tags** page displays.

1. For each tag you want to remove, choose **Remove** on the row for that tag. You can remove multiple tags.

1. Choose **Save changes**.

# Enabling or disabling project-restricted account connections
<a name="managing-accounts-restriction"></a>

The default in CodeCatalyst is to add an AWS account connection to your space that is then made immediately available for all projects and resources in the space. You can configure account connections so that they are restricted to a specified set of projects. This allows you to restrict which projects have access to connected AWS accounts. The access can be restricted for account connections to workflows and VPC connections.

Connections are represented by a connection resource Amazon Resource Name (ARN) that is unique to the connection between a specific AWS account and a specific space in CodeCatalyst. The connection can be specified as restricted. A restricted account connection is not available for workflows or default VPCs in CodeCatalyst unless the project has been enabled for it.

## Considerations for project-restricted account connections
<a name="managing-accounts-restriction-considerations"></a>

The following considerations apply to project-restricted account connections.
+ You must have the **Space administrator** or **Power user** role to configure account connections for restriction.
  **Note**  
  With the **Power user** role, you can enable or disable project restrictions for an account, but you can only configure access for projects where you are a member.
+ Any other projects that are using the account, such as workflows in a separate project, will no longer be able to use the account. Make sure to update any projects using the restricted account with an account that is not restricted.
+ After specifying an account as enabled for restriction, you must explicitly enable the project or projects that will have access.
+ If you create a new project with an account connection that is enabled for project restriction, you will not be able to add the account connection to the new project's workflows until the project is enabled for the restricted account.

## Enabling project-restricted account connections
<a name="managing-accounts-restriction-add"></a>

Use these steps to enable an account for project restrictions and to specify projects where access is enabled.

**To enable project-restricted account connections**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your CodeCatalyst space. Choose **Settings**, and then choose **AWS accounts**.

   The **Accounts** page displays.

1. Choose the account that you want to restrict for your space. Workflows in projects and VPC connections for the space will not have access to the restricted account and its roles. Choose **Enable project restrictions**.

   **Note**  
   Only specified projects will be able to access the account connection.

1. Choose the project or projects where you want to enable access, and then choose **Enable**. The account connection is now restricted to the selected projects.

## Disabling project-restricted account connections
<a name="managing-accounts-restriction-remove"></a>

Use these steps to remove project restrictions for a connected account.

**To disable project-restricted account connections**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your CodeCatalyst space. Choose **Settings**, and then choose **Account connections**.

   The **Accounts** page displays.

1. Choose the project where you want to disable access, and then choose **Disable**. 

1. To completely disable project restrictions, choose **Disable project restrictions**.

   **Note**  
   Other projects will be able to access the account connection.