AWS CodeCommit is no longer available to new customers. Existing customers of AWS CodeCommit can continue to use the service as normal.
AWS managed policies for CodeCommit
To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.
AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions. Because these documents do change over time, treat the policy text reproduced on this page as a snapshot: the authoritative text is the default version of the policy in your account, which you can retrieve with aws iam get-policy-version.
Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.
AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. These AWS managed policies grant the permissions needed for common use cases. The managed policies for CodeCommit also grant permissions to perform operations in other services, such as IAM, Amazon SNS, and Amazon CloudWatch Events, that are required for the responsibilities of the users who have been granted the policy. For example, the AWSCodeCommitFullAccess policy is an administrative-level user policy that allows users with this policy to create and manage CloudWatch Events rules for repositories (rules whose names are prefixed with codecommit) and Amazon SNS topics for notifications about repository-related events (topics whose names are prefixed with codecommit), as well as administer repositories in CodeCommit.
The following AWS managed policies, which you can attach to users in your account, are specific to CodeCommit.
AWS managed policy: AWSCodeCommitFullAccess
You can attach the AWSCodeCommitFullAccess policy to your IAM identities. This policy grants full access to CodeCommit. Apply this policy only to administrative-level users to whom you want to grant full control over CodeCommit repositories and related resources in your Amazon Web Services account, including the ability to delete repositories.
The AWSCodeCommitFullAccess policy contains the following policy statement:
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codecommit:*"
],
"Resource": "*"
},
{
"Sid": "CloudWatchEventsCodeCommitRulesAccess",
"Effect": "Allow",
"Action": [
"events:DeleteRule",
"events:DescribeRule",
"events:DisableRule",
"events:EnableRule",
"events:PutRule",
"events:PutTargets",
"events:RemoveTargets",
"events:ListTargetsByRule"
],
"Resource": "arn:aws:events:*:*:rule/codecommit*"
},
{
"Sid": "SNSTopicAndSubscriptionAccess",
"Effect": "Allow",
"Action": [
"sns:CreateTopic",
"sns:DeleteTopic",
"sns:Subscribe",
"sns:Unsubscribe",
"sns:SetTopicAttributes"
],
"Resource": "arn:aws:sns:*:*:codecommit*"
},
{
"Sid": "SNSTopicAndSubscriptionReadAccess",
"Effect": "Allow",
"Action": [
"sns:ListTopics",
"sns:ListSubscriptionsByTopic",
"sns:GetTopicAttributes"
],
"Resource": "*"
},
{
"Sid": "LambdaReadOnlyListAccess",
"Effect": "Allow",
"Action": [
"lambda:ListFunctions"
],
"Resource": "*"
},
{
"Sid": "IAMReadOnlyListAccess",
"Effect": "Allow",
"Action": [
"iam:ListUsers"
],
"Resource": "*"
},
{
"Sid": "IAMReadOnlyConsoleAccess",
"Effect": "Allow",
"Action": [
"iam:ListAccessKeys",
"iam:ListSSHPublicKeys",
"iam:ListServiceSpecificCredentials"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "IAMUserSSHKeys",
"Effect": "Allow",
"Action": [
"iam:DeleteSSHPublicKey",
"iam:GetSSHPublicKey",
"iam:ListSSHPublicKeys",
"iam:UpdateSSHPublicKey",
"iam:UploadSSHPublicKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "IAMSelfManageServiceSpecificCredentials",
"Effect": "Allow",
"Action": [
"iam:CreateServiceSpecificCredential",
"iam:UpdateServiceSpecificCredential",
"iam:DeleteServiceSpecificCredential",
"iam:ResetServiceSpecificCredential"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "CodeStarNotificationsReadWriteAccess",
"Effect": "Allow",
"Action": [
"codestar-notifications:CreateNotificationRule",
"codestar-notifications:DescribeNotificationRule",
"codestar-notifications:UpdateNotificationRule",
"codestar-notifications:DeleteNotificationRule",
"codestar-notifications:Subscribe",
"codestar-notifications:Unsubscribe"
],
"Resource": "*",
"Condition": {
"ArnLike": {
"codestar-notifications:NotificationsForResource": "arn:aws:iam::*:role/Service*"
}
}
},
{
"Sid": "CodeStarNotificationsListAccess",
"Effect": "Allow",
"Action": [
"codestar-notifications:ListNotificationRules",
"codestar-notifications:ListTargets",
"codestar-notifications:ListTagsforResource",
"codestar-notifications:ListEventTypes"
],
"Resource": "*"
},
{
"Sid": "CodeStarNotificationsSNSTopicCreateAccess",
"Effect": "Allow",
"Action": [
"sns:CreateTopic",
"sns:SetTopicAttributes"
],
"Resource": "arn:aws:sns:*:*:codestar-notifications*"
},
{
"Sid": "AmazonCodeGuruReviewerFullAccess",
"Effect": "Allow",
"Action": [
"codeguru-reviewer:AssociateRepository",
"codeguru-reviewer:DescribeRepositoryAssociation",
"codeguru-reviewer:ListRepositoryAssociations",
"codeguru-reviewer:DisassociateRepository",
"codeguru-reviewer:DescribeCodeReview",
"codeguru-reviewer:ListCodeReviews"
],
"Resource": "*"
},
{
"Sid": "AmazonCodeGuruReviewerSLRCreation",
"Action": "iam:CreateServiceLinkedRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::*:role/aws-service-role/codeguru-reviewer.amazonaws.com/AWSServiceRoleForAmazonCodeGuruReviewer",
"Condition": {
"StringLike": {
"iam:AWSServiceName": "codeguru-reviewer.amazonaws.com"
}
}
},
{
"Sid": "CloudWatchEventsManagedRules",
"Effect": "Allow",
"Action": [
"events:PutRule",
"events:PutTargets",
"events:DeleteRule",
"events:RemoveTargets"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"events:ManagedBy": "codeguru-reviewer.amazonaws.com"
}
}
},
{
"Sid": "CodeStarNotificationsChatbotAccess",
"Effect": "Allow",
"Action": [
"chatbot:DescribeSlackChannelConfigurations",
"chatbot:ListMicrosoftTeamsChannelConfigurations"
],
"Resource": "*"
},
{
"Sid": "CodeStarConnectionsReadOnlyAccess",
"Effect": "Allow",
"Action": [
"codestar-connections:ListConnections",
"codestar-connections:GetConnection"
],
"Resource": "arn:aws:codestar-connections:*:*:connection/*"
}
]
}
AWS managed policy: AWSCodeCommitPowerUser
You can attach the AWSCodeCommitPowerUser policy to your IAM identities. This policy allows users access to all of the functionality of CodeCommit and repository-related resources, except that it does not allow them to delete CodeCommit repositories. Compared with AWSCodeCommitFullAccess it also omits the permissions to create or delete some repository-related resources in other AWS services: the statements below carry no sns:CreateTopic, sns:DeleteTopic or sns:SetTopicAttributes on codecommit* topics, no codestar-notifications:DeleteNotificationRule, and no CodeStarNotificationsSNSTopicCreateAccess statement. It does still contain the CloudWatchEventsCodeCommitRulesAccess statement, so users with this policy can create and delete CloudWatch Events rules whose names begin with codecommit; read the policy document rather than relying on this summary. This is the recommended policy to apply to most users.
The AWSCodeCommitPowerUser policy contains the following policy statement:
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codecommit:AssociateApprovalRuleTemplateWithRepository",
"codecommit:BatchAssociateApprovalRuleTemplateWithRepositories",
"codecommit:BatchDisassociateApprovalRuleTemplateFromRepositories",
"codecommit:BatchGet*",
"codecommit:BatchDescribe*",
"codecommit:Create*",
"codecommit:DeleteBranch",
"codecommit:DeleteFile",
"codecommit:Describe*",
"codecommit:DisassociateApprovalRuleTemplateFromRepository",
"codecommit:EvaluatePullRequestApprovalRules",
"codecommit:Get*",
"codecommit:List*",
"codecommit:Merge*",
"codecommit:OverridePullRequestApprovalRules",
"codecommit:Put*",
"codecommit:Post*",
"codecommit:TagResource",
"codecommit:Test*",
"codecommit:UntagResource",
"codecommit:Update*",
"codecommit:GitPull",
"codecommit:GitPush"
],
"Resource": "*"
},
{
"Sid": "CloudWatchEventsCodeCommitRulesAccess",
"Effect": "Allow",
"Action": [
"events:DeleteRule",
"events:DescribeRule",
"events:DisableRule",
"events:EnableRule",
"events:PutRule",
"events:PutTargets",
"events:RemoveTargets",
"events:ListTargetsByRule"
],
"Resource": "arn:aws:events:*:*:rule/codecommit*"
},
{
"Sid": "SNSTopicAndSubscriptionAccess",
"Effect": "Allow",
"Action": [
"sns:Subscribe",
"sns:Unsubscribe"
],
"Resource": "arn:aws:sns:*:*:codecommit*"
},
{
"Sid": "SNSTopicAndSubscriptionReadAccess",
"Effect": "Allow",
"Action": [
"sns:ListTopics",
"sns:ListSubscriptionsByTopic",
"sns:GetTopicAttributes"
],
"Resource": "*"
},
{
"Sid": "LambdaReadOnlyListAccess",
"Effect": "Allow",
"Action": [
"lambda:ListFunctions"
],
"Resource": "*"
},
{
"Sid": "IAMReadOnlyListAccess",
"Effect": "Allow",
"Action": [
"iam:ListUsers"
],
"Resource": "*"
},
{
"Sid": "IAMReadOnlyConsoleAccess",
"Effect": "Allow",
"Action": [
"iam:ListAccessKeys",
"iam:ListSSHPublicKeys",
"iam:ListServiceSpecificCredentials"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "IAMUserSSHKeys",
"Effect": "Allow",
"Action": [
"iam:DeleteSSHPublicKey",
"iam:GetSSHPublicKey",
"iam:ListSSHPublicKeys",
"iam:UpdateSSHPublicKey",
"iam:UploadSSHPublicKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "IAMSelfManageServiceSpecificCredentials",
"Effect": "Allow",
"Action": [
"iam:CreateServiceSpecificCredential",
"iam:UpdateServiceSpecificCredential",
"iam:DeleteServiceSpecificCredential",
"iam:ResetServiceSpecificCredential"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "CodeStarNotificationsReadWriteAccess",
"Effect": "Allow",
"Action": [
"codestar-notifications:CreateNotificationRule",
"codestar-notifications:DescribeNotificationRule",
"codestar-notifications:UpdateNotificationRule",
"codestar-notifications:Subscribe",
"codestar-notifications:Unsubscribe"
],
"Resource": "*",
"Condition": {
"ArnLike": {
"codestar-notifications:NotificationsForResource": "arn:aws:iam::*:role/Service*"
}
}
},
{
"Sid": "CodeStarNotificationsListAccess",
"Effect": "Allow",
"Action": [
"codestar-notifications:ListNotificationRules",
"codestar-notifications:ListTargets",
"codestar-notifications:ListTagsforResource",
"codestar-notifications:ListEventTypes"
],
"Resource": "*"
},
{
"Sid": "AmazonCodeGuruReviewerFullAccess",
"Effect": "Allow",
"Action": [
"codeguru-reviewer:AssociateRepository",
"codeguru-reviewer:DescribeRepositoryAssociation",
"codeguru-reviewer:ListRepositoryAssociations",
"codeguru-reviewer:DisassociateRepository",
"codeguru-reviewer:DescribeCodeReview",
"codeguru-reviewer:ListCodeReviews"
],
"Resource": "*"
},
{
"Sid": "AmazonCodeGuruReviewerSLRCreation",
"Action": "iam:CreateServiceLinkedRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::*:role/aws-service-role/codeguru-reviewer.amazonaws.com/AWSServiceRoleForAmazonCodeGuruReviewer",
"Condition": {
"StringLike": {
"iam:AWSServiceName": "codeguru-reviewer.amazonaws.com"
}
}
},
{
"Sid": "CloudWatchEventsManagedRules",
"Effect": "Allow",
"Action": [
"events:PutRule",
"events:PutTargets",
"events:DeleteRule",
"events:RemoveTargets"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"events:ManagedBy": "codeguru-reviewer.amazonaws.com"
}
}
},
{
"Sid": "CodeStarNotificationsChatbotAccess",
"Effect": "Allow",
"Action": [
"chatbot:DescribeSlackChannelConfigurations",
"chatbot:ListMicrosoftTeamsChannelConfigurations"
],
"Resource": "*"
},
{
"Sid": "CodeStarConnectionsReadOnlyAccess",
"Effect": "Allow",
"Action": [
"codestar-connections:ListConnections",
"codestar-connections:GetConnection"
],
"Resource": "arn:aws:codestar-connections:*:*:connection/*"
}
]
}
AWS managed policy: AWSCodeCommitReadOnly
You can attach the AWSCodeCommitReadOnly policy to your IAM identities. This policy grants read-only access to CodeCommit and to repository-related resources in other AWS services, together with read-only access to the user's own CodeCommit-related IAM resources: in the statements below the user can list their access keys, list and get their SSH public keys, and list their service-specific credentials (Git credentials), but, unlike the other two policies, cannot upload SSH keys or create Git credentials. Apply this policy to users to whom you want to grant the ability to read the contents of a repository but not to change them.
The AWSCodeCommitReadOnly policy contains the following policy statement:
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":[
"codecommit:BatchGet*",
"codecommit:BatchDescribe*",
"codecommit:Describe*",
"codecommit:EvaluatePullRequestApprovalRules",
"codecommit:Get*",
"codecommit:List*",
"codecommit:GitPull"
],
"Resource":"*"
},
{
"Sid":"CloudWatchEventsCodeCommitRulesReadOnlyAccess",
"Effect":"Allow",
"Action":[
"events:DescribeRule",
"events:ListTargetsByRule"
],
"Resource":"arn:aws:events:*:*:rule/codecommit*"
},
{
"Sid":"SNSSubscriptionAccess",
"Effect":"Allow",
"Action":[
"sns:ListTopics",
"sns:ListSubscriptionsByTopic",
"sns:GetTopicAttributes"
],
"Resource":"*"
},
{
"Sid":"LambdaReadOnlyListAccess",
"Effect":"Allow",
"Action":[
"lambda:ListFunctions"
],
"Resource":"*"
},
{
"Sid":"IAMReadOnlyListAccess",
"Effect":"Allow",
"Action":[
"iam:ListUsers"
],
"Resource":"*"
},
{
"Sid":"IAMReadOnlyConsoleAccess",
"Effect":"Allow",
"Action":[
"iam:ListAccessKeys",
"iam:ListSSHPublicKeys",
"iam:ListServiceSpecificCredentials",
"iam:GetSSHPublicKey"
],
"Resource":"arn:aws:iam::*:user/${aws:username}"
},
{
"Sid":"CodeStarNotificationsReadOnlyAccess",
"Effect":"Allow",
"Action":[
"codestar-notifications:DescribeNotificationRule"
],
"Resource":"*",
"Condition":{
"ArnLike":{
"codestar-notifications:NotificationsForResource":"arn:aws:codecommit:us-east-2:111122223333:*"
}
}
},
{
"Sid":"CodeStarNotificationsListAccess",
"Effect":"Allow",
"Action":[
"codestar-notifications:ListNotificationRules",
"codestar-notifications:ListEventTypes",
"codestar-notifications:ListTargets"
],
"Resource":"*"
},
{
"Sid": "AmazonCodeGuruReviewerReadOnlyAccess",
"Effect": "Allow",
"Action": [
"codeguru-reviewer:DescribeRepositoryAssociation",
"codeguru-reviewer:ListRepositoryAssociations",
"codeguru-reviewer:DescribeCodeReview",
"codeguru-reviewer:ListCodeReviews"
],
"Resource": "*"
},
{
"Sid": "CodeStarConnectionsReadOnlyAccess",
"Effect": "Allow",
"Action": [
"codestar-connections:ListConnections",
"codestar-connections:GetConnection"
],
"Resource": "arn:aws:codestar-connections:*:*:connection/*"
}
]
}
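The three documents above differ mostly in which CodeCommit actions they match and in how the non-CodeCommit statements are scoped (a name prefix on the Resource ARN, the ${aws:username} policy variable, or a condition key such as events:ManagedBy). The evaluator below is an added example, not AWS code and not part of the CodeCommit documentation; it reimplements just enough of IAM's evaluation logic (case-insensitive wildcard matching of Action, glob matching of Resource ARNs, policy-variable substitution, and the StringEquals/StringLike/ArnLike operators) to answer "does this policy allow this action on this resource?" for trimmed copies of the AWSCodeCommitPowerUser and AWSCodeCommitReadOnly statements. The repository, rule and user names and the account ID 111122223333 are constructed for the example.

```python
"""Minimal IAM policy evaluator for the managed policies reproduced above.

Added example, not AWS code. It models the parts of IAM evaluation these
documents rely on: case-insensitive wildcards in Action, glob matching of
Resource ARNs, ${aws:username} substitution, and StringEquals / StringLike /
ArnLike conditions. Explicit Deny wins over Allow; no match is an implicit
deny. Resource-based policies, permission boundaries and SCPs are not modelled.
"""
import re

# Trimmed statements copied from the AWSCodeCommitPowerUser and
# AWSCodeCommitReadOnly documents above. Repository, rule and user names and
# the account ID 111122223333 used with them are constructed for this example.
POWER_USER = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["codecommit:BatchGet*", "codecommit:Create*",
                    "codecommit:DeleteBranch", "codecommit:DeleteFile",
                    "codecommit:Get*", "codecommit:List*", "codecommit:Put*",
                    "codecommit:Update*", "codecommit:GitPull",
                    "codecommit:GitPush"]},
        {"Sid": "CloudWatchEventsCodeCommitRulesAccess", "Effect": "Allow",
         "Action": ["events:PutRule", "events:DeleteRule"],
         "Resource": "arn:aws:events:*:*:rule/codecommit*"},
        {"Sid": "IAMUserSSHKeys", "Effect": "Allow",
         "Action": ["iam:UploadSSHPublicKey", "iam:DeleteSSHPublicKey"],
         "Resource": "arn:aws:iam::*:user/${aws:username}"},
        {"Sid": "CloudWatchEventsManagedRules", "Effect": "Allow",
         "Action": ["events:PutRule", "events:DeleteRule"], "Resource": "*",
         "Condition": {"StringEquals": {
             "events:ManagedBy": "codeguru-reviewer.amazonaws.com"}}},
    ],
}
READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["codecommit:BatchGet*", "codecommit:Describe*",
                    "codecommit:Get*", "codecommit:List*",
                    "codecommit:GitPull"]},
    ],
}
_VAR = re.compile(r"\$\{([A-Za-z0-9:/_-]+)\}")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, value, fold_case=False):
    """IAM wildcard match: '*' is any run of characters, '?' exactly one."""
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def _substitute(template, context):
    """Resolve policy variables such as ${aws:username} from the request
    context. An unresolved variable stays literal, so the element cannot match."""
    return _VAR.sub(lambda m: context.get(m.group(1), m.group(0)), template)

def _condition_holds(condition, context):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:            # key absent: these operators fail
                return False
            patterns = [_substitute(p, context) for p in _as_list(expected)]
            if operator == "StringEquals":
                ok = actual in patterns
            elif operator in ("StringLike", "ArnLike"):
                ok = any(_glob(p, actual) for p in patterns)
            else:
                raise ValueError(f"condition operator {operator} not modelled")
            if not ok:
                return False
    return True

def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_glob(a, action, fold_case=True) for a in _as_list(stmt["Action"])):
            continue
        resources = [_substitute(r, context) for r in _as_list(stmt["Resource"])]
        if not any(_glob(r, resource) for r in resources):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                 # an explicit deny always wins
        decision = "Allow"
    return decision

def allowed(policy, actions, resource, context=None):
    """Subset of `actions` that `policy` allows on `resource`."""
    return [a for a in actions if evaluate(policy, a, resource, context) == "Allow"]
```

Running evaluate(POWER_USER, "codecommit:DeleteRepository", repo_arn) returns ImplicitDeny while codecommit:DeleteBranch is allowed, which is exactly the PowerUser distinction described above; events:PutRule on a rule not named codecommit* is denied unless the request carries events:ManagedBy set to codeguru-reviewer.amazonaws.com; and iam:UploadSSHPublicKey succeeds only when the target user ARN matches the aws:username of the caller, so one user cannot plant an SSH key on another user. Because the real service also consults resource-based policies, permission boundaries and SCPs, use this for reasoning about the identity policy alone and confirm with the IAM policy simulator before relying on a result.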
CodeCommit managed policies and notifications
AWS CodeCommit supports notifications, which can notify users of important changes to repositories. Managed policies for CodeCommit include policy statements for notification functionality. For more information, see What are notifications?.
Permissions related to notifications in the full access managed policy
The AWSCodeCommitFullAccess managed policy includes the following statements to allow full access to notifications. Users with this managed policy applied can also create and manage Amazon SNS topics for notifications, subscribe and unsubscribe users to topics, list topics to choose as targets for notification rules, and list the Amazon Q Developer in chat applications clients configured for Slack and Microsoft Teams.
{
"Sid": "CodeStarNotificationsReadWriteAccess",
"Effect": "Allow",
"Action": [
"codestar-notifications:CreateNotificationRule",
"codestar-notifications:DescribeNotificationRule",
"codestar-notifications:UpdateNotificationRule",
"codestar-notifications:DeleteNotificationRule",
"codestar-notifications:Subscribe",
"codestar-notifications:Unsubscribe"
],
"Resource": "*",
"Condition" : {
"StringLike" : {"codestar-notifications:NotificationsForResource" : "arn:aws:codecommit:*"}
}
},
{
"Sid": "CodeStarNotificationsListAccess",
"Effect": "Allow",
"Action": [
"codestar-notifications:ListNotificationRules",
"codestar-notifications:ListTargets",
"codestar-notifications:ListTagsforResource",
"codestar-notifications:ListEventTypes"
],
"Resource": "*"
},
{
"Sid": "CodeStarNotificationsSNSTopicCreateAccess",
"Effect": "Allow",
"Action": [
"sns:CreateTopic",
"sns:SetTopicAttributes"
],
"Resource": "arn:aws:sns:*:*:codestar-notifications*"
},
{
"Sid": "CodeStarNotificationsChatbotAccess",
"Effect": "Allow",
"Action": [
"chatbot:DescribeSlackChannelConfigurations",
"chatbot:ListMicrosoftTeamsChannelConfigurations"
],
"Resource": "*"
}
Permissions related to notifications in the read-only managed policy
The AWSCodeCommitReadOnly managed policy includes the following statements to allow read-only access to notifications. Users with this managed policy applied can view notifications for resources, but cannot create, manage, or subscribe to them.
{
"Sid": "CodeStarNotificationsReadOnlyAccess",
"Effect": "Allow",
"Action": [
"codestar-notifications:DescribeNotificationRule"
],
"Resource": "*",
"Condition" : {
"StringLike" : {"codestar-notifications:NotificationsForResource" : "arn:aws:codecommit:*"}
}
},
{
"Sid": "CodeStarNotificationsListAccess",
"Effect": "Allow",
"Action": [
"codestar-notifications:ListNotificationRules",
"codestar-notifications:ListEventTypes",
"codestar-notifications:ListTargets"
],
"Resource": "*"
}
Permissions related to notifications in other managed policies
The AWSCodeCommitPowerUser managed policy includes the following statements to allow users to create, edit, and subscribe to notifications. Users cannot delete notification rules or manage tags for resources.
{
"Sid": "CodeStarNotificationsReadWriteAccess",
"Effect": "Allow",
"Action": [
"codestar-notifications:CreateNotificationRule",
"codestar-notifications:DescribeNotificationRule",
"codestar-notifications:UpdateNotificationRule",
"codestar-notifications:Subscribe",
"codestar-notifications:Unsubscribe"
],
"Resource": "*",
"Condition" : {
"StringLike" : {"codestar-notifications:NotificationsForResource" : "arn:aws:codecommit*"}
}
},
{
"Sid": "CodeStarNotificationsListAccess",
"Effect": "Allow",
"Action": [
"codestar-notifications:ListNotificationRules",
"codestar-notifications:ListTargets",
"codestar-notifications:ListTagsforResource",
"codestar-notifications:ListEventTypes"
],
"Resource": "*"
},
{
"Sid": "SNSTopicListAccess",
"Effect": "Allow",
"Action": [
"sns:ListTopics"
],
"Resource": "*"
},
{
"Sid": "CodeStarNotificationsChatbotAccess",
"Effect": "Allow",
"Action": [
"chatbot:DescribeSlackChannelConfigurations",
"chatbot:ListMicrosoftTeamsChannelConfigurations"
],
"Resource": "*"
}
For more information about IAM and notifications, see Identity and Access Management for AWS CodeStar Notifications.
AWS CodeCommit managed policies and Amazon CodeGuru Reviewer
CodeCommit supports Amazon CodeGuru Reviewer, an automated code review service that uses program analysis and machine learning to detect common issues in Java or Python code and recommend fixes. Managed policies for CodeCommit include policy statements for CodeGuru Reviewer functionality. For more information, see What is Amazon CodeGuru Reviewer.
Permissions related to CodeGuru Reviewer in AWSCodeCommitFullAccess
The AWSCodeCommitFullAccess managed policy includes the following statements to allow CodeGuru Reviewer to be associated and disassociated with CodeCommit repositories. Users with this managed policy applied can also view the association status between CodeCommit repositories and CodeGuru Reviewer, and view the status of review jobs for pull requests. The two accompanying statements let the user create the AWSServiceRoleForAmazonCodeGuruReviewer service-linked role, but only for the codeguru-reviewer.amazonaws.com service principal, and let CloudWatch Events rules be created and deleted only when the events:ManagedBy condition key identifies CodeGuru Reviewer as the managing service.
{
"Sid": "AmazonCodeGuruReviewerFullAccess",
"Effect": "Allow",
"Action": [
"codeguru-reviewer:AssociateRepository",
"codeguru-reviewer:DescribeRepositoryAssociation",
"codeguru-reviewer:ListRepositoryAssociations",
"codeguru-reviewer:DisassociateRepository",
"codeguru-reviewer:DescribeCodeReview",
"codeguru-reviewer:ListCodeReviews"
],
"Resource": "*"
},
{
"Sid": "AmazonCodeGuruReviewerSLRCreation",
"Action": "iam:CreateServiceLinkedRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::*:role/aws-service-role/codeguru-reviewer.amazonaws.com/AWSServiceRoleForAmazonCodeGuruReviewer",
"Condition": {
"StringLike": {
"iam:AWSServiceName": "codeguru-reviewer.amazonaws.com"
}
}
},
{
"Sid": "CloudWatchEventsManagedRules",
"Effect": "Allow",
"Action": [
"events:PutRule",
"events:PutTargets",
"events:DeleteRule",
"events:RemoveTargets"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"events:ManagedBy": "codeguru-reviewer.amazonaws.com"
}
}
}
Permissions related to CodeGuru Reviewer in AWSCodeCommitPowerUser
The AWSCodeCommitPowerUser managed policy includes the following statements to allow users to associate and disassociate repositories with CodeGuru Reviewer and to view the status of review jobs for pull requests.
{
"Sid": "AmazonCodeGuruReviewerFullAccess",
"Effect": "Allow",
"Action": [
"codeguru-reviewer:AssociateRepository",
"codeguru-reviewer:DescribeRepositoryAssociation",
"codeguru-reviewer:ListRepositoryAssociations",
"codeguru-reviewer:DisassociateRepository",
"codeguru-reviewer:DescribeCodeReview",
"codeguru-reviewer:ListCodeReviews"
],
"Resource": "*"
},
{
"Sid": "AmazonCodeGuruReviewerSLRCreation",
"Action": "iam:CreateServiceLinkedRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::*:role/aws-service-role/codeguru-reviewer.amazonaws.com/AWSServiceRoleForAmazonCodeGuruReviewer",
"Condition": {
"StringLike": {
"iam:AWSServiceName": "codeguru-reviewer.amazonaws.com"
}
}
},
{
"Sid": "CloudWatchEventsManagedRules",
"Effect": "Allow",
"Action": [
"events:PutRule",
"events:PutTargets",
"events:DeleteRule",
"events:RemoveTargets"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"events:ManagedBy": "codeguru-reviewer.amazonaws.com"
}
}
}
Permissions related to CodeGuru Reviewer in AWSCodeCommitReadOnly
The AWSCodeCommitReadOnly managed policy includes the following statement to allow read-only access to the CodeGuru Reviewer association status and to view the status of review jobs for pull requests. Users with this managed policy applied cannot associate or disassociate repositories.
{
"Sid": "AmazonCodeGuruReviewerReadOnlyAccess",
"Effect": "Allow",
"Action": [
"codeguru-reviewer:DescribeRepositoryAssociation",
"codeguru-reviewer:ListRepositoryAssociations",
"codeguru-reviewer:DescribeCodeReview",
"codeguru-reviewer:ListCodeReviews"
],
"Resource": "*"
}
Amazon CodeGuru Reviewer service-linked role
When you associate a repository with CodeGuru Reviewer, a service-linked role is created so that CodeGuru Reviewer can detect issues and recommend fixes for Java or Python code in pull requests. The service-linked role is named AWSServiceRoleForAmazonCodeGuruReviewer. For more information, see Using service-linked roles for Amazon CodeGuru Reviewer.
For more information, see AWS managed policies in the IAM User Guide.
CodeCommit updates to AWS managed policies
View details about updates to AWS managed policies for CodeCommit since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the AWS CodeCommit User Guide Document history page.
| Change | Description | Date |
| --- | --- | --- |
| AWS managed policy: AWSCodeCommitFullAccess and AWS managed policy: AWSCodeCommitPowerUser: update to existing policies | CodeCommit added a permission to these policies to support an additional notification type in Amazon Q Developer in chat applications. The AWSCodeCommitPowerUser and AWSCodeCommitFullAccess policies were changed to add the permission chatbot:ListMicrosoftTeamsChannelConfigurations. | May 16, 2023 |
| AWS managed policy: AWSCodeCommitReadOnly: update to existing policy | CodeCommit removed a duplicate permission from the policy. AWSCodeCommitReadOnly was changed to remove a duplicate "iam:ListAccessKeys" permission. | August 18, 2021 |
| CodeCommit started tracking changes | CodeCommit started tracking changes for its AWS managed policies. | August 18, 2021 |
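Because a managed-policy update takes effect for every identity the policy is attached to, it is worth diffing the new default version against the one you last reviewed instead of reading the change log alone. The script below is an added example, not AWS tooling. It assumes you fetch the two versions yourself: aws iam get-policy --policy-arn arn:aws:iam::aws:policy/AWSCodeCommitFullAccess reports the current DefaultVersionId, aws iam list-policy-versions lists the older ones, and aws iam get-policy-version --policy-arn ... --version-id vN returns each document (the IAM API delivers PolicyVersion.Document URL-encoded; the CLI normally decodes it, and the loader accepts either form). The two embedded documents are constructed and, for illustration, combine the two changes in the table above: the duplicate iam:ListAccessKeys removed in 2021 and the chatbot:ListMicrosoftTeamsChannelConfigurations action added in 2023.

```python
"""Diff two versions of an AWS managed policy, statement by statement.

Added example, not AWS tooling. It consumes the JSON that
`aws iam get-policy-version --policy-arn ARN --version-id vN` returns (IAM
delivers PolicyVersion.Document URL-encoded; the CLI normally decodes it, so
both forms are accepted) and reports what a newer version adds, removes or
changes, so an update can be reviewed before it reaches every attached identity.
"""
import json
from urllib.parse import unquote

# Constructed before/after documents. For illustration they combine the two
# changes in the table above: the duplicate iam:ListAccessKeys removed in 2021
# and chatbot:ListMicrosoftTeamsChannelConfigurations added in 2023.
OLD_DOC = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "IAMReadOnlyConsoleAccess", "Effect": "Allow",
         "Action": ["iam:ListAccessKeys", "iam:ListSSHPublicKeys",
                    "iam:ListAccessKeys"],
         "Resource": "arn:aws:iam::*:user/${aws:username}"},
        {"Sid": "CodeStarNotificationsChatbotAccess", "Effect": "Allow",
         "Action": ["chatbot:DescribeSlackChannelConfigurations"],
         "Resource": "*"},
    ],
}
NEW_DOC = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "IAMReadOnlyConsoleAccess", "Effect": "Allow",
         "Action": ["iam:ListAccessKeys", "iam:ListSSHPublicKeys"],
         "Resource": "arn:aws:iam::*:user/${aws:username}"},
        {"Sid": "CodeStarNotificationsChatbotAccess", "Effect": "Allow",
         "Action": ["chatbot:DescribeSlackChannelConfigurations",
                    "chatbot:ListMicrosoftTeamsChannelConfigurations"],
         "Resource": "*"},
    ],
}

def load_policy_version(cli_output):
    """Extract the policy document from `aws iam get-policy-version` output."""
    data = json.loads(cli_output) if isinstance(cli_output, str) else cli_output
    doc = data["PolicyVersion"]["Document"]
    if isinstance(doc, str):               # raw API form: URL-encoded JSON text
        doc = json.loads(unquote(doc))
    return doc

def _norm(stmt, field):
    """Order-insensitive view of a statement field: Action and Resource may be
    a string or a list, and a list may carry duplicates, so compare as sets."""
    value = stmt.get(field)
    if field in ("Action", "Resource") and value is not None:
        return set(value if isinstance(value, list) else [value])
    return value

def _by_sid(policy):
    """Key statements by Sid; unnamed statements fall back to their position."""
    return {s.get("Sid", f"<statement {i}>"): s
            for i, s in enumerate(policy["Statement"])}

def diff_policies(old, new):
    """Report added/removed statements and, per surviving Sid, changed fields."""
    o, n = _by_sid(old), _by_sid(new)
    report = {"added_statements": sorted(n.keys() - o.keys()),
              "removed_statements": sorted(o.keys() - n.keys()),
              "changed": {}}
    for sid in sorted(o.keys() & n.keys()):
        entry = {}
        old_actions = _norm(o[sid], "Action") or set()
        new_actions = _norm(n[sid], "Action") or set()
        if new_actions - old_actions:
            entry["added_actions"] = sorted(new_actions - old_actions)
        if old_actions - new_actions:
            entry["removed_actions"] = sorted(old_actions - new_actions)
        for field in ("Effect", "Resource", "Condition"):
            if _norm(o[sid], field) != _norm(n[sid], field):
                entry[field] = {"old": o[sid].get(field), "new": n[sid].get(field)}
        if entry:
            report["changed"][sid] = entry
    return report

def needs_review(report):
    """True when the new version grants something the old one did not, or
    touches a Resource or Condition; pure removals do not trigger it."""
    if report["added_statements"]:
        return True
    return any("added_actions" in e or "Resource" in e or "Condition" in e
               for e in report["changed"].values())
```

On the constructed documents, diff_policies reports a single changed statement, CodeStarNotificationsChatbotAccess with one added action, and nothing for IAMReadOnlyConsoleAccess, because removing a duplicate entry does not change the set of granted actions; needs_review is therefore true for the forward diff and false for the reverse one. Statements without a Sid are keyed by position, so a policy author inserting an unnamed statement in the middle will show up as one removed and one added statement rather than a clean change, which is a reason to prefer Sids in your own customer managed policies.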