Identity and Access Management and Amazon CodeCatalyst - Amazon CodeCatalyst

Identity and Access Management and Amazon CodeCatalyst

In Amazon CodeCatalyst, you create and use an AWS Builder ID in order to sign in and access your spaces and projects. An AWS Builder ID is not an identity in AWS Identity and Access Management (IAM) and does not exist in an AWS account. However, CodeCatalyst does integrate with IAM when verifying a space for billing purposes, and when connected to an AWS account to create and use resources in that AWS account.

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be authenticated (signed in) and authorized (have permissions) to use resources. IAM is an AWS service that you can use with no additional charge.

When you create a space in Amazon CodeCatalyst, you must connect an AWS account as the billing account for your space. You must have administrator permissions in the AWS account to verify the CodeCatalyst space, or have the permission. You also have the option to add an IAM role for your space that CodeCatalyst can use to create and access resources in that connected AWS account. This is called a service role. You can choose to create connections to more than one AWS account and create service roles for CodeCatalyst in each of those accounts.

Note

Billing for CodeCatalyst takes place in the AWS account designated as the billing account. However, if you create a CodeCatalyst service role in that AWS account or in any other connected AWS account, resources created and used by the CodeCatalyst service role will be billed in that connected AWS account. For more information, see Managing billing in the Amazon CodeCatalyst Administrator Guide.

Identity-based policies in IAM

Identity-based policies are JSON permissions policy documents that you can attach to an identity. That identity could be a user, a group of users, or a role. These policies control what actions users and roles can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see Creating IAM policies in the IAM User Guide.

With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. You can't specify the principal in an identity-based policy because it applies to the user or role to which it is attached. To learn about all of the elements that you can use in a JSON policy, see IAM JSON policy elements reference in the IAM User Guide.

Identity-based policy examples for CodeCatalyst

To view examples of CodeCatalyst identity-based policies, see Identity-based policy examples for CodeCatalyst connections.

Policy actions in IAM

Administrators can use AWS JSON policies to specify who has access to what. That is, which principal can perform which actions on what resources, and under what conditions.

The Action element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Policy actions usually have the same name as the associated AWS API operation. There are some exceptions, such as permission-only actions that don't have a matching API operation. There are also some operations that require multiple actions in a policy. These additional actions are called dependent actions.

To specify multiple actions in a single statement, separate them with commas.

"Action": [ "prefix:action1", "prefix:action2" ]

Policy resources in IAM

Administrators can use AWS JSON policies to specify who has access to what. That is, which principal can perform which actions on what resources, and under what conditions.

The Resource JSON policy element specifies the object or objects to which the action applies. Statements must include either a Resource or a NotResource element. As a best practice, specify a resource using its Amazon Resource Name (ARN). You can do this for actions that support a specific resource type, known as resource-level permissions.

For actions that don't support resource-level permissions, such as listing operations, use a wildcard (*) to indicate that the statement applies to all resources.

"Resource": "*"

Policy condition keys in IAM

Administrators can use AWS JSON policies to specify who has access to what. That is, which principal can perform which actions on what resources, and under what conditions.

The Condition element (or Condition block) lets you specify conditions in which a statement is in effect. The Condition element is optional. You can create conditional expressions that use condition operators, such as equals or less than, to match the condition in the policy with values in the request.

If you specify multiple Condition elements in a statement, or multiple keys in a single Condition element, AWS evaluates them using a logical AND operation. If you specify multiple values for a single condition key, AWS evaluates the condition using a logical OR operation. All of the conditions must be met before the statement's permissions are granted.

You can also use placeholder variables when you specify conditions. For more information, see IAM policy elements: variables and tags in the IAM User Guide.

AWS supports global condition keys and service-specific condition keys. To see all AWS global condition keys, see AWS global condition context keys in the IAM User Guide.

Identity-based policy examples for CodeCatalyst connections

In CodeCatalyst, AWS accounts are required to manage billing for a space and to access resources in project workflows. An account connection is used to authorize adding AWS accounts to a space. Identity-based polices are used in the connected AWS accounts.

By default, users and roles don't have permission to create or modify CodeCatalyst resources. They also can't perform tasks by using the AWS Management Console, AWS Command Line Interface (AWS CLI), or AWS API. An IAM administrator must create IAM policies that grant users and roles permission to perform actions on the resources that they need. The administrator must then attach those policies for users that require them.

The following example IAM policies grant permissions for actions related to account connections. Use them to limit access for connecting accounts to CodeCatalyst.

Example 1: Allow a user to accept connection requests in a single AWS Region

The following permissions policy only allows users to view and accept requests for connections between CodeCatalyst and AWS accounts. In addition, the policy uses a condition to only allow the actions in the us-west-2 Region and not from other AWS Regions. To view and approve the request, the user signs in to the AWS Management Console with the same account as that specified in the request.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "codecatalyst:AcceptConnection", "codecatalyst:GetPendingConnection" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestedRegion": "us-west-2" } } } ] }

Example 2: Allow managing connections in the console for a single AWS Region

The following permissions policy allows users to manage connections between CodeCatalyst and AWS accounts in a single Region. The policy uses a condition to only allow the actions in the us-west-2 Region and not from other AWS Regions. After you create a connection, you can create the CodeCatalystWorkflowDevelopmentRole-spaceName role by choosing the option in the AWS Management Console. In the example policy, the condition for the iam:PassRole action includes the service principals for CodeCatalyst. Only roles with that access will be created in the AWS Management Console.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "codecatalyst:*" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestedRegion": "us-west-2" } } }, { "Effect": "Allow", "Action": [ "iam:CreateRole", "iam:CreatePolicy", "iam:AttachRolePolicy", "iam:ListRoles" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "*", "Condition": { "StringEquals": { "iam:PassedToService": [ "codecatalyst.amazonaws.com", "codecatalyst-runner.amazonaws.com" ] } } } ] }

Example 3: Deny managing connections

The following permissions policy denies users any ability to manage connections between CodeCatalyst and AWS accounts.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "codecatalyst:*" ], "Resource": "*" } ] }

CodeCatalyst permissions reference

This section provides a permissions reference for actions used with the account connection resource for AWS accounts that are connected to CodeCatalyst. The following section describes permissions-only actions that are related to connecting accounts.

