

Amazon CodeCatalyst is no longer open to new customers. Existing customers can continue to use the service as normal. For more information, see [How to migrate from CodeCatalyst](migration.md).

# Identity and Access Management and Amazon CodeCatalyst
<a name="security-iam"></a>

In Amazon CodeCatalyst, you create and use an AWS Builder ID in order to sign in and access your spaces and projects. An AWS Builder ID is not an identity in AWS Identity and Access Management (IAM) and does not exist in an AWS account. However, CodeCatalyst does integrate with IAM when verifying a space for billing purposes, and when connected to an AWS account to create and use resources in that AWS account.

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be *authenticated* (signed in) and *authorized* (have permissions) to use resources. IAM is an AWS service that you can use with no additional charge.

When you create a space in Amazon CodeCatalyst, you must connect an AWS account as the billing account for your space. You must have administrator permissions in the AWS account to verify the CodeCatalyst space, or have the  permission. You also have the option to add an IAM role for your space that CodeCatalyst can use to create and access resources in that connected AWS account. This is called a [service role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-role). You can choose to create connections to more than one AWS account and create service roles for CodeCatalyst in each of those accounts. 

**Note**  
Billing for CodeCatalyst takes place in the AWS account designated as the billing account. However, if you create a CodeCatalyst service role in that AWS account or in any other connected AWS account, resources created and used by the CodeCatalyst service role will be billed in that connected AWS account. For more information, see [Managing billing](https://docs.aws.amazon.com/codecatalyst/latest/adminguide/managing-billing.html) in the Amazon CodeCatalyst Administrator Guide.

**Topics**
+ [Identity-based policies in IAM](#id-based-policies)
+ [Policy actions in IAM](#id-based-policies-actions)
+ [Policy resources in IAM](#id-based-policies-resources)
+ [Policy condition keys in IAM](#id-based-policies-conditionkeys)
+ [Identity-based policy examples for CodeCatalyst connections](#id-based-policy-examples)
+ [Using tags to control access to account connection resources](id-based-policy-examples-tags.md)
+ [CodeCatalyst permissions reference](#permissions-reference)
+ [Using service-linked roles for CodeCatalyst](using-service-linked-roles.md)
+ [AWS managed policies for Amazon CodeCatalyst](security-iam-awsmanpol.md)
+ [Grant access to project AWS resources with IAM roles](ipa-iam-roles.md)

## Identity-based policies in IAM
<a name="id-based-policies"></a>

Identity-based policies are JSON permissions policy documents that you can attach to an identity. That identity could be a user, a group of users, or a role. These policies control what actions users and roles can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Creating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.

With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. You can't specify the principal in an identity-based policy because it applies to the user or role to which it is attached. To learn about all of the elements that you can use in a JSON policy, see [IAM JSON policy elements reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide*.

### Identity-based policy examples for CodeCatalyst
<a name="id-based-policies-examples"></a>

To view examples of CodeCatalyst identity-based policies, see [Identity-based policy examples for CodeCatalyst connections](#id-based-policy-examples).

## Policy actions in IAM
<a name="id-based-policies-actions"></a>

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform which **actions** on what **resources**, and under what **conditions**.

The `Action` element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Policy actions usually have the same name as the associated AWS API operation. There are some exceptions, such as *permission-only actions* that don't have a matching API operation. There are also some operations that require multiple actions in a policy. These additional actions are called *dependent actions*.

To specify multiple actions in a single statement, separate them with commas.

```
"Action": [
  "prefix:action1",
  "prefix:action2"
]
```

## Policy resources in IAM
<a name="id-based-policies-resources"></a>

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform which **actions** on what **resources**, and under what **conditions**.

The `Resource` JSON policy element specifies the object or objects to which the action applies. Statements must include either a `Resource` or a `NotResource` element. As a best practice, specify a resource using its [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html). You can do this for actions that support a specific resource type, known as *resource-level permissions*.

For actions that don't support resource-level permissions, such as listing operations, use a wildcard (*) to indicate that the statement applies to all resources.

```
"Resource": "*"
```

## Policy condition keys in IAM
<a name="id-based-policies-conditionkeys"></a>

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform which **actions** on what **resources**, and under what **conditions**.

The `Condition` element (or `Condition` *block*) lets you specify conditions in which a statement is in effect. The `Condition` element is optional. You can create conditional expressions that use [condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html), such as equals or less than, to match the condition in the policy with values in the request. 

If you specify multiple `Condition` elements in a statement, or multiple keys in a single `Condition` element, AWS evaluates them using a logical `AND` operation. If you specify multiple values for a single condition key, AWS evaluates the condition using a logical `OR` operation. All of the conditions must be met before the statement's permissions are granted.

 You can also use placeholder variables when you specify conditions. For more information, see [IAM policy elements: variables and tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html) in the *IAM User Guide*. 

AWS supports global condition keys and service-specific condition keys. To see all AWS global condition keys, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.

## Identity-based policy examples for CodeCatalyst connections
<a name="id-based-policy-examples"></a>

In CodeCatalyst, AWS accounts are required to manage billing for a space and to access resources in project workflows. An account connection is used to authorize adding AWS accounts to a space. Identity-based policies are used in the connected AWS accounts. 

By default, users and roles don't have permission to create or modify CodeCatalyst resources. They also can't perform tasks by using the AWS Management Console, AWS Command Line Interface (AWS CLI), or AWS API. An IAM administrator must create IAM policies that grant users and roles permission to perform actions on the resources that they need. The administrator must then attach those policies to the users that require them.

The following example IAM policies grant permissions for actions related to account connections. Use them to limit access for connecting accounts to CodeCatalyst.

### Example 1: Allow a user to accept connection requests in a single AWS Region
<a name="id-based-policy-examples-accept-only"></a>

The following permissions policy only allows users to view and accept requests for connections between CodeCatalyst and AWS accounts. In addition, the policy uses a condition to only allow the actions in the us-west-2 Region and not from other AWS Regions. To view and approve the request, the user signs in to the AWS Management Console with the same account as that specified in the request. 

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codecatalyst:AcceptConnection",
        "codecatalyst:GetPendingConnection"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "us-west-2"
        }
      }
    }
  ]
}
```

------

### Example 2: Allow managing connections in the console for a single AWS Region
<a name="id-based-policy-examples-allow"></a>

The following permissions policy allows users to manage connections between CodeCatalyst and AWS accounts in a single Region. The policy uses a condition to only allow the actions in the us-west-2 Region and not from other AWS Regions. After you create a connection, you can create the **CodeCatalystWorkflowDevelopmentRole-*spaceName*** role by choosing the option in the AWS Management Console. In the example policy, the condition for the `iam:PassRole` action includes the service principals for CodeCatalyst. Only roles with that access will be created in the AWS Management Console.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "codecatalyst:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "us-west-2"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:CreatePolicy",
                "iam:AttachRolePolicy",
                "iam:ListRoles"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "codecatalyst.amazonaws.com",
                        "codecatalyst-runner.amazonaws.com"
                    ]
                }
            }
        }
    ]
}
```

------

### Example 3: Deny managing connections
<a name="id-based-policy-examples-deny"></a>

The following permissions policy denies users any ability to manage connections between CodeCatalyst and AWS accounts.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "codecatalyst:*"
            ],
            "Resource": "*"
        }
    ]
}
```

------

# Using tags to control access to account connection resources
<a name="id-based-policy-examples-tags"></a>

Tags can be attached to the resource or passed in the request to services that support tagging. Resources in policies can have tags, and some actions in policies can include tags. Tagging condition keys include the `aws:RequestTag` and `aws:ResourceTag` condition keys. When you create an IAM policy, you can use tag condition keys to control the following:
+ Which users can perform actions on a connection resource, based on tags that it already has.
+ Which tags can be passed in an action's request.
+ Whether specific tag keys can be used in a request.

The following examples demonstrate how to specify tag conditions in policies for CodeCatalyst account connections users. For more information about condition keys, see [Policy condition keys in IAM](security-iam.md#id-based-policies-conditionkeys).

## Example 1: Allow actions based on tags in the request
<a name="id-based-policy-examples-tags-request"></a>

The following policy grants users permission to approve account connections.

To do that, it allows the `AcceptConnection` and `TagResource` actions if the request specifies a tag named `Project` with the value `ProjectA`. (The `aws:RequestTag` condition key is used to control which tags can be passed in an IAM request.) The `aws:TagKeys` condition ensures tag key case sensitivity.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codecatalyst:AcceptConnection",
        "codecatalyst:TagResource"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/Project": "ProjectA"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": ["Project"]
        }
      }
    }
  ]
}
```

------

## Example 2: Allow actions based on resource tags
<a name="id-based-policy-examples-tags-resource"></a>

The following policy grants users permission to perform actions on, and get information about, account connection resources.

To do that, it allows specific actions only if the connection already has a tag named `Project` with the value `ProjectA`. (The `aws:ResourceTag` condition key is used to control access based on the tags that are already attached to the resource, as opposed to `aws:RequestTag`, which checks the tags passed in the request.)

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codecatalyst:GetConnection",
        "codecatalyst:DeleteConnection",
        "codecatalyst:AssociateIamRoleToConnection",
        "codecatalyst:DisassociateIamRoleFromConnection",
        "codecatalyst:ListIamRolesForConnection",
        "codecatalyst:PutBillingAuthorization"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Project": "ProjectA"
        }
      }
    }
  ]
}
```

------
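The evaluation rules in [Policy condition keys in IAM](#id-based-policies-conditionkeys) (logical `AND` across condition keys, logical `OR` across the values of one key) and the `ForAllValues` qualifier in the tag examples above are easy to misread. The following added example is not part of the CodeCatalyst documentation or AWS code: it is a small evaluator that models only those semantics, and it runs constructed copies of the page's policies against constructed requests supplied as plain dicts. It assumes only `StringEquals` and `ForAllValues:StringEquals` and does not model the rest of IAM evaluation (SCPs, permissions boundaries, `NotAction`).

```python
import fnmatch

# Constructed copies of the policies shown on this page, as Python dicts.
REGION_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["codecatalyst:AcceptConnection", "codecatalyst:GetPendingConnection"],
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:RequestedRegion": "us-west-2"}}}]}

TAG_REQUEST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["codecatalyst:AcceptConnection", "codecatalyst:TagResource"],
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:RequestTag/Project": "ProjectA"},
                  "ForAllValues:StringEquals": {"aws:TagKeys": ["Project"]}}}]}

RESOURCE_TAG_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["codecatalyst:GetConnection", "codecatalyst:DeleteConnection"],
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:ResourceTag/Project": "ProjectA"}}}]}

DENY_ALL_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": ["codecatalyst:*"], "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _string_equals(request_values, policy_values):
    # Single-valued key: OR across the values listed in the policy.
    return any(v in policy_values for v in request_values)


def _for_all_values_string_equals(request_values, policy_values):
    # Multivalued key: every value in the request must appear in the policy list.
    return all(v in policy_values for v in request_values)


OPERATORS = {
    "StringEquals": _string_equals,
    "ForAllValues:StringEquals": _for_all_values_string_equals,
}


def condition_matches(condition, context):
    """AND across operators and keys; OR across the values of one key."""
    for operator, keys in condition.items():
        match = OPERATORS[operator]  # unsupported operator raises KeyError on purpose
        for key, values in keys.items():
            policy_values = [str(v) for v in _as_list(values)]
            if key not in context:
                # ForAllValues matches an absent (empty) key; a plain operator does not.
                if operator.startswith("ForAllValues:"):
                    continue
                return False
            request_values = [str(v) for v in _as_list(context[key])]
            if not match(request_values, policy_values):
                return False
    return True


def _matches_any(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policy, action, context, resource="*"):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches_any(stmt.get("Action", []), action):
            continue
        if not _matches_any(stmt.get("Resource", []), resource):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision


def check_cases():
    """Constructed requests exercising each page example; returns name -> decision."""
    accept, tag, delete = ("codecatalyst:AcceptConnection", "codecatalyst:TagResource",
                           "codecatalyst:DeleteConnection")
    combined = {"Statement": REGION_POLICY["Statement"] + DENY_ALL_POLICY["Statement"]}
    return {
        "accept_us_west_2": evaluate(REGION_POLICY, accept, {"aws:RequestedRegion": "us-west-2"}),
        "accept_eu_west_1": evaluate(REGION_POLICY, accept, {"aws:RequestedRegion": "eu-west-1"}),
        "delete_not_listed": evaluate(REGION_POLICY, delete, {"aws:RequestedRegion": "us-west-2"}),
        "tag_ok": evaluate(TAG_REQUEST_POLICY, tag,
                           {"aws:RequestTag/Project": "ProjectA", "aws:TagKeys": ["Project"]}),
        "tag_extra_key": evaluate(TAG_REQUEST_POLICY, tag,
                                  {"aws:RequestTag/Project": "ProjectA",
                                   "aws:RequestTag/Env": "prod", "aws:TagKeys": ["Project", "Env"]}),
        "tag_wrong_value": evaluate(TAG_REQUEST_POLICY, tag,
                                    {"aws:RequestTag/Project": "ProjectB", "aws:TagKeys": ["Project"]}),
        "resource_tag_ok": evaluate(RESOURCE_TAG_POLICY, delete, {"aws:ResourceTag/Project": "ProjectA"}),
        "resource_untagged": evaluate(RESOURCE_TAG_POLICY, delete, {}),
        "explicit_deny_wins": evaluate(combined, accept, {"aws:RequestedRegion": "us-west-2"}),
    }


if __name__ == "__main__":
    for name, decision in check_cases().items():
        print(f"{name:20s} {decision}")
```

The `tag_extra_key` case is the one to note: the request carries the required `Project=ProjectA` tag, yet it is denied because `ForAllValues:StringEquals` rejects any tag key outside the allowed list.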

## CodeCatalyst permissions reference
<a name="permissions-reference"></a>

This section provides a permissions reference for actions used with the account connection resource for AWS accounts that are connected to CodeCatalyst. The following section describes permissions-only actions that are related to connecting accounts.

### Required permissions for account connections
<a name="permissions-reference-connections"></a>

 The following permissions are required for working with account connections.

| CodeCatalyst permissions for account connections | Required permissions | Resources | 
| --- | --- | --- | 
| AcceptConnection | Required to accept a request to connect this account to a CodeCatalyst space. This is an IAM policy permission only, not an API action. | Supports only a wildcard (*) in the policy `Resource` element. | 
| AssociateIamRoleToConnection | Required to associate an IAM role to an account connection. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region:account_ID:/connections/connection_ID | 
| DeleteConnection | Required to delete an account connection. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region:account_ID:/connections/connection_ID | 
| DisassociateIamRoleFromConnection | Required to disassociate an IAM role from an account connection. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region:account_ID:/connections/connection_ID | 
| GetBillingAuthorization | Required to describe the billing authorization for an account connection. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region:account_ID:/connections/connection_ID | 
| GetConnection | Required to get an account connection. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region:account_ID:/connections/connection_ID | 
| GetPendingConnection | Required to get a pending request to connect this account to a CodeCatalyst space. This is an IAM policy permission only, not an API action. | Supports only a wildcard (*) in the policy `Resource` element. | 
| ListConnections | Required to list account connections that are not pending. This is an IAM policy permission only, not an API action. | Supports only a wildcard (*) in the policy `Resource` element. | 
| ListIamRolesForConnection | Required to list IAM roles associated with an account connection. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region:account_ID:/connections/connection_ID | 
| ListTagsForResource | Required to list tags associated with an account connection. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region:account_ID:/connections/connection_ID | 
| PutBillingAuthorization | Required to create or update the billing authorization for an account connection. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region:account_ID:/connections/connection_ID | 
| RejectConnection | Required to reject a request to connect this account to a CodeCatalyst space. This is an IAM policy permission only, not an API action. | Supports only a wildcard (*) in the policy `Resource` element. | 
| TagResource | Required to create or edit tags associated with an account connection. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region:account_ID:/connections/connection_ID | 
| UntagResource | Required to remove tags associated with an account connection. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region:account_ID:/connections/connection_ID | 

### Required permissions for IAM Identity Center applications
<a name="permissions-reference-applications"></a>

 The following permissions are required for working with IAM Identity Center applications.

| CodeCatalyst permissions for IAM Identity Center applications | Required permissions | Resources | 
| --- | --- | --- | 
| AssociateIdentityCenterApplicationToSpace | Required to associate an IAM Identity Center application with a CodeCatalyst space. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID | 
| AssociateIdentityToIdentityCenterApplication | Required to associate an identity with an IAM Identity Center application for a CodeCatalyst space. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID | 
| BatchAssociateIdentitiesToIdentityCenterApplication | Required to associate multiple identities with an IAM Identity Center application for a CodeCatalyst space. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID | 
| BatchDisassociateIdentitiesFromIdentityCenterApplication | Required to disassociate multiple identities from an IAM Identity Center application for a CodeCatalyst space. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID | 
| CreateIdentityCenterApplication | Required to create an IAM Identity Center application. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID | 
| CreateSpaceAdminRoleAssignment | Required to create an administrator role assignment for a given CodeCatalyst space and IAM Identity Center application. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID | 
| DeleteIdentityCenterApplication | Required to delete an IAM Identity Center application. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID | 
| DisassociateIdentityCenterApplicationFromSpace | Required to disassociate an IAM Identity Center application from a CodeCatalyst space. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID | 
| DisassociateIdentityFromIdentityCenterApplication | Required to disassociate an identity from an IAM Identity Center application for a CodeCatalyst space. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID | 
| GetIdentityCenterApplication | Required to get information about an IAM Identity Center application. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID | 
| ListIdentityCenterApplications | Required to view a list of all IAM Identity Center applications in the account. This is an IAM policy permission only, not an API action. | Supports only a wildcard (*) in the policy `Resource` element. | 
| ListIdentityCenterApplicationsForSpace | Required to view a list of IAM Identity Center applications by CodeCatalyst space. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID | 
| ListSpacesForIdentityCenterApplication | Required to view a list of CodeCatalyst spaces by IAM Identity Center application. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID | 
| SynchronizeIdentityCenterApplication | Required to synchronize an IAM Identity Center application with the backing identity store. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID | 
| UpdateIdentityCenterApplication | Required to update an IAM Identity Center application. This is an IAM policy permission only, not an API action. | arn:aws:codecatalyst:region:account_ID:/identity-center-applications/identity-center-application_ID | 

# Using service-linked roles for CodeCatalyst
<a name="using-service-linked-roles"></a>

Amazon CodeCatalyst uses AWS Identity and Access Management (IAM) [service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that is linked directly to CodeCatalyst. Service-linked roles are predefined by CodeCatalyst and include all the permissions that the service requires to call other AWS services on your behalf. 

A service-linked role makes setting up CodeCatalyst easier because you don’t have to manually add the necessary permissions. CodeCatalyst defines the permissions of its service-linked roles, and unless defined otherwise, only CodeCatalyst can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

You can delete a service-linked role only after first deleting its related resources. This protects your CodeCatalyst resources because you can't inadvertently remove permission to access the resources.

For information about other services that support service-linked roles, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes** in the **Service-linked roles** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

## Service-linked role permissions for CodeCatalyst
<a name="slr-permissions"></a>

CodeCatalyst uses the service-linked role named **AmazonCodeCatalystServiceRoleForIdentityCenterApplicationSynchronization** – Allows Amazon CodeCatalyst read-only access to application instance profiles and associated directory users and groups on your behalf.

The AmazonCodeCatalystServiceRoleForIdentityCenterApplicationSynchronization service-linked role trusts the following services to assume the role:
+ `codecatalyst.amazonaws.com`

The role permissions policy named AmazonCodeCatalystServiceRoleForIdentityCenterApplicationSynchronizationPolicy allows CodeCatalyst to complete the following actions on the specified resources:
+ Action: `View application instance profiles and associated directory users and groups` for `CodeCatalyst spaces that support identity federation and SSO users and groups`

You must configure permissions to allow your users, groups, or roles to create, edit, or delete a service-linked role. For more information, see [Service-linked role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

## Creating a service-linked role for CodeCatalyst
<a name="create-slr"></a>

You don't need to manually create a service-linked role. When you create a space in the AWS Management Console, the AWS CLI, or the AWS API, CodeCatalyst creates the service-linked role for you. 

**Important**  
This service-linked role can appear in your account if you completed an action in another service that uses the features supported by this role. Also, if you were using the CodeCatalyst service before November 17, 2023, when it began supporting service-linked roles, then CodeCatalyst created the AmazonCodeCatalystServiceRoleForIdentityCenterApplicationSynchronization role in your account. To learn more, see [A new role appeared in my AWS account](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared).

If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you create a space, CodeCatalyst creates the service-linked role for you again. 

You can also use the IAM console to create a service-linked role with the **View application instance profiles and associated directory users and groups** use case. In the AWS CLI or the AWS API, create a service-linked role with the `codecatalyst.amazonaws.com` service name. For more information, see [Creating a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#create-service-linked-role) in the *IAM User Guide*. If you delete this service-linked role, you can use this same process to create the role again.

## Editing a service-linked role for CodeCatalyst
<a name="edit-slr"></a>

CodeCatalyst does not allow you to edit the AmazonCodeCatalystServiceRoleForIdentityCenterApplicationSynchronization service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting a service-linked role for CodeCatalyst
<a name="delete-slr"></a>

You don't need to manually delete the AmazonCodeCatalystServiceRoleForIdentityCenterApplicationSynchronization role. When you delete a space in the AWS Management Console, the AWS CLI, or the AWS API, CodeCatalyst cleans up the resources and deletes the service-linked role for you.

You can also use the IAM console, the AWS CLI or the AWS API to manually delete the service-linked role. To do this, you must first manually clean up the resources for your service-linked role and then you can manually delete it.

**Note**  
If the CodeCatalyst service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

**To delete CodeCatalyst resources used by the AmazonCodeCatalystServiceRoleForIdentityCenterApplicationSynchronization**
+ [Delete the space](https://docs.aws.amazon.com/codecatalyst/latest/userguide/spaces-delete.htm).

**To manually delete the service-linked role using IAM**

Use the IAM console, the AWS CLI, or the AWS API to delete the AmazonCodeCatalystServiceRoleForIdentityCenterApplicationSynchronization service-linked role. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Supported Regions for CodeCatalyst service-linked roles
<a name="slr-regions"></a>

CodeCatalyst does not support using service-linked roles in every Region where the service is available. You can use the AmazonCodeCatalystServiceRoleForIdentityCenterApplicationSynchronization role in the Regions marked **Yes** in the following table. For more information about Regions, see [AWS Regions and endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html).

| Region name | Region identity | Support in CodeCatalyst | 
| --- | --- | --- | 
| US East (N. Virginia) | us-east-1 | No | 
| US East (Ohio) | us-east-2 | No | 
| US West (N. California) | us-west-1 | No | 
| US West (Oregon) | us-west-2 | Yes | 
| Africa (Cape Town) | af-south-1 | No | 
| Asia Pacific (Hong Kong) | ap-east-1 | No | 
| Asia Pacific (Jakarta) | ap-southeast-3 | No | 
| Asia Pacific (Mumbai) | ap-south-1 | No | 
| Asia Pacific (Osaka) | ap-northeast-3 | No | 
| Asia Pacific (Seoul) | ap-northeast-2 | No | 
| Asia Pacific (Singapore) | ap-southeast-1 | No | 
| Asia Pacific (Sydney) | ap-southeast-2 | No | 
| Asia Pacific (Tokyo) | ap-northeast-1 | No | 
| Canada (Central) | ca-central-1 | No | 
| Europe (Frankfurt) | eu-central-1 | No | 
| Europe (Ireland) | eu-west-1 | Yes | 
| Europe (London) | eu-west-2 | No | 
| Europe (Milan) | eu-south-1 | No | 
| Europe (Paris) | eu-west-3 | No | 
| Europe (Stockholm) | eu-north-1 | No | 
| Middle East (Bahrain) | me-south-1 | No | 
| Middle East (UAE) | me-central-1 | No | 
| South America (São Paulo) | sa-east-1 | No | 
| AWS GovCloud (US-East) | us-gov-east-1 | No | 
| AWS GovCloud (US-West) | us-gov-west-1 | No | 

# AWS managed policies for Amazon CodeCatalyst
<a name="security-iam-awsmanpol"></a>

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

## AWS managed policy: AmazonCodeCatalystSupportAccess
<a name="security-iam-awsmanpol-AmazonCodeCatalystSupportAccess"></a>

This is a policy that grants permissions for all space administrators and space members to utilize the Business or Enterprise premium support plan associated with the space billing account. These permissions allow space administrators and members to utilize the premium support plan for the resources they have permissions to within CodeCatalyst permissions policies.



**Permissions details**

This policy includes the following permissions.




+ `support` – Grants permissions to allow users to search for, create, and resolve AWS Support cases. Also grants permissions to describe communications, severity levels, attachments, and related support case details.



------
#### [ JSON ]

```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "support:DescribeAttachment",
        "support:DescribeCaseAttributes",
        "support:DescribeCases",
        "support:DescribeCommunications",
        "support:DescribeIssueTypes",
        "support:DescribeServices",
        "support:DescribeSeverityLevels",
        "support:DescribeSupportLevel",
        "support:SearchForCases",
        "support:AddAttachmentsToSet",
        "support:AddCommunicationToCase",
        "support:CreateCase",
        "support:InitiateCallForCase",
        "support:InitiateChatForCase",
        "support:PutCaseAttributes",
        "support:RateCaseCommunication",
        "support:ResolveCase"
      ],
      "Resource": "*"
    }
  ]
}
```

------

## AWS managed policy: AmazonCodeCatalystFullAccess
<a name="security-iam-awsmanpol-AmazonCodeCatalystFullAccess"></a>

This is a policy that grants permissions to manage your CodeCatalyst space and connected accounts in the Amazon CodeCatalyst Spaces page in the AWS Management Console. This application is used to configure AWS accounts that are connected to your space in CodeCatalyst.



**Permissions details**

This policy includes the following permissions.




+ `codecatalyst` – Grants full permissions to the Amazon CodeCatalyst Spaces page in the AWS Management Console.



------
#### [ JSON ]

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "CodeCatalystResourceAccess",
            "Effect": "Allow",
            "Action": [
                "codecatalyst:*",
                "iam:ListRoles"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CodeCatalystAssociateIAMRole",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "codecatalyst.amazonaws.com",
                        "codecatalyst-runner.amazonaws.com"
                    ]
                }
            }
        }
    ]
}
```

------
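The `iam:PassedToService` condition on the second statement is what keeps this policy from letting a console user hand arbitrary roles to arbitrary services. The following checker, an added example rather than code from the CodeCatalyst documentation, parses a policy document and reports any `iam:PassRole` grant that lacks such a pin; the policy above passes, and a constructed copy with its condition removed does not.

```python
import fnmatch
import json


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource/condition values; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_passrole(actions):
    """True if any action pattern matches iam:PassRole (covers iam:*, iam:Pass*, *)."""
    return any(fnmatch.fnmatchcase("iam:passrole", a.lower()) for a in actions)


def _passed_to_services(statement):
    """Service principals named in an iam:PassedToService condition, if any."""
    services = []
    for operator, pairs in statement.get("Condition", {}).items():
        # Only positive string operators (StringEquals, StringLike, ForAnyValue:String...)
        # pin the target service; negated or non-string operators on this key do not.
        if "Not" in operator or "String" not in operator:
            continue
        for key, value in pairs.items():
            if key.lower() == "iam:passedtoservice":
                services.extend(_as_list(value))
    return services


def find_unpinned_passrole(policy_json):
    """One finding per Allow statement that grants iam:PassRole without pinning it
    to a concrete service through iam:PassedToService. An empty list means the policy passes."""
    policy = json.loads(policy_json)
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        if not _grants_passrole(_as_list(statement.get("Action"))):
            continue
        services = _passed_to_services(statement)
        # A wildcard in the service list (StringLike "*") is as good as no condition at all.
        if not services or any("*" in s for s in services):
            findings.append({
                "index": index,
                "sid": statement.get("Sid"),
                "resource": _as_list(statement.get("Resource")),
                "passed_to_service": services,
            })
    return findings


# The AmazonCodeCatalystFullAccess document shown above.
FULL_ACCESS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CodeCatalystResourceAccess",
            "Effect": "Allow",
            "Action": ["codecatalyst:*", "iam:ListRoles"],
            "Resource": "*",
        },
        {
            "Sid": "CodeCatalystAssociateIAMRole",
            "Effect": "Allow",
            "Action": ["iam:PassRole"],
            "Resource": "*",
            "Condition": {"StringEquals": {"iam:PassedToService": [
                "codecatalyst.amazonaws.com",
                "codecatalyst-runner.amazonaws.com",
            ]}},
        },
    ],
})


def without_condition(policy_json):
    """Constructed weaker variant for comparison: the same grants with every Condition removed."""
    policy = json.loads(policy_json)
    for statement in _as_list(policy.get("Statement")):
        statement.pop("Condition", None)
    return json.dumps(policy)


if __name__ == "__main__":
    print("page policy:", find_unpinned_passrole(FULL_ACCESS_POLICY))
    print("condition stripped:", find_unpinned_passrole(without_condition(FULL_ACCESS_POLICY)))
```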

## AWS managed policy: AmazonCodeCatalystReadOnlyAccess
<a name="security-iam-awsmanpol-AmazonCodeCatalystReadOnlyAccess"></a>

This is a policy that grants permissions to view and list information for spaces and connected accounts in the Amazon CodeCatalyst Spaces page in the AWS Management Console. This application is used to configure AWS accounts that are connected to your space in CodeCatalyst.



**Permissions details**

This policy includes the following permissions.




+ `codecatalyst` – Grants read-only permissions to the Amazon CodeCatalyst Spaces page in the AWS Management Console.



------
#### [ JSON ]

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "codecatalyst:Get*",
                "codecatalyst:List*"
            ],
            "Resource": "*"
        }
    ]
}
```

------

## AWS managed policy: AmazonCodeCatalystServiceRoleForIdentityCenterApplicationSynchronizationPolicy
<a name="security-iam-awsmanpol-AmazonCodeCatalystServiceRoleForIdentityCenterApplicationSynchronizationPolicy"></a>



You can't attach AmazonCodeCatalystServiceRoleForIdentityCenterApplicationSynchronizationPolicy to your IAM entities. This policy is attached to a service-linked role that allows CodeCatalyst to perform actions on your behalf. For more information, see [Using service-linked roles for CodeCatalyst](using-service-linked-roles.md).



This policy allows customers to view application instance profiles and associated directory users and groups when managing spaces in CodeCatalyst. Customers will view these resources when managing spaces that support identity federation and SSO users and groups.



**Permissions details**

This policy includes the following permissions.




+ `sso` – Grants permissions to allow users to view application instance profiles that are managed in IAM Identity Center for associated spaces in CodeCatalyst.



------
#### [ JSON ]

```
{
	"Version":"2012-10-17",		 	 	 
	"Statement": [
		{
			"Sid": "AmazonCodeCatalystServiceRoleForIdentityCenterApplicationSynchronizationPolicy",
			"Effect": "Allow",
			"Action": [
				"sso:ListInstances",
				"sso:ListApplications",
				"sso:ListApplicationAssignments",
				"sso:DescribeInstance",
				"sso:DescribeApplication"
			],
			"Resource": "*"
		}
	]
}
```

------

## CodeCatalyst updates to AWS managed policies
<a name="security-iam-awsmanpol-updates"></a>



View details about updates to AWS managed policies for CodeCatalyst since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the CodeCatalyst [Document history](doc-history.md) page.




| Change | Description | Date | 
| --- | --- | --- | 
|  [AmazonCodeCatalystServiceRoleForIdentityCenterApplicationSynchronizationPolicy](#security-iam-awsmanpol-AmazonCodeCatalystServiceRoleForIdentityCenterApplicationSynchronizationPolicy) – New policy  |  CodeCatalyst added the policy. Grants permissions to allow CodeCatalyst users to view application instance profiles and associated directory users and groups.  | November 17, 2023 | 
|  [AmazonCodeCatalystSupportAccess](#security-iam-awsmanpol-AmazonCodeCatalystSupportAccess) – New policy  |  CodeCatalyst added the policy. Grants permissions to allow CodeCatalyst users to search for, create, and resolve support cases, as well as viewing related communications and details.  | April 20, 2023 | 
|  [AmazonCodeCatalystFullAccess](#security-iam-awsmanpol-AmazonCodeCatalystFullAccess) – New policy  |  CodeCatalyst added the policy. Grants full access to CodeCatalyst.  | April 20, 2023 | 
|  [AmazonCodeCatalystReadOnlyAccess](#security-iam-awsmanpol-AmazonCodeCatalystReadOnlyAccess) – New policy  |  CodeCatalyst added the policy. Grants read-only access to CodeCatalyst.  | April 20, 2023 | 
|  CodeCatalyst started tracking changes  |  CodeCatalyst started tracking changes for its AWS managed policies.  | April 20, 2023 | 



# Grant access to project AWS resources with IAM roles
<a name="ipa-iam-roles"></a>

CodeCatalyst can access AWS resources by connecting your AWS account to a CodeCatalyst space. You can then create the following service roles and associate them when you connect your account.

For more information about the elements that you use in a JSON policy, see [IAM JSON Policy Elements Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide*.
+ To access resources in an AWS account for your CodeCatalyst projects and workflows, you must first grant permission for CodeCatalyst to access those resources on your behalf. To do so, you must create a service role in a connected AWS account that CodeCatalyst can assume on behalf of users and projects in the space. You can either choose to create and use the **CodeCatalystWorkflowDevelopmentRole-*spaceName*** service role, or you can create customized service roles and configure these IAM policies and roles manually. As a best practice, assign these roles the least amount of permissions necessary.
**Note**  
For customized service roles, the CodeCatalyst service principal is required. For more information about the CodeCatalyst service principal and trust model, see [Understanding the CodeCatalyst trust model](trust-model.md).
+ To manage support for a space through the connected AWS account, you can choose to create and use the **AWSRoleForCodeCatalystSupport** service role that allows CodeCatalyst users to access support. For more information about support for a CodeCatalyst space, see [Support for Amazon CodeCatalyst](support.md).



## Understanding the **CodeCatalystWorkflowDevelopmentRole-*spaceName*** service role
<a name="ipa-iam-roles-service-role"></a>

You can add an IAM role for your space that CodeCatalyst can use to create and access resources in a connected AWS account. This is called a [service role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-role). The simplest way to create a service role is to add one when you create the space and to choose the **CodeCatalystWorkflowDevelopmentRole-*spaceName*** option for that role. This not only creates the service role with the `AdministratorAccess` policy attached, but it also creates the trust policy that allows CodeCatalyst to assume the role on behalf of users in projects in the space. The service role is scoped to the space, not to individual projects. To create this role, see [Creating the **CodeCatalystWorkflowDevelopmentRole-*spaceName*** role for your account and space](#ipa-iam-roles-service-create). You can only create one role for each space in each account.

**Note**  
This role is only recommended for use with development accounts and uses the `AdministratorAccess` AWS managed policy, giving it full access to create new policies and resources in this AWS account.

The policy attached to the **CodeCatalystWorkflowDevelopmentRole-*spaceName*** role is designed to work with projects created with blueprints in the space. It allows users in those projects to develop, build, test, and deploy code using resources in the connected AWS account. For more information, see [Creating a role for an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html).

The policy attached to the **CodeCatalystWorkflowDevelopmentRole-*spaceName*** role is the `AdministratorAccess` managed policy in AWS. This is a policy that grants full access to all AWS actions and resources. To view the JSON policy document in the IAM console, see [AdministratorAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AdministratorAccess).

The following trust policy allows CodeCatalyst to assume the **CodeCatalystWorkflowDevelopmentRole-*spaceName*** role. For more information about the CodeCatalyst trust model, see [Understanding the CodeCatalyst trust model](trust-model.md).

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "codecatalyst-runner.amazonaws.com",
                    "codecatalyst.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:codecatalyst:::space/spaceId/project/*"
                }
            }
        }
    ]
}
```

## Creating the **CodeCatalystWorkflowDevelopmentRole-*spaceName*** role for your account and space
<a name="ipa-iam-roles-service-create"></a>

Follow these steps to create the `CodeCatalystWorkflowDevelopmentRole-spaceName` role that will be used for workflows in your space. For each account connected to your space whose IAM roles you want to use in projects, you must add a role such as the developer role.

Before you begin, you must have administrative privileges for your AWS account or be able to work with your administrator. For more information about how AWS accounts and IAM roles are used in CodeCatalyst, see [Allowing access to AWS resources with connected AWS accounts](ipa-connect-account.md).

**To create and add the CodeCatalystWorkflowDevelopmentRole-*spaceName* role**

1. Before you start in the CodeCatalyst console, open the AWS Management Console, and then make sure you are logged in with the same AWS account for your space.

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your CodeCatalyst space. Choose **Settings**, and then choose **AWS accounts**.

1. Choose the link for the AWS account where you want to create the role. The **AWS account details** page displays.

1. Choose **Manage roles from AWS Management Console**. 

   The **Add IAM role to Amazon CodeCatalyst space** page opens in the AWS Management Console. This is the **Amazon CodeCatalyst spaces** page. You might need to log in to access the page.

1. Choose **Create CodeCatalyst development administrator role in IAM**. This option creates a service role that contains the permissions policy and trust policy for the development role. The role will have a name `CodeCatalystWorkflowDevelopmentRole-spaceName`. For more information about the role and role policy, see [Understanding the **CodeCatalystWorkflowDevelopmentRole-*spaceName*** service role](#ipa-iam-roles-service-role).
**Note**  
This role is only recommended for use with developer accounts and uses the `AdministratorAccess` AWS managed policy, giving it full access to create new policies and resources in this AWS account.

1. Choose **Create development role**.

1. On the connections page, under **IAM roles available to CodeCatalyst**, view the `CodeCatalystWorkflowDevelopmentRole-spaceName` role in the list of IAM roles added to your account.

1. To return to your space, choose **Go to Amazon CodeCatalyst**.

## Understanding the **AWSRoleForCodeCatalystSupport** service role
<a name="ipa-iam-roles-support-role"></a>

You can add an IAM role for your space that CodeCatalyst users in a space can use to create and access support cases. This is called a [service role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-role) for support. The simplest way to create a service role for support is to add one when you create the space and to choose the `AWSRoleForCodeCatalystSupport` option for that role. This not only creates the policy and the role, but it also creates the trust policy that allows CodeCatalyst to assume the role on behalf of users in projects in the space. The service role is scoped to the space, not to individual projects. To create this role, see [Creating the **AWSRoleForCodeCatalystSupport** role for your account and space](#ipa-iam-roles-support-create).

The policy attached to the `AWSRoleForCodeCatalystSupport` role is a managed policy that provides access to support permissions. For more information, see [AWS managed policy: AmazonCodeCatalystSupportAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AmazonCodeCatalystSupportAccess).

The trust policy for the role allows CodeCatalyst to assume the role.

------
#### [ JSON ]

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "codecatalyst.amazonaws.com",
                    "codecatalyst-runner.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```

------
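The development role trust policy above carries an `aws:SourceArn` condition tied to the space, while the support role trust policy does not. The following checker, an added example that is not part of the CodeCatalyst documentation, reads a trust policy and reports, for each statement that lets the CodeCatalyst service principals assume the role, whether it is scoped to a given space id; the space id it uses is a constructed placeholder standing in for the page's `spaceId`.

```python
import fnmatch
import json

# Service principals CodeCatalyst uses to assume a space's service roles (from the trust policies above).
CODECATALYST_PRINCIPALS = {
    "codecatalyst.amazonaws.com",
    "codecatalyst-runner.amazonaws.com",
}


def _as_list(value):
    """IAM accepts a string or a list in most policy fields; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _source_arn_patterns(statement):
    """aws:SourceArn values from positive Arn*/String* condition operators."""
    patterns = []
    for operator, pairs in statement.get("Condition", {}).items():
        if "Not" in operator or not ("Arn" in operator or "String" in operator):
            continue
        for key, value in pairs.items():
            if key.lower() == "aws:sourcearn":
                patterns.extend(_as_list(value))
    return patterns


def analyze_trust_policy(policy_json, space_id):
    """Summarize each Allow sts:AssumeRole statement that names a CodeCatalyst principal.

    scoped_to_space is True only when every aws:SourceArn pattern on the statement
    lies under arn:aws:codecatalyst:::space/<space_id>/, so CodeCatalyst cannot
    assume the role on behalf of a different space."""
    policy = json.loads(policy_json)
    expected_prefix = f"arn:aws:codecatalyst:::space/{space_id}/"
    results = []
    for statement in _as_list(policy.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(statement.get("Action"))]
        if not any(fnmatch.fnmatchcase("sts:assumerole", a) for a in actions):
            continue
        principal = statement.get("Principal")
        services = set(_as_list(principal.get("Service"))) if isinstance(principal, dict) else set()
        matched = services & CODECATALYST_PRINCIPALS
        if not matched:
            continue
        patterns = _source_arn_patterns(statement)
        results.append({
            "principals": sorted(matched),
            "source_arn": patterns,
            "scoped_to_space": bool(patterns) and all(p.startswith(expected_prefix) for p in patterns),
        })
    return results


# Constructed space id standing in for the spaceId placeholder in the page's trust policy.
SPACE_ID = "example-space-id"

# Trust policy of CodeCatalystWorkflowDevelopmentRole-spaceName, as shown above.
DEV_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ["codecatalyst-runner.amazonaws.com", "codecatalyst.amazonaws.com"]},
        "Action": "sts:AssumeRole",
        "Condition": {"ArnLike": {"aws:SourceArn": f"arn:aws:codecatalyst:::space/{SPACE_ID}/project/*"}},
    }],
})

# Trust policy of AWSRoleForCodeCatalystSupport, as shown above: same principals, no condition.
SUPPORT_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ["codecatalyst.amazonaws.com", "codecatalyst-runner.amazonaws.com"]},
        "Action": "sts:AssumeRole",
    }],
})


if __name__ == "__main__":
    for name, document in (("development role", DEV_TRUST_POLICY), ("support role", SUPPORT_TRUST_POLICY)):
        print(name, analyze_trust_policy(document, SPACE_ID))
```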

## Creating the **AWSRoleForCodeCatalystSupport** role for your account and space
<a name="ipa-iam-roles-support-create"></a>

Follow these steps to create the `AWSRoleForCodeCatalystSupport` role that will be used for support cases in your space. The role must be added to the designated billing account for the space.

Before you begin, you must have administrative privileges for your AWS account or be able to work with your administrator. For more information about how AWS accounts and IAM roles are used in CodeCatalyst, see [Allowing access to AWS resources with connected AWS accounts](ipa-connect-account.md).

**To create and add the AWSRoleForCodeCatalystSupport role**

1. Before you start in the CodeCatalyst console, open the AWS Management Console, and then make sure you are logged in with the same AWS account for your space.

1. Navigate to your CodeCatalyst space. Choose **Settings**, and then choose **AWS accounts**.

1. Choose the link for the AWS account where you want to create the role. The **AWS account details** page displays.

1. Choose **Manage roles from AWS Management Console**. 

   The **Add IAM role to Amazon CodeCatalyst space** page opens in the AWS Management Console. This is the **Amazon CodeCatalyst Spaces** page. You might need to sign in to access the page.

1. Under **CodeCatalyst space details**, choose **Add CodeCatalyst Support role**. This option creates a service role that contains the permissions policy and trust policy for the preview development role. The role will have a name **AWSRoleForCodeCatalystSupport** with a unique identifier appended. For more information about the role and role policy, see [Understanding the **AWSRoleForCodeCatalystSupport** service role](#ipa-iam-roles-support-role).

1. On the **Add role for CodeCatalyst Support** page, leave the default selected, and then choose **Create role**.

1. Under **IAM roles available to CodeCatalyst**, view the `CodeCatalystWorkflowDevelopmentRole-spaceName` role in the list of IAM roles added to your account.

1. To return to your space, choose **Go to Amazon CodeCatalyst**.

## Configuring IAM roles for workflow actions in CodeCatalyst
<a name="ipa-iam-roles-policies"></a>

This section details IAM roles and policies that you can create to use with your CodeCatalyst account. For instructions to create example roles, see [Creating roles manually for workflow actions](#ipa-iam-roles-actions). After you create your IAM role, copy the role ARN to add the IAM role to your account connection and associate it with your project environment. To learn more, see [Adding IAM roles to account connections](ipa-connect-account-addroles.md).

### CodeCatalyst build role for Amazon S3 access
<a name="ipa-iam-rolepolicy-BuildRoleS3"></a>

For CodeCatalyst workflow build actions, you can use the default **CodeCatalystWorkflowDevelopmentRole-*spaceName*** service role, or you can create an IAM role named **CodeCatalystBuildRoleforS3Access**. This role uses a policy with scoped permissions that CodeCatalyst needs to run tasks on CloudFormation resources in your AWS account.

This role gives permissions to do the following:
+ Write to Amazon S3 buckets.
+ Support building of resources with CloudFormation. This requires Amazon S3 access.

This role uses the following policy:

**Note**  
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.  

```
"Resource": "*"
```

### CodeCatalyst build role for CloudFormation
<a name="ipa-iam-rolepolicy-BuildRoleCloudFormation"></a>

For CodeCatalyst workflow build actions, you can use the default **CodeCatalystWorkflowDevelopmentRole-*spaceName*** service role, or you can create an IAM role with the necessary permissions. This role uses a policy with scoped permissions that CodeCatalyst needs to run tasks on CloudFormation resources in your AWS account.

This role gives permissions to do the following:
+ Support building of resources with CloudFormation. This is required along with the CodeCatalyst build role for Amazon S3 access and the CodeCatalyst deploy role for CloudFormation.

The following AWS managed policies should be attached to this role:
+ **AWSCloudFormationFullAccess**
+ **IAMFullAccess**
+ **AmazonS3FullAccess**
+ **AmazonAPIGatewayAdministrator**
+ **AWSLambdaFullAccess**

### CodeCatalyst build role for CDK
<a name="ipa-iam-rolepolicy-BuildRoleCDK"></a>

For CodeCatalyst workflows that run CDK build actions, such as Modern three-tier web application, you can use the default **CodeCatalystWorkflowDevelopmentRole-*spaceName*** service role, or you can create an IAM role with the necessary permissions. This role uses a policy with scoped permissions that CodeCatalyst needs to bootstrap and run CDK build commands for CloudFormation resources in your AWS account.

This role gives permissions to do the following:
+ Write to Amazon S3 buckets.
+ Support building of CDK constructs and CloudFormation resource stacks. This requires access to Amazon S3 for artifact storage, Amazon ECR for image repository support, and SSM for system governance and monitoring for virtual instances.

This role uses the following policy:

**Note**  
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.  

```
"Resource": "*"
```

### CodeCatalyst deploy role for CloudFormation
<a name="ipa-iam-rolepolicy-DeployCloudFormation"></a>

For CodeCatalyst workflow deploy actions that use CloudFormation, you can use the default **CodeCatalystWorkflowDevelopmentRole-*spaceName*** service role, or you can use a policy with scoped permissions that CodeCatalyst needs to run tasks on CloudFormation resources in your AWS account.

This role gives permissions to do the following:
+ Allow CodeCatalyst to invoke a Lambda function to perform blue/green deployment through CloudFormation.
+ Allow CodeCatalyst to create and update stacks and changesets in CloudFormation.

This role uses the following policy:

```
{
    "Action": [
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack",
        "cloudformation:Describe*",
        "cloudformation:UpdateStack",
        "cloudformation:CreateChangeSet",
        "cloudformation:DeleteChangeSet",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:SetStackPolicy",
        "cloudformation:ValidateTemplate",
        "cloudformation:List*",
        "iam:PassRole"
    ],
    "Resource": "resource_ARN",
    "Effect": "Allow"
}
```

**Note**  
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.  

```
"Resource": "*"
```

### CodeCatalyst deploy role for Amazon EC2
<a name="ipa-iam-rolepolicy-DeployEC2"></a>

CodeCatalyst workflow deploy actions use an IAM role with the necessary permissions. This role uses a policy with scoped permissions that CodeCatalyst needs to run tasks on Amazon EC2 resources in your AWS account. The default policy for the **CodeCatalystWorkflowDevelopmentRole-*spaceName*** role does not include permissions for Amazon EC2 or Amazon EC2 Auto Scaling.

This role gives permissions to do the following:
+ Create Amazon EC2 deployments.
+ Read the tags on an instance or identify an Amazon EC2 instance by Auto Scaling group names. 
+ Read, create, update, and delete Amazon EC2 Auto Scaling groups, lifecycle hooks, and scaling policies.
+ Publish information to Amazon SNS topics.
+ Retrieve information about CloudWatch alarms.
+ Read and update Elastic Load Balancing.

This role uses the following policy:

**Note**  
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.  

```
"Resource": "*"
```

### CodeCatalyst deploy role for Amazon ECS
<a name="ipa-iam-rolepolicy-DeployECS"></a>

For CodeCatalyst workflow deploy actions, you can use the default **CodeCatalystWorkflowDevelopmentRole-*spaceName*** service role, or you can create an IAM role with the necessary permissions for CodeCatalyst deploy actions to use. This role uses a policy with scoped permissions that CodeCatalyst needs to run tasks on Amazon ECS resources in your AWS account.

This role gives permissions to do the following:
+ Initiate rolling Amazon ECS deployment on behalf of a CodeCatalyst user, in an account specified in the CodeCatalyst connection.
+ Read, update, and delete Amazon ECS task sets.
+ Update Elastic Load Balancing target groups, listeners, and rules.
+ Invoke Lambda functions.
+ Access revision files in Amazon S3 buckets.
+ Retrieve information about CloudWatch alarms.
+ Publish information to Amazon SNS topics.

This role uses the following policy:

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ecs:DescribeServices",
                "ecs:CreateTaskSet",
                "ecs:DeleteTaskSet",
                "ecs:ListClusters",
                "ecs:RegisterTaskDefinition",
                "ecs:UpdateServicePrimaryTaskSet",
                "ecs:UpdateService",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:ModifyListener",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:ModifyRule",
                "lambda:InvokeFunction",
                "lambda:ListFunctions",
                "cloudwatch:DescribeAlarms",
                "sns:Publish",
                "sns:ListTopics",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "codedeploy:CreateApplication",
                "codedeploy:CreateDeployment",
                "codedeploy:CreateDeploymentGroup",
                "codedeploy:GetApplication",
                "codedeploy:GetDeployment",
                "codedeploy:GetDeploymentGroup",
                "codedeploy:ListApplications",
                "codedeploy:ListDeploymentGroups",
                "codedeploy:ListDeployments",
                "codedeploy:StopDeployment",
                "codedeploy:GetDeploymentTarget",
                "codedeploy:ListDeploymentTargets",
                "codedeploy:GetDeploymentConfig",
                "codedeploy:GetApplicationRevision",
                "codedeploy:RegisterApplicationRevision",
                "codedeploy:BatchGetApplicationRevisions",
                "codedeploy:BatchGetDeploymentGroups",
                "codedeploy:BatchGetDeployments",
                "codedeploy:BatchGetApplications",
                "codedeploy:ListApplicationRevisions",
                "codedeploy:ListDeploymentConfigs",
                "codedeploy:ContinueDeployment"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "iam:PassRole"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": [
                        "ecs-tasks.amazonaws.com",
                        "codedeploy.amazonaws.com"
                    ]
                }
            }
        }
    ]
}
```

------

**Note**  
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.  

```
"Resource": "*"
```
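The note above repeats across this section: start a role on `"Resource": "*"`, then pin it to the real ARNs once they exist. As an added example (not code from the CodeCatalyst documentation), the following helper finds the statements of a policy that are still on the wildcard and produces the scoped-down copy, keeping List/Describe-style calls that have no resource-level permissions on `"*"` so the workflow keeps running; it operates on a constructed excerpt of the Amazon ECS deploy policy above, and the cluster and service ARNs are constructed placeholders.

```python
import copy


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_statements(policy):
    """Indexes of Allow statements that still grant their actions on Resource "*".

    Statements carrying a Condition (like the iam:PassRole grant above, pinned
    with iam:PassedToService) are already constrained and are not reported."""
    hits = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow" or statement.get("Condition"):
            continue
        if "*" in _as_list(statement.get("Resource")):
            hits.append(index)
    return hits


def scope_down(policy, index, arns, keep_wildcard=()):
    """Return a copy of `policy` with statement `index` limited to `arns`.

    Actions in `keep_wildcard` (calls with no resource-level permission support,
    typically List*/Describe* operations; check each one in the Service
    Authorization Reference) are moved into a separate statement that stays on
    "*"; otherwise those calls would start failing right after the scope-down."""
    if not arns or "*" in arns:
        raise ValueError("scope_down needs at least one concrete ARN")
    scoped = copy.deepcopy(policy)
    statements = _as_list(scoped.get("Statement"))
    scoped["Statement"] = statements
    target = statements[index]
    actions = _as_list(target.get("Action"))
    wildcard_actions = [a for a in actions if a in keep_wildcard]
    scoped_actions = [a for a in actions if a not in keep_wildcard]
    if not scoped_actions:
        raise ValueError("every action in the statement was kept on the wildcard")
    target["Action"] = scoped_actions
    target["Resource"] = sorted(set(arns))
    if wildcard_actions:
        statements.insert(index + 1, {"Action": wildcard_actions, "Resource": "*", "Effect": "Allow"})
    return scoped


# Constructed excerpt of the ECS deploy-role policy shown above: a handful of the
# first statement's actions, plus the iam:PassRole statement exactly as on the page.
ECS_DEPLOY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["ecs:DescribeServices", "ecs:CreateTaskSet", "ecs:DeleteTaskSet",
                       "ecs:ListClusters", "ecs:UpdateService",
                       "elasticloadbalancing:DescribeTargetGroups", "sns:ListTopics"],
            "Resource": "*",
            "Effect": "Allow",
        },
        {
            "Action": ["iam:PassRole"],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {"StringLike": {"iam:PassedToService": [
                "ecs-tasks.amazonaws.com", "codedeploy.amazonaws.com"]}},
        },
    ],
}

# Constructed ARNs for the cluster and service the workflow actually deployed to.
SERVICE_ARNS = [
    "arn:aws:ecs:us-west-2:111122223333:cluster/example-cluster",
    "arn:aws:ecs:us-west-2:111122223333:service/example-cluster/example-service",
]

# Calls in the excerpt that accept only Resource "*" (no resource-level permissions).
LIST_ONLY_ACTIONS = {"ecs:ListClusters", "elasticloadbalancing:DescribeTargetGroups", "sns:ListTopics"}


if __name__ == "__main__":
    print("still on wildcard:", wildcard_statements(ECS_DEPLOY_POLICY))
    scoped = scope_down(ECS_DEPLOY_POLICY, 0, SERVICE_ARNS, keep_wildcard=LIST_ONLY_ACTIONS)
    print("after scope-down, still on wildcard:", wildcard_statements(scoped))
```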

### CodeCatalyst deploy role for Lambda
<a name="ipa-iam-rolepolicy-DeployLambda"></a>

For CodeCatalyst workflow actions, you can use the default **CodeCatalystWorkflowDevelopmentRole-*spaceName*** service role, or you can create an IAM role with the necessary permissions. This role uses a policy with scoped permissions that CodeCatalyst needs to run tasks on Lambda resources in your AWS account.

This role gives permissions to do the following:
+ Read, update, and invoke Lambda functions and aliases.
+ Access revision files in Amazon S3 buckets.
+ Retrieve information about CloudWatch alarms.
+ Publish information to Amazon SNS topics.

This role uses the following policy:

**Note**  
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.  

```
"Resource": "*"
```

### CodeCatalyst deploy role for AWS SAM
<a name="ipa-iam-rolepolicy-DeploySAM"></a>

For CodeCatalyst workflow actions, you can use the default **CodeCatalystWorkflowDevelopmentRole-*spaceName*** service role, or you can create an IAM role with the necessary permissions. This role uses a policy with scoped permissions that CodeCatalyst needs to run tasks on AWS SAM and CloudFormation resources in your AWS account.

This role gives permissions to do the following:
+ Allow CodeCatalyst to invoke a Lambda function to perform deployment of serverless and AWS SAM CLI applications.
+ Allow CodeCatalyst to create and update stacks and changesets in CloudFormation.

This role uses the following policy:

**Note**  
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.  

```
"Resource": "*"
```

### CodeCatalyst read only role for Amazon EC2
<a name="ipa-iam-rolepolicy-ReadOnlyEC2"></a>

For CodeCatalyst workflow actions, you can create an IAM role with the necessary permissions. This role uses a policy with scoped permissions that CodeCatalyst needs to run tasks on Amazon EC2 resources in your AWS account. The **CodeCatalystWorkflowDevelopmentRole-*spaceName*** service role does not include permissions for Amazon EC2 or the described actions for Amazon CloudWatch.

This role gives permissions to do the following:
+ Get status of Amazon EC2 instances.
+ Get CloudWatch metrics for Amazon EC2 instances.

This role uses the following policy:

**Note**  
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.  

```
"Resource": "*"
```

### CodeCatalyst read only role for Amazon ECS
<a name="ipa-iam-rolepolicy-ReadOnlyECS"></a>

For CodeCatalyst workflow actions, you can create an IAM role with the necessary permissions. This role uses a policy with scoped permissions that CodeCatalyst needs to run tasks on Amazon ECS resources in your AWS account.

This role gives permissions to do the following:
+ Read Amazon ECS task sets. 
+ Retrieve information about CloudWatch alarms.

This role uses the following policy:

**Note**  
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.  

```
"Resource": "*"
```

### CodeCatalyst read only role for Lambda
<a name="ipa-iam-rolepolicy-ReadOnlyLambda"></a>

For CodeCatalyst workflow actions, you can create an IAM role with the necessary permissions. This role uses a policy with scoped permissions that CodeCatalyst needs to run tasks on Lambda resources in your AWS account.

This role gives permissions for the following:
+ Read Lambda functions and aliases.
+ Access revision files in Amazon S3 buckets.
+ Retrieve information about CloudWatch alarms.

This role uses the following policy.

**Note**  
The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.  

```
"Resource": "*"
```
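The note above (repeated in the role-creation procedures later on this page) tells you to start with `"Resource": "*"` and scope the statement down once the resource names are known. The following Python script is an added example, not code from the CodeCatalyst documentation: it lists the statements in a policy document that still carry the wildcard and rewrites the ones you name with concrete ARNs. The sample policy, account ID `111122223333` and ARNs are constructed placeholders.

```python
import json
from typing import Dict, List

# Constructed sample policy (not the one from the CodeCatalyst docs): the shape a
# read-only Lambda role might have right after its first workflow run, when the
# page's note says to leave Resource as "*" until the resource names are known.
FIRST_RUN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["lambda:GetFunction", "lambda:GetAlias"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["cloudwatch:DescribeAlarms"],
         "Resource": "arn:aws:cloudwatch:us-east-1:111122223333:alarm:deploy-alarm"},
    ],
})


def wildcard_statements(policy_json: str) -> List[int]:
    """Indexes of Allow statements whose Resource is, or includes, the bare wildcard.
    A "*" inside an ARN (an S3 key prefix, say) is a scoped resource and is not reported."""
    policy = json.loads(policy_json)
    hits = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        res = stmt.get("Resource", [])
        res = [res] if isinstance(res, str) else res
        if "*" in res:
            hits.append(i)
    return hits


def resources_of(policy_json: str, index: int) -> List[str]:
    """Resource entry of one statement, normalised to a list."""
    res = json.loads(policy_json)["Statement"][index].get("Resource", [])
    return [res] if isinstance(res, str) else list(res)


def scope_down(policy_json: str, arns_by_statement: Dict[int, List[str]]) -> str:
    """Replace the Resource of the listed statements with concrete ARNs.
    Only the statements you name are touched; run wildcard_statements() on the
    result to confirm nothing you meant to scope was left as "*"."""
    policy = json.loads(policy_json)
    for index, arns in arns_by_statement.items():
        policy["Statement"][index]["Resource"] = list(arns)
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    scoped = scope_down(FIRST_RUN_POLICY, {
        0: ["arn:aws:lambda:us-east-1:111122223333:function:my-fn"],
        1: ["arn:aws:s3:::my-revision-bucket/revisions/*"],
    })
    print("statements still using the wildcard:", wildcard_statements(scoped))
    print(scoped)
```

Actions that do not support resource-level permissions (the EC2 `Describe*` actions, for example) must keep `"*"`, so review each reported statement rather than rewriting all of them.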

## Creating roles manually for workflow actions
<a name="ipa-iam-roles-actions"></a>

CodeCatalyst workflow actions use IAM roles that you create called the **build role**, the **deploy role**, and the **stack role**.

Follow these steps to create these roles in IAM.

**To create a deploy role**

1. Create a policy for the role, as follows:

   1. Sign in to AWS.

   1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

   1. In the navigation pane, choose **Policies**.

   1. Choose **Create policy**.

   1. Choose the **JSON** tab.

   1. Delete the existing code.

   1. Paste the following code:

      **Note**  
      The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.

      ```
      "Resource": "*"
      ```

   1. Choose **Next: Tags**.

   1. Choose **Next: Review**.

   1. In **Name**, enter:

      ```
      codecatalyst-deploy-policy
      ```

   1. Choose **Create policy**.

      You have now created a permissions policy.

1. Create the deploy role, as follows:

   1. In the navigation pane, choose **Roles**, and then choose **Create role**.

   1. Choose **Custom trust policy**.

   1. Delete the existing custom trust policy.

   1. Add the following custom trust policy:

   1. Choose **Next**.

   1. In **Permissions policies**, search for `codecatalyst-deploy-policy` and select its check box.

   1. Choose **Next**.

   1. For **Role name**, enter:

      ```
      codecatalyst-deploy-role
      ```

   1. For **Role description**, enter:

      ```
      CodeCatalyst deploy role
      ```

   1. Choose **Create role**.

   You have now created a deploy role with a trust policy and permissions policy.

1. Obtain the deploy role ARN, as follows:

   1. In the navigation pane, choose **Roles**.

   1. In the search box, enter the name of the role you just created (`codecatalyst-deploy-role`).

   1. Choose the role from the list.

      The role's **Summary** page appears.

   1. At the top, copy the **ARN** value.

   You have now created the deploy role with the appropriate permissions, and obtained its ARN.

**To create a build role**

1. Create a policy for the role, as follows:

   1. Sign in to AWS.

   1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

   1. In the navigation pane, choose **Policies**.

   1. Choose **Create policy**.

   1. Choose the **JSON** tab.

   1. Delete the existing code.

   1. Paste the following code:

      **Note**  
      The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.

      ```
      "Resource": "*"
      ```

   1. Choose **Next: Tags**.

   1. Choose **Next: Review**.

   1. In **Name**, enter:

      ```
      codecatalyst-build-policy
      ```

   1. Choose **Create policy**.

      You have now created a permissions policy.

1. Create the build role, as follows:

   1. In the navigation pane, choose **Roles**, and then choose **Create role**.

   1. Choose **Custom trust policy**.

   1. Delete the existing custom trust policy.

   1. Add the following custom trust policy:

   1. Choose **Next**.

   1. In **Permissions policies**, search for `codecatalyst-build-policy` and select its check box.

   1. Choose **Next**.

   1. For **Role name**, enter:

      ```
      codecatalyst-build-role
      ```

   1. For **Role description**, enter:

      ```
      CodeCatalyst build role
      ```

   1. Choose **Create role**.

   You have now created a build role with a trust policy and permissions policy.

1. Obtain the build role ARN, as follows:

   1. In the navigation pane, choose **Roles**.

   1. In the search box, enter the name of the role you just created (`codecatalyst-build-role`).

   1. Choose the role from the list.

      The role's **Summary** page appears.

   1. At the top, copy the **ARN** value.

   You have now created the build role with the appropriate permissions, and obtained its ARN.

**To create a stack role**

**Note**  
You don't have to create a stack role, although doing so is recommended for security reasons. If you don't create the stack role, you'll need to add the permissions policies described further on in this procedure to the deploy role.

1. Sign in to AWS using the account where you want to deploy your stack.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Roles**, and then choose **Create role**.

1. At the top, choose **AWS service**.

1. From the list of services, choose **CloudFormation**.

1. Choose **Next: Permissions**.

1. In the search box, add any policies that are required to access the resources in your stack. For example, if your stack includes an AWS Lambda function, you need to add a policy that grants access to Lambda.

   **Tip**  
   If you're unsure which policies to add, you can omit them for now. When you test the action, if you don't have the right permissions, CloudFormation generates errors that show which permissions you need to add.

1. Choose **Next: Tags**.

1. Choose **Next: Review**.

1. For **Role name**, enter:

   ```
   codecatalyst-stack-role
   ```

1. Choose **Create role**.

1. To obtain the stack role's ARN, do the following:

   1. In the navigation pane, choose **Roles**.

   1. In the search box, enter the name of the role you just created (`codecatalyst-stack-role`).

   1. Choose the role from the list.

   1. On the **Summary** page, copy the **Role ARN** value.

## Using AWS CloudFormation to create policies and roles in IAM
<a name="ipa-iam-roles-cfn"></a>

You can choose to create and use AWS CloudFormation templates to create the policies and roles you need to access resources in an AWS account for your CodeCatalyst projects and workflows. CloudFormation is a service that helps you model and set up your AWS resources so that you can spend less time managing those resources and more time focusing on your applications that run on AWS. If you intend to create roles in multiple AWS accounts, creating a template can help you perform this task more quickly.

The following example template creates a deploy action role and policy.

```
Parameters:
  CodeCatalystAccountId:
    Type: String
    Description: Account ID from the connections page
  ExternalId:
    Type: String
    Description: External ID from the connections page
Resources:
  CrossAccountRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - !Ref CodeCatalystAccountId
            Action:
              - 'sts:AssumeRole'
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
      Path: /
      Policies:
        - PolicyName: CodeCatalyst-CloudFormation-action-policy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - 'cloudformation:CreateStack'
                  - 'cloudformation:DeleteStack'
                  - 'cloudformation:Describe*'
                  - 'cloudformation:UpdateStack'
                  - 'cloudformation:CreateChangeSet'
                  - 'cloudformation:DeleteChangeSet'
                  - 'cloudformation:ExecuteChangeSet'
                  - 'cloudformation:SetStackPolicy'
                  - 'cloudformation:ValidateTemplate'
                  - 'cloudformation:List*'
                  - 'iam:PassRole'
                Resource: '*'
```
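The template's `AssumeRolePolicyDocument` is what keeps the role assumable only by the CodeCatalyst account and only when the external ID from the connections page is presented. The following Python is an added example, not code from the documentation or the template: it builds that trust policy from the two template parameters and checks an existing trust policy document for the same three constraints (principal, action, `sts:ExternalId`). The account ID and external ID are constructed placeholders.

```python
import json
from typing import List

# Placeholders for the "Account ID" and "External ID" values shown on the
# CodeCatalyst connections page (constructed for this example, not real values).
CODECATALYST_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "example-external-id"


def build_trust_policy(account_id: str, external_id: str) -> dict:
    """The AssumeRolePolicyDocument from the template above, as a JSON-ready dict."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": [account_id]},
            "Action": ["sts:AssumeRole"],
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_findings(policy: dict, account_id: str, external_id: str) -> List[str]:
    """Check a trust policy document; an empty list means every Allow statement is
    limited to the given account, to sts:AssumeRole, and to the given ExternalId."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict) and set(principal) - {"AWS"}:
            findings.append(f"statement {i}: non-account principal {sorted(set(principal) - {'AWS'})}")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else [principal]
        aws = [aws] if isinstance(aws, str) else list(aws)
        for p in aws:
            # Accepts a bare account ID or arn:aws:iam::<account>:root; rejects "*".
            if p == "*" or account_id not in p:
                findings.append(f"statement {i}: principal {p!r} is not the CodeCatalyst account")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        extra = [a for a in actions if a != "sts:AssumeRole"]
        if extra:
            findings.append(f"statement {i}: unexpected actions {extra}")
        cond = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if cond != external_id:
            findings.append(f"statement {i}: sts:ExternalId condition missing or wrong")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(CODECATALYST_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy, CODECATALYST_ACCOUNT_ID, EXTERNAL_ID))
```

The same check can be run on the trust policy the IAM console shows on a role's **Trust relationships** tab after the stack or the manual procedure has created it.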

## Creating the role manually for the web application blueprint
<a name="ipa-iam-roles-webapp-blueprint"></a>

The CodeCatalyst web application blueprint uses IAM roles that you create called the **build role for CDK**, the **deploy role**, and the **stack role**.

Follow these steps to create the role in IAM.

**To create a build role**

1. Create a policy for the role, as follows:

   1. Sign in to AWS.

   1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

   1. In the navigation pane, choose **Policies**.

   1. Choose **Create Policy**.

   1. Choose the **JSON** tab.

   1. Delete the existing code.

   1. Paste the following code:

      **Note**  
      The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.

      ```
      "Resource": "*"
      ```

   1. Choose **Next: Tags**.

   1. Choose **Next: Review**.

   1. In **Name**, enter:

      ```
      codecatalyst-webapp-build-policy
      ```

   1. Choose **Create policy**.

      You have now created a permissions policy.

1. Create the build role, as follows:

   1. In the navigation pane, choose **Roles**, and then choose **Create role**.

   1. Choose **Custom trust policy**.

   1. Delete the existing custom trust policy.

   1. Add the following custom trust policy:

   1. Choose **Next**.

   1. Attach the permissions policy to the build role. On the **Add permissions** page, in the **Permissions policies** section, search for `codecatalyst-webapp-build-policy` and select its check box.

   1. Choose **Next**.

   1. For **Role name**, enter:

      ```
      codecatalyst-webapp-build-role
      ```

   1. For **Role description**, enter:

      ```
      CodeCatalyst Web app build role
      ```

   1. Choose **Create role**.

   You have now created a build role with a trust policy and permissions policy.

1. Attach the permissions policy to the build role, as follows:

   1. In the navigation pane, choose **Roles**, and then search for `codecatalyst-webapp-build-role`.

   1. Choose `codecatalyst-webapp-build-role` to display its details.

   1. In the **Permissions** tab, choose **Add permissions**, and then choose **Attach policies**.

   1. Search for `codecatalyst-webapp-build-policy`, select its check box, and then choose **Attach policies**.

      You have now attached the permissions policy to the build role. The build role now has two policies: a permissions policy and a trust policy.

1. Obtain the build role ARN, as follows:

   1. In the navigation pane, choose **Roles**.

   1. In the search box, enter the name of the role you just created (`codecatalyst-webapp-build-role`).

   1. Choose the role from the list.

      The role's **Summary** page appears.

   1. At the top, copy the **ARN** value.

   You have now created the build role with the appropriate permissions, and obtained its ARN.

## Creating roles manually for the SAM blueprint
<a name="ipa-iam-roles-SAM-blueprint"></a>

The CodeCatalyst SAM blueprint uses IAM roles that you create called the **build role for CloudFormation** and the **deploy role for SAM**.

Follow these steps to create the roles in IAM.

**To create a build role for CloudFormation**

1. Create a policy for the role, as follows:

   1. Sign in to AWS.

   1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

   1. In the navigation pane, choose **Policies**.

   1. Choose **Create Policy**.

   1. Choose the **JSON** tab.

   1. Delete the existing code.

   1. Paste the following code:

      ```
      {
          "Version":"2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "s3:*",
                      "cloudformation:*"
                  ],
                  "Resource": "*"
              }
          ]
      }
      ```

      **Note**  
      The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.

      ```
      "Resource": "*"
      ```

   1. Choose **Next: Tags**.

   1. Choose **Next: Review**.

   1. In **Name**, enter:

      ```
      codecatalyst-SAM-build-policy
      ```

   1. Choose **Create policy**.

      You have now created a permissions policy.

1. Create the build role, as follows:

   1. In the navigation pane, choose **Roles**, and then choose **Create role**.

   1. Choose **Custom trust policy**.

   1. Delete the existing custom trust policy.

   1. Add the following custom trust policy:

   1. Choose **Next**.

   1. Attach the permissions policy to the build role. On the **Add permissions** page, in the **Permissions policies** section, search for `codecatalyst-SAM-build-policy` and select its check box.

   1. Choose **Next**.

   1. For **Role name**, enter:

      ```
      codecatalyst-SAM-build-role
      ```

   1. For **Role description**, enter:

      ```
      CodeCatalyst SAM build role
      ```

   1. Choose **Create role**.

   You have now created a build role with a trust policy and permissions policy.

1. Attach the permissions policy to the build role, as follows:

   1. In the navigation pane, choose **Roles**, and then search for `codecatalyst-SAM-build-role`.

   1. Choose `codecatalyst-SAM-build-role` to display its details.

   1. In the **Permissions** tab, choose **Add permissions**, and then choose **Attach policies**.

   1. Search for `codecatalyst-SAM-build-policy`, select its check box, and then choose **Attach policies**.

      You have now attached the permissions policy to the build role. The build role now has two policies: a permissions policy and a trust policy.

1. Obtain the build role ARN, as follows:

   1. In the navigation pane, choose **Roles**.

   1. In the search box, enter the name of the role you just created (`codecatalyst-SAM-build-role`).

   1. Choose the role from the list.

      The role's **Summary** page appears.

   1. At the top, copy the **ARN** value.

   You have now created the build role with the appropriate permissions, and obtained its ARN.

**To create a deploy role for SAM**

1. Create a policy for the role, as follows:

   1. Sign in to AWS.

   1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

   1. In the navigation pane, choose **Policies**.

   1. Choose **Create Policy**.

   1. Choose the **JSON** tab.

   1. Delete the existing code.

   1. Paste the following code:

      **Note**  
      The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available.

      ```
      "Resource": "*"
      ```

   1. Choose **Next: Tags**.

   1. Choose **Next: Review**.

   1. In **Name**, enter:

      ```
      codecatalyst-SAM-deploy-policy
      ```

   1. Choose **Create policy**.

      You have now created a permissions policy.

1. Create the deploy role, as follows:

   1. In the navigation pane, choose **Roles**, and then choose **Create role**.

   1. Choose **Custom trust policy**.

   1. Delete the existing custom trust policy.

   1. Add the following custom trust policy:

   1. Choose **Next**.

   1. Attach the permissions policy to the deploy role. On the **Add permissions** page, in the **Permissions policies** section, search for `codecatalyst-SAM-deploy-policy` and select its check box.

   1. Choose **Next**.

   1. For **Role name**, enter:

      ```
      codecatalyst-SAM-deploy-role
      ```

   1. For **Role description**, enter:

      ```
      CodeCatalyst SAM deploy role
      ```

   1. Choose **Create role**.

   You have now created a deploy role with a trust policy and permissions policy.

1. Attach the permissions policy to the deploy role, as follows:

   1. In the navigation pane, choose **Roles**, and then search for `codecatalyst-SAM-deploy-role`.

   1. Choose `codecatalyst-SAM-deploy-role` to display its details.

   1. In the **Permissions** tab, choose **Add permissions**, and then choose **Attach policies**.

   1. Search for `codecatalyst-SAM-deploy-policy`, select its check box, and then choose **Attach policies**.

      You have now attached the permissions policy to the deploy role. The deploy role now has two policies: a permissions policy and a trust policy.

1. Obtain the deploy role ARN, as follows:

   1. In the navigation pane, choose **Roles**.

   1. In the search box, enter the name of the role you just created (`codecatalyst-SAM-deploy-role`).

   1. Choose the role from the list.

      The role's **Summary** page appears.

   1. At the top, copy the **ARN** value.

   You have now created the deploy role with the appropriate permissions, and obtained its ARN.