AWS CodeArtifact permissions reference
AWS CodeArtifact resources and operations
In AWS CodeArtifact, the primary resource is a domain. In a policy, you use an Amazon Resource Name (ARN) to identify the resource the policy applies to. Repositories, package groups, and packages are also resources and have ARNs associated with them. For more information, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.
Resource type | ARN format |
---|---|
Domain | arn:aws:codeartifact:region:account-id:domain/domain-name |
Repository | arn:aws:codeartifact:region:account-id:repository/domain-name/repository-name |
Package group | arn:aws:codeartifact:region:account-id:package-group/domain-name/encoded-package-group-pattern |
Package with a namespace | arn:aws:codeartifact:region:account-id:package/domain-name/repository-name/package-format/package-namespace/package-name |
Package without a namespace | arn:aws:codeartifact:region:account-id:package/domain-name/repository-name/package-format//package-name |
All CodeArtifact resources | arn:aws:codeartifact:* |
All CodeArtifact resources owned by the specified account in the specified AWS Region | arn:aws:codeartifact:region:account-id:* |
Which resource ARN you specify depends on which action or actions you want to control access to.
You can indicate a specific domain (myDomain) in your statement using its ARN as follows.
"Resource": "arn:aws:codeartifact:us-east-2:123456789012:domain/myDomain"
You can indicate a specific repository (myRepo) in your statement using its ARN as follows. Note the repository/ prefix: a repository ARN is not the domain ARN with the repository name appended.
"Resource": "arn:aws:codeartifact:us-east-2:123456789012:repository/myDomain/myRepo"
To specify multiple resources in a single statement, separate their ARNs with commas. The following statement applies to the domain and to all packages and repositories in that domain.
"Resource": [ "arn:aws:codeartifact:us-east-2:123456789012:domain/myDomain", "arn:aws:codeartifact:us-east-2:123456789012:repository/myDomain/*", "arn:aws:codeartifact:us-east-2:123456789012:package/myDomain/*" ]
Note
Many AWS services treat a colon (:) and a forward slash (/) as the same character in ARNs. CodeArtifact does not: it uses an exact match in resource patterns and rules, so a pattern that uses the wrong separator does not match the resource. Be sure to use the correct characters when you write resource patterns and event patterns so that they match the ARN syntax of the resource.
AWS CodeArtifact API operations and permissions
You can use the following table as a reference when you are setting up access control and writing permissions policies that you can attach to an IAM identity (identity-based policies).
You can use AWS-wide condition keys in your AWS CodeArtifact policies to express conditions. For a list, see IAM JSON Policy Elements Reference in the IAM User Guide.
You specify the actions in the policy's Action field. To specify an action, use the codeartifact: prefix followed by the API operation name (for example, codeartifact:CreateDomain and codeartifact:AssociateExternalConnection). To specify multiple actions in a single statement, separate them with commas (for example, "Action": [ "codeartifact:CreateDomain", "codeartifact:AssociateExternalConnection" ]).
Using wildcard characters
You specify an ARN, with or without a wildcard character (*), as the resource value in the policy's Resource field. You can also use a wildcard to specify multiple actions. For example, codeartifact:* specifies all CodeArtifact actions, and codeartifact:Describe* specifies all CodeArtifact actions that begin with the word Describe.
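The following added example (not code from the AWS page) turns the ARN and wildcard rules above into something you can run: helpers that build domain and repository ARNs, a matcher in which * is the only wildcard and : and / are matched literally, and a check of which (action, resource) requests a small read-only policy allows. The policy, the evaluator's simplifications (Allow statements only, no Condition element, no explicit Deny, no other policy types) and the sample region, account, domain and repository names are constructed for the example.

```python
"""Added example: build CodeArtifact ARNs and evaluate Action / Resource
matching for an identity-based policy, using the rules the page describes:
'*' is the only wildcard, ':' and '/' are matched literally, action names
are case-insensitive, ARNs are case-sensitive.
Simplified model: Allow statements only, no Condition, no explicit Deny."""
import json
import re

# Constructed sample values (the account ID is the placeholder AWS uses in docs).
REGION, ACCOUNT, DOMAIN = "us-east-2", "123456789012", "myDomain"


def domain_arn(domain: str, region: str = REGION, account: str = ACCOUNT) -> str:
    return f"arn:aws:codeartifact:{region}:{account}:domain/{domain}"


def repository_arn(domain: str, repo: str, region: str = REGION, account: str = ACCOUNT) -> str:
    # The 'repository/' prefix matters: 'domain/<domain>/<repo>' is not a repository ARN.
    return f"arn:aws:codeartifact:{region}:{account}:repository/{domain}/{repo}"


def wildcard_match(pattern: str, value: str, case_sensitive: bool = True) -> bool:
    """'*' matches any run of characters; every other character, including
    ':' and '/', must match exactly (the page's exact-match caveat)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """True if any Allow statement matches both the action and the resource."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(wildcard_match(p, action, case_sensitive=False)
                        for p in _as_list(stmt["Action"]))
        resource_ok = any(wildcard_match(p, resource) for p in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False


# Constructed read-only consumer policy for one domain: obtain a token and
# describe the domain, then read and describe any repository in the domain.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["codeartifact:GetAuthorizationToken", "codeartifact:DescribeDomain"],
            "Resource": domain_arn(DOMAIN),
        },
        {
            "Effect": "Allow",
            "Action": ["codeartifact:ReadFromRepository", "codeartifact:Describe*"],
            "Resource": repository_arn(DOMAIN, "*"),
        },
    ],
}

if __name__ == "__main__":
    print(json.dumps(READ_ONLY_POLICY, indent=2))
    repo = repository_arn(DOMAIN, "myRepo")
    print(is_allowed(READ_ONLY_POLICY, "codeartifact:ReadFromRepository", repo))
    print(is_allowed(READ_ONLY_POLICY, "codeartifact:DeleteRepository", repo))
    # Wrong separator: the domain ARN with '/myRepo' appended is not the repository ARN.
    print(is_allowed(READ_ONLY_POLICY, "codeartifact:ReadFromRepository", domain_arn(DOMAIN) + "/myRepo"))
```

The matcher is deliberately strict about separators: a Resource written as repository:myDomain/* (colon instead of slash) matches no repository ARN, which is the mistake the note above warns about, and a lowercase mydomain does not match myDomain because ARNs are case-sensitive.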
AWS CodeArtifact API operations | Required permissions (API actions) | Resources |
---|---|---|
AssociateExternalConnection | codeartifact:AssociateExternalConnection, required to add an external connection to a repository. | |
CopyPackageVersions | To copy package versions from a source repository to a destination repository: codeartifact:CopyPackageVersions, required on the destination repository; codeartifact:ReadFromRepository, required on the source repository. | |
CreateDomain | codeartifact:CreateDomain, required to create domains. Required on the supplied KMS key when specifying a non-default | |
CreatePackageGroup | codeartifact:CreatePackageGroup, required to create package groups. | |
CreateRepository | codeartifact:CreateRepository, required to create repositories. codeartifact:AssociateWithDownstreamRepository, required on a repository so it can be added as an upstream repository to downstream repositories. | |
DeleteDomain | codeartifact:DeleteDomain, required to delete domains. | |
DeleteDomainPermissionsPolicy | codeartifact:DeleteDomainPermissionsPolicy, required to delete a domain's resource policy. | |
DeletePackage | codeartifact:DeletePackage, required to delete a package. | |
DeletePackageGroup | codeartifact:DeletePackageGroup, required to delete a package group. | |
DeletePackageVersions | codeartifact:DeletePackageVersions, required to delete versions of a package. | |
DeleteRepository | codeartifact:DeleteRepository, required to delete a repository. | |
DeleteRepositoryPermissionsPolicy | codeartifact:DeleteRepositoryPermissionsPolicy, required to delete a repository's resource policy. | |
DescribeDomain | codeartifact:DescribeDomain, required to get information about a domain. | |
DescribePackage | codeartifact:DescribePackage, required to get information about a package. | |
DescribePackageGroup | codeartifact:DescribePackageGroup, required to get information about a package group. | |
DescribePackageVersion | codeartifact:DescribePackageVersion, required to get information about a package version. | |
DescribeRepository | codeartifact:DescribeRepository, required to get information about a repository. | |
DisassociateExternalConnection | codeartifact:DisassociateExternalConnection, required to remove an external connection from a repository. | |
DisposePackageVersions | codeartifact:DisposePackageVersions, required to dispose of versions of a package. | |
GetAssociatedPackageGroup | codeartifact:GetAssociatedPackageGroup, required to get the package group associated with a package. | |
GetAuthorizationToken | codeartifact:GetAuthorizationToken, required to get a temporary authorization token for accessing repositories. | |
GetDomainPermissionsPolicy | codeartifact:GetDomainPermissionsPolicy, required to get a domain resource policy. | |
GetPackageVersionAsset | codeartifact:GetPackageVersionAsset, required to get assets in a package version. | arn:aws:codeartifact: |
GetPackageVersionReadme | codeartifact:GetPackageVersionReadme, required to get the readme of a package version. | |
GetRepositoryEndpoint | codeartifact:GetRepositoryEndpoint, required to get a repository endpoint. | |
GetRepositoryPermissionsPolicy | codeartifact:GetRepositoryPermissionsPolicy, required to get a repository resource policy. | |
ListAssociatedPackages | codeartifact:ListAssociatedPackages, required to return a list of packages associated with a package group. | |
ListDomains | codeartifact:ListDomains, required to return a paginated list of domains in an AWS account. | |
ListPackageGroups | codeartifact:ListPackageGroups, required to return a paginated list of package groups in a domain. | |
ListPackages | codeartifact:ListPackages, required to return a paginated list of packages in a repository. | |
ListPackageVersionAssets | codeartifact:ListPackageVersionAssets, required to return a paginated list of assets in a package version. | |
ListPackageVersionDependencies | codeartifact:ListPackageVersionDependencies, required to return a paginated list of a package version's dependencies. | |
ListPackageVersions | codeartifact:ListPackageVersions, required to return a paginated list of package versions in a repository. | |
ListRepositories | codeartifact:ListRepositories, required to return a paginated list of repositories in an AWS account. | |
ListRepositoriesInDomain | codeartifact:ListRepositoriesInDomain, required to return a paginated list of repositories in a domain. | |
ListSubPackageGroups | codeartifact:ListSubPackageGroups, required to return a list of the direct child package groups of a package group. | |
ListTagsForResource | codeartifact:ListTagsForResource, required to list tags for a specified resource. | |
PublishPackageVersion | codeartifact:PublishPackageVersion, required to publish a package version to a repository. | |
PutDomainPermissionsPolicy | codeartifact:PutDomainPermissionsPolicy, required to add a resource policy to a domain. | |
PutPackageMetadata | codeartifact:PutPackageMetadata, required to publish Maven package versions to a repository, or to add or remove npm tags from npm package versions. | |
PutPackageOriginConfiguration | codeartifact:PutPackageOriginConfiguration, required to update a package's origin configuration. | |
PutRepositoryPermissionsPolicy | codeartifact:PutRepositoryPermissionsPolicy, required to add a resource policy to a repository. | |
ReadFromRepository | codeartifact:ReadFromRepository, required to read from a repository using a package manager client. | |
TagResource | codeartifact:TagResource, required to tag a resource. | |
UntagResource | codeartifact:UntagResource, required to remove a tag from a resource. | |
UpdatePackageGroup | codeartifact:UpdatePackageGroup, required to update a package group. | |
UpdatePackageGroupOriginConfiguration | codeartifact:UpdatePackageGroupOriginConfiguration, required to update a package group's origin configuration. | |
UpdatePackageVersionsStatus | codeartifact:UpdatePackageVersionsStatus, required to change the status of a package version. | |
UpdateRepository | codeartifact:UpdateRepository, required to update a repository's description or upstream connections (see Modify a repository upstream configuration or UpdateRepository in the CodeArtifact API Guide for more information). codeartifact:AssociateWithDownstreamRepository, required on a repository so it can be added as an upstream repository to downstream repositories. | |
Package group ARNs
Note
This section on package group ARNs and pattern encoding is informational. It is recommended to copy ARNs from the console, or to fetch them using the DescribePackageGroup API, instead of encoding patterns and constructing ARNs by hand.
IAM policies use the wildcard character, *, to match multiple IAM actions or multiple resources. Package group patterns also use the * character. To make it easier to write IAM policies that match a single package group, the package group ARN format uses an encoded version of the package group pattern. Specifically, the package group ARN format is as follows:
arn:aws:codeartifact:region:account-ID:package-group/my_domain/encoded_package_group_pattern
The encoded package group pattern is the package group pattern with certain special characters replaced by their percent-encoded values. The following list contains the characters and their corresponding percent-encoded values:
* : %2a
$ : %24
% : %25
For example, the ARN for the root package group of a domain (/*) would be:
arn:aws:codeartifact:us-east-1:111122223333:package-group/my_domain/%2a
Characters not included in the list are not encoded. ARNs are case-sensitive, so * must be encoded as %2a and not %2A.