

This page is a machine-translated version. If this translation differs from the English original, the English original prevails.

# Permissions and examples for AWS CodeStar Notifications


The following policy statements and examples can help you manage AWS CodeStar Notifications.

## Permissions related to notifications in full access managed policies


The **AWSCodeCommitFullAccess**, **AWSCodeBuildAdminAccess**, **AWSCodeDeployFullAccess**, and **AWSCodePipeline_FullAccess** managed policies include the following statements, which allow full access to notifications in the Developer Tools console. Users who have one of these managed policies applied can also create and manage Amazon SNS topics for notifications, subscribe and unsubscribe users to topics, and list topics to choose as targets for notification rules.

**Note**  
In the managed policies, the condition key `codestar-notifications:NotificationsForResource` has a value specific to the service's resource type. For example, in the full access policy for CodeCommit, the value is `arn:aws:codecommit:*`.

```
    {
        "Sid": "CodeStarNotificationsReadWriteAccess",
        "Effect": "Allow",
        "Action": [
            "codestar-notifications:CreateNotificationRule",
            "codestar-notifications:DescribeNotificationRule",
            "codestar-notifications:UpdateNotificationRule",
            "codestar-notifications:DeleteNotificationRule",
            "codestar-notifications:Subscribe",
            "codestar-notifications:Unsubscribe"
        ],
        "Resource": "*",
        "Condition" : {
            "StringLike" : {"codestar-notifications:NotificationsForResource" : "arn:aws:<vendor-code>:*"} 
        }
    },    
    {
        "Sid": "CodeStarNotificationsListAccess",
        "Effect": "Allow",
        "Action": [
            "codestar-notifications:ListNotificationRules",
            "codestar-notifications:ListTargets",
            "codestar-notifications:ListTagsforResource",
            "codestar-notifications:ListEventTypes"
        ],
        "Resource": "*"
    },
    {
        "Sid": "CodeStarNotificationsSNSTopicCreateAccess",
        "Effect": "Allow",
        "Action": [
            "sns:CreateTopic",
            "sns:SetTopicAttributes"
        ],
        "Resource": "arn:aws:sns:*:*:codestar-notifications*"
    },
    {
        "Sid": "SNSTopicListAccess",
        "Effect": "Allow",
        "Action": [
            "sns:ListTopics"
        ],
        "Resource": "*"
    },
    {
        "Sid": "CodeStarNotificationsChatbotAccess",
        "Effect": "Allow",
        "Action": [
            "chatbot:DescribeSlackChannelConfigurations",
            "chatbot:ListMicrosoftTeamsChannelConfigurations"
        ],
        "Resource": "*"
    }
```

## Permissions related to notifications in read-only managed policies


The **AWSCodeCommitReadOnlyAccess**, **AWSCodeBuildReadOnlyAccess**, **AWSCodeDeployReadOnlyAccess**, and **AWSCodePipeline_ReadOnlyAccess** managed policies include the following statements, which allow read-only access to notifications. For example, users can view the notifications for resources in the Developer Tools console, but cannot create, manage, or subscribe to them.

**Note**  
In the managed policies, the condition key `codestar-notifications:NotificationsForResource` has a value specific to the service's resource type. For example, in the full access policy for CodeCommit, the value is `arn:aws:codecommit:*`.

```
    {
        "Sid": "CodeStarNotificationsPowerUserAccess",
        "Effect": "Allow",
        "Action": [
            "codestar-notifications:DescribeNotificationRule"
        ],
        "Resource": "*",
        "Condition" : {
            "StringLike" : {"codestar-notifications:NotificationsForResource" : "arn:aws:<vendor-code>:*"} 
        }
    },    
    {
        "Sid": "CodeStarNotificationsListAccess",
        "Effect": "Allow",
        "Action": [
            "codestar-notifications:ListNotificationRules",
            "codestar-notifications:ListEventTypes",
            "codestar-notifications:ListTargets"
        ],
        "Resource": "*"
    }
```

## Permissions related to notifications in other managed policies


The **AWSCodeCommitPowerUser**, **AWSCodeBuildDeveloperAccess**, and **AWSCodeDeployDeveloperAccess** managed policies include the following statements, which allow developers who have one of these managed policies applied to create, edit, and subscribe to notifications. They cannot delete notification rules or manage tags for resources.

**Note**  
In the managed policies, the condition key `codestar-notifications:NotificationsForResource` has a value specific to the service's resource type. For example, in the full access policy for CodeCommit, the value is `arn:aws:codecommit:*`.

```
    {
        "Sid": "CodeStarNotificationsReadWriteAccess",
        "Effect": "Allow",
        "Action": [
            "codestar-notifications:CreateNotificationRule",
            "codestar-notifications:DescribeNotificationRule",
            "codestar-notifications:UpdateNotificationRule",
            "codestar-notifications:Subscribe",
            "codestar-notifications:Unsubscribe"
        ],
        "Resource": "*",
        "Condition" : {
            "StringLike" : {"codestar-notifications:NotificationsForResource" : "arn:aws:<vendor-code>:*"} 
        }
    },    
    {
        "Sid": "CodeStarNotificationsListAccess",
        "Effect": "Allow",
        "Action": [
            "codestar-notifications:ListNotificationRules",
            "codestar-notifications:ListTargets",
            "codestar-notifications:ListTagsforResource",
            "codestar-notifications:ListEventTypes"
        ],
        "Resource": "*"
    },
    {
        "Sid": "SNSTopicListAccess",
        "Effect": "Allow",
        "Action": [
            "sns:ListTopics"
        ],
        "Resource": "*"
    },
    {
        "Sid": "CodeStarNotificationsChatbotAccess",
        "Effect": "Allow",
        "Action": [
            "chatbot:DescribeSlackChannelConfigurations",
            "chatbot:ListMicrosoftTeamsChannelConfigurations"
        ],
        "Resource": "*"
    }
```

## Example: Administrator-level policy for managing AWS CodeStar Notifications


In this example, you want to grant an IAM user in your AWS account full access to AWS CodeStar Notifications, so that the user can view the details of notification rules and list notification rules, targets, and event types. You also want to allow the user to add, update, and delete notification rules. This is a full access policy, equivalent to the notification permissions included in the **AWSCodeBuildAdminAccess**, **AWSCodeCommitFullAccess**, **AWSCodeDeployFullAccess**, and **AWSCodePipeline_FullAccess** managed policies. As with those managed policies, you should attach this kind of policy statement only to IAM users, groups, or roles that require full administrative permissions for notifications and notification rules across your entire AWS account.

**Note**  
This policy includes an allow for `CreateNotificationRule`. Any user who has this policy applied to their IAM user or role can create AWS CodeStar Notifications rules for any and all resource types supported by notifications in the AWS account, even if that user does not have access to those resources themselves. For example, a user with this policy could create a notification rule for a CodeCommit repository without having access to CodeCommit.


```
{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AWSCodeStarNotificationsFullAccess",
        "Effect": "Allow",
        "Action": [
            "codestar-notifications:CreateNotificationRule",
            "codestar-notifications:DeleteNotificationRule",
            "codestar-notifications:DescribeNotificationRule",
            "codestar-notifications:ListNotificationRules",
            "codestar-notifications:UpdateNotificationRule",
            "codestar-notifications:Subscribe",
            "codestar-notifications:Unsubscribe",
            "codestar-notifications:DeleteTarget",
            "codestar-notifications:ListTargets",
            "codestar-notifications:ListTagsforResource",
            "codestar-notifications:TagResource",
            "codestar-notifications:UntagResource"
        ],
        "Resource": "*"
      }
    ]
}
```


## Example: Contributor-level policy for working with AWS CodeStar Notifications


In this example, you want to grant permissions for day-to-day work with AWS CodeStar Notifications, such as creating and subscribing to notifications, but not grant access to more destructive actions, such as deleting notification rules or targets. This is equivalent to the access provided in the **AWSCodeBuildDeveloperAccess**, **AWSCodeDeployDeveloperAccess**, and **AWSCodeCommitPowerUser** managed policies.

**Note**  
This policy includes an allow for `CreateNotificationRule`. Any user who has this policy applied to their IAM user or role can create AWS CodeStar Notifications rules for any and all resource types supported by notifications in the AWS account, even if that user does not have access to those resources themselves. For example, a user with this policy could create a notification rule for a CodeCommit repository without having access to CodeCommit.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCodeStarNotificationsPowerUserAccess",
            "Effect": "Allow",
            "Action": [
                "codestar-notifications:CreateNotificationRule",
                "codestar-notifications:DescribeNotificationRule",
                "codestar-notifications:ListNotificationRules",
                "codestar-notifications:UpdateNotificationRule",
                "codestar-notifications:Subscribe",
                "codestar-notifications:Unsubscribe",
                "codestar-notifications:ListTargets",
                "codestar-notifications:ListTagsforResource"
            ],
            "Resource": "*"
        }
    ]
}
```
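The two notes above (the `codestar-notifications:NotificationsForResource` condition key that the managed policies use, and the warning that these example policies allow `CreateNotificationRule` on any resource) can be checked offline with a small evaluator. This is an added example, not AWS code: it implements only the policy subset used on this page (Allow statements, literal Action lists, Resource `"*"`, and a StringLike condition on that one key, with implicit deny otherwise), and the resource ARNs and account ID are constructed placeholders.

```python
import re

# Condition key the managed policies use to scope notification actions (from the page).
COND_KEY = "codestar-notifications:NotificationsForResource"

def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def is_allowed(statements, action: str, resource_arn: str) -> bool:
    """Allowed only if some Allow statement lists the action and its condition passes.
    Assumption: Resource is "*" in every statement, as in this page's policies."""
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or action not in stmt.get("Action", []):
            continue
        cond = stmt.get("Condition", {}).get("StringLike", {})
        if COND_KEY in cond and not string_like(cond[COND_KEY], resource_arn):
            continue  # condition failed, try the next statement
        return True
    return False  # no matching Allow: implicit deny

CREATE = "codestar-notifications:CreateNotificationRule"

# Contributor-style statement as on the page: rule creation for any resource type.
UNSCOPED = [{"Effect": "Allow", "Action": [CREATE], "Resource": "*"}]
# Same statement narrowed with the managed policies' condition key, filled in for CodeCommit.
SCOPED = [{"Effect": "Allow", "Action": [CREATE], "Resource": "*",
           "Condition": {"StringLike": {COND_KEY: "arn:aws:codecommit:*"}}}]

# Constructed sample ARNs; 111122223333 is a placeholder account ID.
REPO = "arn:aws:codecommit:us-east-1:111122223333:MyRepo"
PIPELINE = "arn:aws:codepipeline:us-east-1:111122223333:MyPipeline"

def compare() -> dict:
    """Evaluate CreateNotificationRule against both resources under both statements."""
    return {
        "unscoped_repo": is_allowed(UNSCOPED, CREATE, REPO),          # True
        "unscoped_pipeline": is_allowed(UNSCOPED, CREATE, PIPELINE),  # True
        "scoped_repo": is_allowed(SCOPED, CREATE, REPO),              # True
        "scoped_pipeline": is_allowed(SCOPED, CREATE, PIPELINE),      # False
    }

if __name__ == "__main__":
    for name, allowed in compare().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The scoped statement only narrows which resource ARNs a rule may be created for (a single repository ARN works in place of `arn:aws:codecommit:*`); it does not check that the user can access that repository, so pair it with the resource permissions you actually intend to grant.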

## Example: Read-only-level policy for working with AWS CodeStar Notifications


In this example, you want to grant an IAM user in your account read-only access to the notification rules, targets, and event types in the AWS account. The example shows how to create a policy that allows viewing these items. This is equivalent to the permissions included in the **AWSCodeBuildReadOnlyAccess**, **AWSCodeCommitReadOnly**, and **AWSCodePipeline_ReadOnlyAccess** managed policies.


```
{
    "Version": "2012-10-17",
    "Id": "CodeNotificationforReadOnly",
    "Statement": [
        {
            "Sid": "ReadsAccess",
            "Effect": "Allow",
            "Action": [
                "codestar-notifications:DescribeNotificationRule",
                "codestar-notifications:ListNotificationRules",
                "codestar-notifications:ListTargets",
                "codestar-notifications:ListEventTypes"
            ],
            "Resource": "*"
        }
    ]
}
```
