

Amazon CodeCatalyst is no longer open to new customers. Existing customers can continue to use the service as normal. For more information, see [How to migrate from CodeCatalyst](migration.md).

# Allowing access to AWS resources with connected AWS accounts
<a name="ipa-connect-account"></a>

You can use resources from your AWS accounts in Amazon CodeCatalyst spaces. To do so, you must set up a connection between the AWS accounts and your space in CodeCatalyst. Creating a connection like this means that projects and workflows within your CodeCatalyst space can interact with resources in your AWS accounts. You must create one connection for each AWS account you want to use with your CodeCatalyst space.

After you create a connection, you can choose to associate AWS IAM roles with it.

**Topics**
+ [Adding an AWS account to a space](ipa-connect-account-create.md)
+ [Adding IAM roles to account connections](ipa-connect-account-addroles.md)
+ [Adding the account connection and IAM roles to your deploy environment](ipa-connect-account-addroles-env.md)
+ [Viewing account connections](ipa-connect-account-list.md)
+ [Deleting account connections (in CodeCatalyst)](ipa-connect-account-delete.md)
+ [Configuring a billing account for a space](connect-account-billing-ref.md)

You can set up CodeCatalyst to use authorized AWS accounts by adding the accounts to your space. By adding AWS accounts to your CodeCatalyst space, you can give your project workflows access to AWS account resources and your billing configuration.

Adding an AWS account creates a connection that authorizes CodeCatalyst to use this account. You can use added AWS accounts to do the following:
+ Set up billing for a CodeCatalyst space. See [Managing billing](https://docs.aws.amazon.com/codecatalyst/latest/adminguide/managing-billing.html) in the Amazon CodeCatalyst Administrator Guide. The AWS account that is specified as the billing account for your CodeCatalyst space has different quotas from other account connections for a space. For more information, see [Quotas for CodeCatalyst](quotas.md).
+ Allow CodeCatalyst to assume IAM roles to access AWS resources and deploy to AWS services in the account. See [Configuring IAM roles for connected accounts](spaces-manage-roles.md).

Account connections are created by completing authorization with the AWS account. After the connection is created, you further configure the connection for workflows and projects to use by adding IAM roles.

For the steps to configure account connections in the AWS Management Console page for CodeCatalyst as the administrator for the AWS account and the space, see [Managing connected accounts](https://docs.aws.amazon.com/codecatalyst/latest/adminguide/managing-billing.html) in the *CodeCatalyst Administrator Guide*. Account connections can be configured for restriction to specific projects. You can only associate workflows or VPC connections with an AWS account that has access to your project. For more information, see [Configuring project-restricted account connections](https://docs.aws.amazon.com/codecatalyst/latest/adminguide/managing-accounts.html#managing-accounts-restriction).

# Adding an AWS account to a space
<a name="ipa-connect-account-create"></a>

You use the CodeCatalyst console and the AWS Management Console to connect your space to an AWS account.

Before adding an AWS account to a space in CodeCatalyst, complete the following prerequisites:
+ Create an AWS account and acquire permissions to create AWS IAM roles in the account you want to connect.
+ Create the IAM role or roles you want to associate with your account connection, including the IAM policies with permissions for the roles.
+ Acquire the **Space administrator** role in the CodeCatalyst space where you want to create the connection.

**Topics**
+ [Step 1: Creating a connection request](#ipa-connect-account-create-request)
+ [Step 2: Accepting an account connection request](#ipa-connect-account-create-accept)
+ [Step 3: Review an approved connection](#ipa-connect-account-create-review)
+ [Step 4: Add IAM roles to your connection](#ipa-connect-account-linkedroles)
+ [Next steps: Create additional IAM roles for your account connection](#ipa-connect-account-next)

## Step 1: Creating a connection request
<a name="ipa-connect-account-create-request"></a>

Creating a connection request in the CodeCatalyst console generates a connection token that you can use to complete authorization.

You must have the **Space administrator** or **Power user** role in the CodeCatalyst space where you want to create the connection. You must also have administrative permissions for the AWS account you want to add.

**To create a connection**

1. In the AWS Management Console, make sure you are logged in with the same account that you want to create a connection with.

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your CodeCatalyst space. Choose **Settings**, and then choose **AWS accounts**.

1. Choose **Add an AWS account**.

1. On the **Associate AWS account with Amazon CodeCatalyst** page, in **AWS account ID**, enter the twelve-digit ID for the account you want to connect to your space. For information about finding your AWS account ID, see [Your AWS account ID and its alias](https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html).

1. In **Amazon CodeCatalyst display name**, enter a reference name for the account.

1. (Optional) In **Connection description**, enter a description for the account that will help you choose the projects where the account and role or roles will apply.

1. Choose **Associate AWS account**.

1. The page returns to the **AWS account details** page where a success banner displays.

## Step 2: Accepting an account connection request
<a name="ipa-connect-account-create-accept"></a>

After you submit a request in the CodeCatalyst console to connect to your AWS account, you work with your AWS administrator to accept the connection request by submitting it with the provided connection token.

Make sure you have administrator permissions for your account, and you're signed in to the AWS Management Console with the same AWS account for which you're creating the connection.

**To approve a connection request (console)**

1. In the AWS Management Console, make sure you are logged in with the same account that you want to create a connection with.

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your CodeCatalyst space. Choose **Settings**, and then choose **AWS accounts**.

1. On the **AWS account details** page, choose **Complete setup in the AWS Management Console**.

1. The **Verify Amazon CodeCatalyst space** page opens in the AWS Management Console. This is the **Amazon CodeCatalyst Spaces** page. You might need to log in to access the page.

   To directly access the page, sign in to the **Amazon CodeCatalyst Spaces** page in the AWS Management Console at https://console.aws.amazon.com/codecatalyst/home/.

   The verification token is automatically entered in **Verification token**. A success message confirms that the token is valid.

1. (Optional) Under **Authorized paid tiers**, choose **Authorize paid tiers (Standard, Enterprise)** to turn on the paid tiers for your billing account.
**Note**  
This does not upgrade the billing tier to a paid tier. However, this configures the AWS account so that you can change the billing tier for your space at any time in CodeCatalyst. You can turn on the paid tiers at any time. Without making this change, the space is only able to use the Free tier.

1. Choose **Verify space**.

   An **Account verified** success message displays to show that the account has been added to the space.

## Step 3: Review an approved connection
<a name="ipa-connect-account-create-review"></a>

After getting a connection approved, you can view the connection in the console, along with the IAM roles you added to it. 

**To review an approved connection**

1. Navigate to your CodeCatalyst space. Choose **Settings**, and then choose **AWS accounts**.

1. The account connection is listed with the date it was created.

1. Choose the account display name. The **AWS account details** page displays.

## Step 4: Add IAM roles to your connection
<a name="ipa-connect-account-linkedroles"></a>

If you're using an IAM role configured for a CodeCatalyst deploy action, add the role to your deployment environment. For more information, see [Adding IAM roles to account connections](ipa-connect-account-addroles.md). 

## Next steps: Create additional IAM roles for your account connection
<a name="ipa-connect-account-next"></a>

After you create a connection, you can create additional IAM roles to add to it. The IAM roles that you add are dependent on your workflows. For example, a CodeCatalyst build action requires the CodeCatalyst build role.

To connect your account, you will need the Amazon Resource Name (ARN) for the roles you created. Copy the ARN for your role or roles as detailed here. For more information about working with ARNs for IAM roles, see [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html).

**To access your IAM role ARN**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Roles**.

1. In the search box, enter the name of the role you want to add.

1. Choose the role from the list.

   The role's **Summary** page appears.

1. At the top, copy the **Role ARN** value.

# Adding IAM roles to account connections
<a name="ipa-connect-account-addroles"></a>

Part of creating your account connection includes adding the IAM role or roles you want to use with projects in your CodeCatalyst space.

**Note**  
To use IAM roles with an account connection, make sure that the trust policy is updated to use the CodeCatalyst service principal.

**Add IAM roles to an account connection (console)**

1. In the AWS Management Console, make sure you are logged in with the same account that you want to manage.

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your CodeCatalyst space. Choose **Settings**, and then choose **AWS accounts**.

1. Choose the **Amazon CodeCatalyst display name** of your account connection, and then choose **Manage roles from AWS Management Console**.

   The **Add IAM role to Amazon CodeCatalyst space** page displays.

1. Do one of the following:
   + To create a service role that contains the permissions policy and trust policy for the developer role, choose **Create CodeCatalyst development administrator role in IAM**. The role will have a name `CodeCatalystWorkflowDevelopmentRole-spaceName` with a unique identifier appended. For more information about the role and role policy, see [Understanding the **CodeCatalystWorkflowDevelopmentRole-*spaceName*** service role](ipa-iam-roles.md#ipa-iam-roles-service-role).

     Choose **Create development role**.
   + To add a role that you have already created in IAM, choose **Add an existing IAM role**. In **Select existing IAM role**, choose the role from the drop-down list.

     Choose **Add role**.

   The page opens in the AWS Management Console. You might need to log in to access the page.

1. In the **Amazon CodeCatalyst spaces** page navigation pane, choose **Spaces**. 

   To directly access the page, sign in to the **Amazon CodeCatalyst Spaces** page in the AWS Management Console at https://console.aws.amazon.com/codecatalyst/home/.

1. Choose the account added for your CodeCatalyst space. The connection page is shown.

1. On the connection page, under **IAM roles available to CodeCatalyst**, view the list of IAM roles added to your account. Choose **Associate IAM role to CodeCatalyst**.

1. On the **Associate an IAM role** pop-up, in **Role ARN**, enter the Amazon Resource Name (ARN) of the IAM role you want to associate with your CodeCatalyst space.

   Under **Purpose**, choose a role purpose that describes how you want to use the role in your account connection. Specify `RUNNER` for roles that you use to run actions in workflows. Specify `SERVICE` for roles that you use to access another service.

   You can specify more than one purpose. 
**Note**  
Choosing a purpose for the role ARN is required.

1. Choose **Associate an IAM role**. Repeat these steps for additional IAM roles.
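The note above requires the role's trust policy to name the CodeCatalyst service principal, and the procedure ends by entering a **Role ARN**. The following added example (not AWS's own code) audits both before a role is associated. It assumes the service principals `codecatalyst.amazonaws.com` and `codecatalyst-runner.amazonaws.com` and the `aws:SourceArn` space ARN format from AWS's published CodeCatalyst trust policy, which this page does not show; the account ID, role name and space ID are constructed placeholders.

```python
import json
import re

# CodeCatalyst service principals named in AWS's trust-policy documentation (assumption: not on this page).
CODECATALYST_PRINCIPALS = {"codecatalyst.amazonaws.com", "codecatalyst-runner.amazonaws.com"}
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")
SPACE_ARN_PREFIX = "arn:aws:codecatalyst:::space/"  # assumed SourceArn format

def as_list(value):
    """IAM JSON allows a scalar or a list in most positions; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def source_arns(statement):
    """Collect aws:SourceArn values from positive condition operators (key is case-insensitive)."""
    found = []
    for operator, keys in statement.get("Condition", {}).items():
        if "Not" in operator:
            continue
        for key, value in keys.items():
            if key.lower() == "aws:sourcearn":
                found += as_list(value)
    return found

def audit_role(role_arn, connected_account_id, trust_policy_json):
    """Return findings for one role; an empty list means every check passed."""
    findings = []
    match = ROLE_ARN_RE.match(role_arn)
    if not match:
        findings.append("malformed role ARN")
    elif match.group(1) != connected_account_id:
        findings.append("role is not in the connected account")
    trusting = []
    for stmt in as_list(json.loads(trust_policy_json).get("Statement")):
        principal = stmt.get("Principal")
        services = as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow" and "sts:AssumeRole" in as_list(stmt.get("Action"))
                and CODECATALYST_PRINCIPALS & set(services)):
            trusting.append(stmt)
    if not trusting:
        findings.append("no statement lets a CodeCatalyst principal assume the role")
    for stmt in trusting:
        arns = source_arns(stmt)
        if not arns:
            findings.append("CodeCatalyst trust is not scoped by aws:SourceArn")
        elif any(not a.startswith(SPACE_ARN_PREFIX) or "*" in a.split("/")[1] for a in arns):
            findings.append("aws:SourceArn does not pin a specific space")
    return findings

# Constructed sample input: the space ID is a placeholder.
SCOPED_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": ["codecatalyst-runner.amazonaws.com", "codecatalyst.amazonaws.com"]},
    "Condition": {"ArnLike": {"aws:SourceArn": SPACE_ARN_PREFIX + "EXAMPLE-SPACE-ID/project/*"}}}]})
```

Feed `audit_role` the trust policy document returned by IAM for the role; a role that trusts CodeCatalyst without an `aws:SourceArn` condition can be assumed on behalf of any space, not only yours.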

# Adding the account connection and IAM roles to your deploy environment
<a name="ipa-connect-account-addroles-env"></a>

To access AWS resources, such as Amazon ECS or AWS Lambda resources for deployments, CodeCatalyst build and deploy actions require IAM roles with permissions to access those resources. With the **Space administrator** or **Power user** role, you can connect your CodeCatalyst account to the AWS account where your resources are created. You then add the IAM role to your account connection. For deploy actions, you must then add the IAM role to a CodeCatalyst environment.

You must add the IAM roles that you want to use with deployment environments in your projects. Adding the roles to the account connection does not add the roles and the connection to the project deploy environments. To add your account connection and IAM roles to your deploy environment, make sure that the account connection and roles are created as detailed in [Step 4: Add IAM roles to your connection](ipa-connect-account-create.md#ipa-connect-account-linkedroles). 

Then, use the **Environments** page in the CodeCatalyst console to add your account connection and IAM role to a deploy environment in a project.

**Note**  
You only add an IAM role to an environment if the IAM role is used for a CodeCatalyst action that requires an IAM role. All workflow actions that require IAM roles, including build actions, must use a CodeCatalyst environment.

**To add your account connection and IAM roles to your deploy environment**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to the project with the deployment environment where you want to add the account connection and IAM roles.

1. Expand **CI/CD**, and then choose **Environments**.

1. Choose your environment, and then the additional tabs display.

1. Choose the **AWS account connections** tab. Under **Connection name**, the accounts that have been added to the environment, if any, are listed.

1. Choose **Associate AWS account**. The **Associate AWS account with <environment_name>** page displays.

1. Under **Connection**, choose the name of the account connection with the IAM roles that you want to add. Choose **Associate**.

# Viewing account connections
<a name="ipa-connect-account-list"></a>

You can view a list of your connections and view details about each connection.

You must have the **Space administrator** or **Power user** role to manage connections for your space.

**To view all connections for a CodeCatalyst space**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to the space with the account connection that you want to view.

1. Choose the **AWS accounts** tab.

1. Under **AWS accounts**, view the list of account connections for the space, including the account ID and status for each connection.

**To view account connection details**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your CodeCatalyst space. Choose **Settings**, and then choose **AWS accounts**.

1. In **Amazon CodeCatalyst display name**, choose the connection name. On the **Details** page, view the list of IAM roles associated with the connection along with other details.

# Deleting account connections (in CodeCatalyst)
<a name="ipa-connect-account-delete"></a>

You can delete an account connection that you no longer need. For this procedure, you will use CodeCatalyst to delete an account connection that you have previously added to your space. This deletes the account connection from your space, provided that the account is not the billing account for the space.

**Important**  
After an account connection is deleted, you cannot reconnect it. You must create a new account connection and then associate IAM roles and environments, or set up billing, as needed.

A billing account must be designated for your CodeCatalyst space, even if usage for the space will not exceed the Free tier. Before you can remove a space for an account that is a designated billing account, you will need to add another account for your space. See [Managing billing](https://docs.aws.amazon.com/codecatalyst/latest/adminguide/managing-billing.html) in the Amazon CodeCatalyst Administrator Guide.

**Important**  
While you can use these steps to remove an account, this is not recommended. The account might also be set up to support workflows in CodeCatalyst.

To manage account connections for your space, you must have the **Space administrator** or **Power user** role.

An account that has been removed can be added again later, but you must create a new connection between the account and the space. You will need to re-associate any IAM roles to the added account.

**To delete an account connection**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your CodeCatalyst space. Choose **Settings**, and then choose **AWS accounts**.

1. Under **Amazon CodeCatalyst display name**, choose the selector next to the account connection that you want to remove.

1. Choose **Remove AWS account**. Confirm the deletion by entering the name in the field, and then choose **Remove**.

   A success banner displays, and the account connection is removed from the list of connections.

# Configuring a billing account for a space
<a name="connect-account-billing-ref"></a>

A billing account must be designated for your CodeCatalyst space, even if usage for the space will not exceed the Free tier.

To configure a billing account, see [Billing](https://docs.aws.amazon.com/codecatalyst/latest/adminguide/managing-billing.html) in the *CodeCatalyst Administrator Guide*. The AWS account that is specified as the billing account for your CodeCatalyst space has different quotas from other account connections for a space. For more information, see [Quotas for CodeCatalyst](quotas.md).



To remove an account that is a designated billing account for your CodeCatalyst space, make sure to first specify a new billing account.