Identity and Access Management and Amazon CodeCatalyst
In Amazon CodeCatalyst, you create and use an AWS Builder ID in order to sign in and access your spaces and projects. An AWS Builder ID is not an identity in AWS Identity and Access Management (IAM) and does not exist in an AWS account. However, CodeCatalyst does integrate with IAM when verifying a space for billing purposes, and when connected to an AWS account to create and use resources in that AWS account.
AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be authenticated (signed in) and authorized (have permissions) to use resources. IAM is an AWS service that you can use with no additional charge.
When you create a space in Amazon CodeCatalyst, you must connect an AWS account as the billing account for your space. You must have administrator permissions in the AWS account to verify the CodeCatalyst space, or have the permission. You also have the option to add an IAM role for your space that CodeCatalyst can use to create and access resources in that connected AWS account. This is called a service role. You can choose to create connections to more than one AWS account and create service roles for CodeCatalyst in each of those accounts.
Note
Billing for CodeCatalyst takes place in the AWS account designated as the billing account. However, if you create a CodeCatalyst service role in that AWS account or in any other connected AWS account, resources created and used by the CodeCatalyst service role will be billed in that connected AWS account. For more information, see Managing billing in the Amazon CodeCatalyst Administrator Guide.
Topics
- Identity-based policies in IAM
- Policy actions in IAM
- Policy resources in IAM
- Policy condition keys in IAM
- Identity-based policy examples for CodeCatalyst connections
- Using tags to control access to account connection resources
- CodeCatalyst permissions reference
- Using service-linked roles for CodeCatalyst
- AWS managed policies for Amazon CodeCatalyst
- Grant access to project AWS resources with IAM roles
Identity-based policies in IAM
Identity-based policies are JSON permissions policy documents that you can attach to an identity. That identity could be a user, a group of users, or a role. These policies control what actions users and roles can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see Creating IAM policies in the IAM User Guide.
With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. You can't specify the principal in an identity-based policy because it applies to the user or role to which it is attached. To learn about all of the elements that you can use in a JSON policy, see IAM JSON policy elements reference in the IAM User Guide.
Identity-based policy examples for CodeCatalyst
To view examples of CodeCatalyst identity-based policies, see Identity-based policy examples for CodeCatalyst connections.
Policy actions in IAM
Administrators can use AWS JSON policies to specify who has access to what. That is, which principal can perform which actions on what resources, and under what conditions.
The Action element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Policy actions usually have the same name as the associated AWS API operation. There are some exceptions, such as permission-only actions that don't have a matching API operation. There are also some operations that require multiple actions in a policy. These additional actions are called dependent actions.
To specify multiple actions in a single statement, separate them with commas.
"Action": [ "prefix:action1", "prefix:action2" ]
Policy resources in IAM
Administrators can use AWS JSON policies to specify who has access to what. That is, which principal can perform which actions on what resources, and under what conditions.
The Resource JSON policy element specifies the object or objects to which the action applies. Statements must include either a Resource or a NotResource element. As a best practice, specify a resource using its Amazon Resource Name (ARN). You can do this for actions that support a specific resource type, known as resource-level permissions.
For actions that don't support resource-level permissions, such as listing operations, use a wildcard (*) to indicate that the statement applies to all resources.
"Resource": "*"
Policy condition keys in IAM
Administrators can use AWS JSON policies to specify who has access to what. That is, which principal can perform which actions on what resources, and under what conditions.
The Condition element (or Condition block) lets you specify conditions in which a statement is in effect. The Condition element is optional. You can create conditional expressions that use condition operators, such as equals or less than, to match the condition in the policy with values in the request.
If you specify multiple Condition elements in a statement, or multiple keys in a single Condition element, AWS evaluates them using a logical AND operation. If you specify multiple values for a single condition key, AWS evaluates the condition using a logical OR operation. All of the conditions must be met before the statement's permissions are granted.
You can also use placeholder variables when you specify conditions. For more information, see IAM policy elements: variables and tags in the IAM User Guide.
AWS supports global condition keys and service-specific condition keys. To see all AWS global condition keys, see AWS global condition context keys in the IAM User Guide.
Identity-based policy examples for CodeCatalyst connections
In CodeCatalyst, AWS accounts are required to manage billing for a space and to access resources in project workflows. An account connection is used to authorize adding AWS accounts to a space. Identity-based policies are used in the connected AWS accounts.
By default, users and roles don't have permission to create or modify CodeCatalyst resources. They also can't perform tasks by using the AWS Management Console, AWS Command Line Interface (AWS CLI), or AWS API. An IAM administrator must create IAM policies that grant users and roles permission to perform actions on the resources that they need. The administrator must then attach those policies to the users that require them.
The following example IAM policies grant permissions for actions related to account connections. Use them to limit access for connecting accounts to CodeCatalyst.
Example 1: Allow a user to accept connection requests in a single AWS Region
The following permissions policy only allows users to view and accept requests for connections between CodeCatalyst and AWS accounts. In addition, the policy uses a condition to only allow the actions in the us-west-2 Region and not from other AWS Regions. To view and approve the request, the user signs in to the AWS Management Console with the same account as that specified in the request.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codecatalyst:AcceptConnection",
        "codecatalyst:GetPendingConnection"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "us-west-2"
        }
      }
    }
  ]
}
Example 2: Allow managing connections in the console for a single AWS Region
The following permissions policy allows users to manage connections between CodeCatalyst and AWS accounts in a single Region. The policy uses a condition to only allow the actions in the us-west-2 Region and not from other AWS Regions. After you create a connection, you can create the CodeCatalystWorkflowDevelopmentRole-spaceName role by choosing the option in the AWS Management Console.
In the example policy, the condition for the iam:PassRole action includes the service principals for CodeCatalyst. Only roles with that access will be created in the AWS Management Console.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codecatalyst:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "us-west-2"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:CreatePolicy",
        "iam:AttachRolePolicy",
        "iam:ListRoles"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "codecatalyst.amazonaws.com",
            "codecatalyst-runner.amazonaws.com"
          ]
        }
      }
    }
  ]
}
Example 3: Deny managing connections
The following permissions policy denies users any ability to manage connections between CodeCatalyst and AWS accounts.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "codecatalyst:*"
      ],
      "Resource": "*"
    }
  ]
}
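As an added illustration (not code from the CodeCatalyst documentation or from AWS), the following Python script models the condition semantics described in the "Policy condition keys in IAM" section (multiple keys are ANDed, multiple values for one key are ORed) together with the explicit-deny rule, and evaluates Example 2 and Example 3 above against sample requests. It models only the StringEquals operator and the * wildcard; the real IAM evaluation engine is considerably more involved.

```python
import fnmatch

# Example 2 from this page, constructed here as a Python dict (not fetched from AWS).
EXAMPLE_2 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["codecatalyst:*"], "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": "us-west-2"}}},
    {"Effect": "Allow", "Action": ["iam:CreateRole", "iam:CreatePolicy",
                                   "iam:AttachRolePolicy", "iam:ListRoles"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*",
     "Condition": {"StringEquals": {"iam:PassedToService": [
         "codecatalyst.amazonaws.com", "codecatalyst-runner.amazonaws.com"]}}}]}

# Example 3 from this page: an explicit Deny on every codecatalyst action.
EXAMPLE_3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["codecatalyst:*"], "Resource": "*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def condition_matches(condition, context):
    """Only StringEquals is modelled. Keys are ANDed; the values listed for a
    single key are ORed. A key missing from the request context does not match."""
    for operator, keys in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled here")
        for key, allowed in keys.items():
            if context.get(key) not in _as_list(allowed):
                return False
    return True

def statement_applies(stmt, action, resource, context):
    """A statement applies when Action, Resource and Condition all match."""
    action_ok = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
    resource_ok = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
    return action_ok and resource_ok and condition_matches(stmt.get("Condition", {}), context)

def evaluate(policies, action, resource="*", context=None):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one request across all policies."""
    context = context or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if statement_applies(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # an explicit Deny overrides any Allow
                decision = "Allow"
    return decision
```

Feeding the same request through Example 2 alone and through Example 2 plus Example 3 shows the region condition filtering requests from other Regions and the Deny statement overriding the earlier Allow.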
CodeCatalyst permissions reference
This section provides a permissions reference for actions used with the account connection resource for AWS accounts that are connected to CodeCatalyst. The following section describes permissions-only actions that are related to connecting accounts.
Required permissions for account connections
The following permissions are required for working with account connections.
CodeCatalyst permissions for account connections | Required permissions | Resources |
---|---|---|
AcceptConnection | Required to accept a request to connect this account to a CodeCatalyst space. This is an IAM policy permission only, not an API action. | Supports only a wildcard (*) in the policy |
AssociateIamRoleToConnection | Required to associate an IAM role to an account connection. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region: |
DeleteConnection | Required to delete an account connection. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region: |
DisassociateIamRoleFromConnection | Required to disassociate an IAM role from an account connection. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region: |
GetBillingAuthorization | Required to describe the billing authorization for an account connection. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region: |
GetConnection | Required to get an account connection. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region: |
GetPendingConnection | Required to get a pending request to connect this account to a CodeCatalyst space. This is an IAM policy permission only, not an API action. | Supports only a wildcard (*) in the policy |
ListConnections | Required to list account connections that are not pending. This is an IAM policy permission only, not an API action. | Supports only a wildcard (*) in the policy |
ListIamRolesForConnection | Required to list IAM roles associated with an account connection. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region: |
ListTagsForResource | Required to list tags associated with an account connection. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region: |
PutBillingAuthorization | Required to create or update the billing authorization for an account connection. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region: |
RejectConnection | Required to reject a request to connect this account to a CodeCatalyst space. This is an IAM policy permission only, not an API action. | Supports only a wildcard (*) in the policy |
TagResource | Required to create or edit tags associated with an account connection. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region: |
UntagResource | Required to remove tags associated with an account connection. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region: |
Required permissions for IAM Identity Center applications
The following permissions are required for working with IAM Identity Center applications.
CodeCatalyst permissions for IAM Identity Center applications | Required permissions | Resources |
---|---|---|
AssociateIdentityCenterApplicationToSpace | Required to associate an IAM Identity Center application with a CodeCatalyst space. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region: |
AssociateIdentityToIdentityCenterApplication | Required to associate an identity with an IAM Identity Center application for a CodeCatalyst space. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region: |
BatchAssociateIdentitiesToIdentityCenterApplication | Required to associate multiple identities with an IAM Identity Center application for a CodeCatalyst space. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region: |
BatchDisassociateIdentitiesFromIdentityCenterApplication | Required to disassociate multiple identities from an IAM Identity Center application for a CodeCatalyst space. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region: |
CreateIdentityCenterApplication | Required to create an IAM Identity Center application. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region: |
CreateSpaceAdminRoleAssignment | Required to create an administrator role assignment for a given CodeCatalyst space and IAM Identity Center application. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region: |
DeleteIdentityCenterApplication | Required to delete an IAM Identity Center application. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region: |
DisassociateIdentityCenterApplicationFromSpace | Required to disassociate an IAM Identity Center application from a CodeCatalyst space. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region: |
DisassociateIdentityFromIdentityCenterApplication | Required to disassociate an identity from an IAM Identity Center application for a CodeCatalyst space. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region: |
GetIdentityCenterApplication | Required to get information about an IAM Identity Center application. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region: |
ListIdentityCenterApplications | Required to view a list of all IAM Identity Center applications in the account. This is an IAM policy permission only, not an API action. | Supports only a wildcard (*) in the policy |
ListIdentityCenterApplicationsForSpace | Required to view a list of IAM Identity Center applications by CodeCatalyst space. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region: |
ListSpacesForIdentityCenterApplication | Required to view a list of CodeCatalyst spaces by IAM Identity Center application. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region: |
SynchronizeIdentityCenterApplication | Required to synchronize an IAM Identity Center application with the backing identity store. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region: |
UpdateIdentityCenterApplication | Required to update an IAM Identity Center application. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region: |