Required permissions for account connections

The following permissions are required for working with account connections.

CodeCatalyst permissions for account connections Required permissions Resources
AcceptConnection Required to accept a request to connect this account to a CodeCatalyst space. This is an IAM policy permission only, not an API action.

Supports only a wildcard (*) in the policy Resource element.

AssociateIamRoleToConnection Required to associate an IAM role to an account connection. This is an IAM policy permission only, not an API action. arn:aws:codecatalyst:region:account_ID:/connections/connection_ID
DeleteConnection Required to delete an account connection. This is an IAM policy permission only, not an API action. arn:aws:codecatalyst:region:account_ID:/connections/connection_ID
DisassociateIamRoleFromConnection Required to disassociate an IAM role from an account connection. This is an IAM policy permission only, not an API action. arn:aws:codecatalyst:region:account_ID:/connections/connection_ID
GetBillingAuthorization Required to describe the billing authorization for an account connection. This is an IAM policy permission only, not an API action. arn:aws:codecatalyst:region:account_ID:/connections/connection_ID
GetConnection Required to get an account connection. This is an IAM policy permission only, not an API action. arn:aws:codecatalyst:region:account_ID:/connections/connection_ID
GetPendingConnection Required to get a pending request to connect this account to a CodeCatalyst space. This is an IAM policy permission only, not an API action.

Supports only a wildcard (*) in the policy Resource element.

ListConnections Required to list account connections that are not pending. This is an IAM policy permission only, not an API action.

Supports only a wildcard (*) in the policy Resource element.

ListIamRolesForConnection Required to list IAM roles associated with an account connection. This is an IAM policy permission only, not an API action. arn:aws:codecatalyst:region:account_ID:/connections/connection_ID
ListTagsForResource Required to list tags associated with an account connection. This is an IAM policy permission only, not an API action. arn:aws:codecatalyst:region:account_ID:/connections/connection_ID
PutBillingAuthorization Required to create or update the billing authorization for an account connection. This is an IAM policy permission only, not an API action. arn:aws:codecatalyst:region:account_ID:/connections/connection_ID
RejectConnection Required to reject a request to connect this account to a CodeCatalyst space. This is an IAM policy permission only, not an API action.

Supports only a wildcard (*) in the policy Resource element.

TagResource Required to create or edit tags associated with an account connection. This is an IAM policy permission only, not an API action. arn:aws:codecatalyst:region:account_ID:/connections/connection_ID
UntagResource Required to remove tags associated with an account connection. This is an IAM policy permission only, not an API action. arn:aws:codecatalyst:region:account_ID:/connections/connection_ID

Required permissions for IAM Identity Center applications

The following permissions are required for working with IAM Identity Center applications.

CodeCatalyst permissions for IAM Identity Center applications Required permissions Resources
AssociateIdentityCenterApplicationToSpace Required to associate an IAM Identity Center application with a CodeCatalyst space. This is an IAM policy permission only, not an API action. arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID
AssociateIdentityToIdentityCenterApplication Required to associate an identity with an IAM Identity Center application for a CodeCatalyst space. This is an IAM policy permission only, not an API action. arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID
BatchAssociateIdentitiesToIdentityCenterApplication Required to associate multiple identities with an IAM Identity Center application for a CodeCatalyst space. This is an IAM policy permission only, not an API action. arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID
BatchDisassociateIdentitiesFromIdentityCenterApplication Required to disassociate multiple identities from an IAM Identity Center application for a CodeCatalyst space. This is an IAM policy permission only, not an API action. arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID
CreateIdentityCenterApplication Required to create an IAM Identity Center application. This is an IAM policy permission only, not an API action. arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID
CreateSpaceAdminRoleAssignment Required to create an administrator role assignment for a given CodeCatalyst space and IAM Identity Center application. This is an IAM policy permission only, not an API action. arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID
DeleteIdentityCenterApplication Required to delete an IAM Identity Center application. This is an IAM policy permission only, not an API action. arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID
DisassociateIdentityCenterApplicationFromSpace Required to disassociate an IAM Identity Center application from a CodeCatalyst space. This is an IAM policy permission only, not an API action. arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID
DisassociateIdentityFromIdentityCenterApplication Required to disassociate an identity from an IAM Identity Center application for a CodeCatalyst space. This is an IAM policy permission only, not an API action. arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID
GetIdentityCenterApplication Required to get information about an IAM Identity Center application. This is an IAM policy permission only, not an API action. arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID
ListIdentityCenterApplications Required to view a list of all IAM Identity Center applications in the account. This is an IAM policy permission only, not an API action.

Supports only a wildcard (*) in the policy Resource element.

ListIdentityCenterApplicationsForSpace Required to view a list of IAM Identity Center applications by CodeCatalyst space. This is an IAM policy permission only, not an API action. arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID
ListSpacesForIdentityCenterApplication Required to view a list of CodeCatalyst spaces by IAM Identity Center application. This is an IAM policy permission only, not an API action. arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID
SynchronizeIdentityCenterApplication Required to synchronize an IAM Identity Center application with the backing identity store. This is an IAM policy permission only, not an API action. arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID
UpdateIdentityCenterApplication Required to update an IAM Identity Center application. This is an IAM policy permission only, not an API action. arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID