

Amazon CodeCatalyst is no longer open to new customers. Existing customers can continue to use the service as normal. For more information, see [How to migrate from CodeCatalyst](migration.md).

# Organize resources with spaces in CodeCatalyst
<a name="spaces"></a>

You create a space that represents you, your company, department, or group, and provides a place where your development teams can manage projects. You must create a space to add projects, members, and the associated cloud resources you create in Amazon CodeCatalyst. 

**Note**  
Space names must be unique across CodeCatalyst. You cannot reuse names of deleted spaces.

When you create a space, you are automatically assigned the **Space administrator** role. You can add this role to other users in the space. 

With the **Space administrator** role, you can manage the space as follows:
+ Add other space administrators to the space
+ Change member roles and permissions
+ Edit or delete the space
+ Create projects and invite members to the project
+ View a list of all projects in the space
+ View the activity feed for all projects in the space

When you create a space, you are automatically added to the space with two roles: the **Space administrator** role, and the **Project administrator** role for the project you created as part of creating the space. Additional users are added as members to the space automatically when they accept invitations to projects. This membership in the space does not grant any permissions in the space. What users can do in a space is determined by the role the user has in a specific project.

For more information about roles, see [Granting access with user roles](ipa-roles.md).

![\[Diagram showing how spaces share members and resources across projects while all projects return activity data to the space level\]](http://docs.aws.amazon.com/codecatalyst/latest/userguide/images/spaces/spaces-flow.png)


The following are additional considerations for added accounts: 
+ AWS accounts added to a CodeCatalyst space can be used in any project in that space.
+ While each environment can support multiple AWS accounts, you can only use one account per environment in an action.
+ Billing is configured at the space level. Multiple accounts can be configured for billing, but only one can be active in a CodeCatalyst space. An AWS account can be used as a billing account for more than one space in CodeCatalyst. The AWS account that is specified as the billing account for your CodeCatalyst space has different quotas from other account connections for a space. For more information, see [Quotas for CodeCatalyst](quotas.md).
+ After you create a connection, you must add AWS IAM roles to your connection if your workflow must access those IAM roles with your CodeCatalyst environment. For more information about how environments are used, see [Deploying into AWS accounts and VPCs](deploy-environments.md).

**Topics**
+ [Creating a space](spaces-create.md)
+ [Editing a space](spaces-edit.md)
+ [Deleting a space](spaces-delete.md)
+ [Monitoring activity for users and resources in a space](spaces-activity.md)
+ [Allowing access to AWS resources with connected AWS accounts](ipa-connect-account.md)
+ [Configuring IAM roles for connected accounts](spaces-manage-roles.md)
+ [Granting users space permissions](spaces-members.md)
+ [Allowing space access using teams](managing-teams.md)
+ [Allowing space access for machine resources](managing-machine-resources.md)
+ [Administering Dev Environments for a space](spaces-devenv.md)
+ [Quotas for spaces](spaces-quotas-limits.md)

# Creating a space
<a name="spaces-create"></a>

When you first sign up in Amazon CodeCatalyst with your AWS Builder ID, you are required to create a space. For more information, see [Set up and sign in to CodeCatalyst](setting-up-topnode.md). You can choose to create additional spaces to meet your business needs. 

**Note**  
Space names must be unique across CodeCatalyst. You cannot reuse names of deleted spaces.

The information in this guide is provided for creating spaces in CodeCatalyst that support AWS Builder ID users. The steps to set up and administer a space that supports identity federation are provided in the *CodeCatalyst Administrator Guide*. To work with spaces that are set up for identity federation, see [Setup and administration for CodeCatalyst spaces](https://docs.aws.amazon.com/codecatalyst/latest/adminguide/what-is.html) in the *Amazon CodeCatalyst Administrator Guide*.

To create additional spaces that support AWS Builder ID users, you must be assigned the Space administrator role.

**Note**  
When you create an additional space, you are not prompted to create a project. To learn how to create projects in a space, see [Creating a project](projects-create.md). <a name="space-create-additional"></a>

**To create another space**

1. In the AWS Management Console, make sure you are signed in with the same AWS account that you want to associate with your CodeCatalyst space.

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your space.
**Tip**  
If you belong to more than one space, choose a space in the top navigation bar.

1. Choose **Create space**.

1. On the **Create a space** page, in **Space name**, enter a name for the space. You cannot change this later.
**Note**  
Space names must be unique across CodeCatalyst. You cannot reuse names of deleted spaces.

1. In **AWS Region**, choose the Region where you want to store your space and project data. You cannot change this later.

1. In **AWS account ID**, enter the twelve-digit ID for the account you want to connect to your space.

   In **AWS account verification token**, copy the generated token ID. The token is automatically copied for you, but you might want to store it while you approve the AWS connection request.

1. Choose **Verify in AWS**.

1. The **Verify Amazon CodeCatalyst space** page opens in the AWS Management Console. This is the **Amazon CodeCatalyst Spaces** page. You might need to sign in to access the page.

   In the AWS Management Console, make sure to choose the same AWS Region where you want to create your space.

   To directly access the page, sign in to the **Amazon CodeCatalyst Spaces** page in the AWS Management Console at https://console.aws.amazon.com/codecatalyst/home/.

   The verification token is automatically entered in **Verification token**. A success banner confirms that the token is valid.

1. Choose **Verify space**.

   An **Account verified** success message displays to show that the account has been added to the space.

1. Remain on the **Verify Amazon CodeCatalyst space** page. Choose the following link: **To add IAM roles for this space, view space details.**

   The **CodeCatalyst space details** page opens in the AWS Management Console. This is the **Amazon CodeCatalyst Spaces** page. You might need to log in to access the page.

1. Under **IAM roles available to CodeCatalyst**, choose **Add IAM role**. 

   The **Add IAM roles available to CodeCatalyst** page displays.

1. Choose **Create CodeCatalyst development administrator role in IAM**. This option creates a service role that contains the permissions policy and trust policy for the development role. 

   The developer role is an AWS IAM role that enables your CodeCatalyst workflows to access AWS resources such as Amazon S3, Lambda, and CloudFormation. The role will have a name `CodeCatalystWorkflowDevelopmentRole-spaceName` with a unique identifier appended. For more information about the role and role policy, see [Understanding the **CodeCatalystWorkflowDevelopmentRole-*spaceName*** service role](ipa-iam-roles.md#ipa-iam-roles-service-role).

1. Choose **Create development role**.

1. On the connection page, under **IAM roles available to CodeCatalyst**, view the developer role in the list of IAM roles added to your account.

1. Choose **Go to Amazon CodeCatalyst**.

1. On the creation page in CodeCatalyst, choose **Create space**.

# Editing a space
<a name="spaces-edit"></a>

You can change the description of a space to help users better understand what it's for.

You must have the **Space administrator** role to edit space details.

The information in this guide is provided for editing spaces in CodeCatalyst that support AWS Builder ID users. To learn more about the steps to set up and administer a space that supports identity federation, see [Setup and administration for CodeCatalyst spaces](https://docs.aws.amazon.com/codecatalyst/latest/adminguide/what-is.html) in the *Amazon CodeCatalyst Administrator Guide*.<a name="spaces-edit-console"></a>

**To edit a space description**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your space.
**Tip**  
If you belong to more than one space, choose a space in the top navigation bar.

1. On the **Space settings** tab, choose **Edit**. Make the changes you want to the space description, and then choose **Save**.

# Deleting a space
<a name="spaces-delete"></a>

You can delete a space to remove access to all of the space's resources. You must have the **Space administrator** role to delete a space.

**Note**  
You cannot undo a space deletion.

After you have deleted a space, all space members will be unable to access space resources. Billing for space resources will also stop, and any workflows that are prompted by third-party source repositories will be stopped.

**Note**  
Space names must be unique across CodeCatalyst. You cannot reuse names of deleted spaces.

The information in this guide is provided for deleting spaces in CodeCatalyst that support AWS Builder ID users. To learn more about the steps to set up and administer a space that supports identity federation, see [Setup and administration for CodeCatalyst spaces](https://docs.aws.amazon.com/codecatalyst/latest/adminguide/what-is.html) in the *Amazon CodeCatalyst Administrator Guide*.

**To delete a space**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your space.
**Tip**  
If you belong to more than one space, choose a space in the top navigation bar.

1. Choose **Settings**, and then choose **Delete**.

1. Type **delete** to confirm the deletion.

1. Choose **Delete**.
**Note**  
If you belong to more than one space, you're redirected to the space overview page. If you belong to one space, you're redirected to the space creation page.

# Monitoring activity for users and resources in a space
<a name="spaces-activity"></a>

To see recently created projects and status updates, you can use the CodeCatalyst console to view an activity feed that shows updates for space resources.

In the activity feed, you can view metrics such as failed workflow runs and created projects.

**To view activity in your space**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your CodeCatalyst space.
**Tip**  
If you belong to more than one space, choose a space in the top navigation bar.

1. Choose **Activity**.

1. View the information in **Activity**. 

1. To filter by activity, choose the selector on the upper right.

1. To view all activity in your space, choose **Any activity type**.

# Allowing access to AWS resources with connected AWS accounts
<a name="ipa-connect-account"></a>

You can use resources from your AWS accounts in Amazon CodeCatalyst spaces. To do so, you must set up a connection between the AWS accounts and your space in CodeCatalyst. Creating a connection like this means that projects and workflows within your CodeCatalyst space can interact with resources in your AWS accounts. You must create one connection for each AWS account you want to use with your CodeCatalyst space.

After you create a connection, you can choose to associate AWS IAM roles with it.

**Topics**
+ [Adding an AWS account to a space](ipa-connect-account-create.md)
+ [Adding IAM roles to account connections](ipa-connect-account-addroles.md)
+ [Adding the account connection and IAM roles to your deploy environment](ipa-connect-account-addroles-env.md)
+ [Viewing account connections](ipa-connect-account-list.md)
+ [Deleting account connections (in CodeCatalyst)](ipa-connect-account-delete.md)
+ [Configuring a billing account for a space](connect-account-billing-ref.md)

You can set up CodeCatalyst to use authorized AWS accounts by adding the accounts to your space. By adding AWS accounts to your CodeCatalyst space, you can give your project workflows access to AWS account resources and your billing configuration.

Adding an AWS account creates a connection that authorizes CodeCatalyst to use this account. You can use added AWS accounts to do the following:
+ Set up billing for a CodeCatalyst space. See [Managing billing](https://docs.aws.amazon.com/codecatalyst/latest/adminguide/managing-billing.html) in the Amazon CodeCatalyst Administrator Guide. The AWS account that is specified as the billing account for your CodeCatalyst space has different quotas from other account connections for a space. For more information, see [Quotas for CodeCatalyst](quotas.md).
+ Allow CodeCatalyst to assume IAM roles to access AWS resources and deploy to AWS services in the account. See [Configuring IAM roles for connected accounts](spaces-manage-roles.md).

Account connections are created by completing authorization with the AWS account. After the connection is created, you further configure the connection for workflows and projects to use by adding IAM roles.

For the steps to configure account connections in the AWS Management Console page for CodeCatalyst as the administrator for the AWS account and the space, see [Managing connected accounts](https://docs.aws.amazon.com/codecatalyst/latest/adminguide/managing-billing.html) in the *CodeCatalyst Administrator Guide*. Account connections can be configured for restriction to specific projects. You can only associate workflows or VPC connections with an AWS account that has access to your project. For more information, see [Configuring project-restricted account connections](https://docs.aws.amazon.com/codecatalyst/latest/adminguide/managing-accounts.html#managing-accounts-restriction).

# Adding an AWS account to a space
<a name="ipa-connect-account-create"></a>

You use the CodeCatalyst console and the AWS Management Console to connect your space to an AWS account.

Before adding an AWS account to a space in CodeCatalyst, complete the following prerequisites:
+ Create an AWS account and acquire permissions to create AWS IAM roles in the account you want to connect.
+ Create the IAM role or roles you want to associate with your account connection, including the IAM policies with permissions for the roles.
+ Acquire the **Space administrator** role in the CodeCatalyst space where you want to create the connection.

**Topics**
+ [Step 1: Creating a connection request](#ipa-connect-account-create-request)
+ [Step 2: Accepting an account connection request](#ipa-connect-account-create-accept)
+ [Step 3: Review an approved connection](#ipa-connect-account-create-review)
+ [Step 4: Add IAM roles to your connection](#ipa-connect-account-linkedroles)
+ [Next steps: Create additional IAM roles for your account connection](#ipa-connect-account-next)

## Step 1: Creating a connection request
<a name="ipa-connect-account-create-request"></a>

Creating a connection request in the CodeCatalyst console generates a connection token that you can use to complete authorization.

You must have the **Space administrator** or **Power user** role in the CodeCatalyst space where you want to create the connection. You must also have administrative permissions for the AWS account you want to add.

**To create a connection**

1. In the AWS Management Console, make sure you are logged in with the same account that you want to create a connection with.

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your CodeCatalyst space. Choose **Settings**, and then choose **AWS accounts**.

1. Choose **Add an AWS account**.

1. On the **Associate AWS account with Amazon CodeCatalyst** page, in **AWS account ID**, enter the twelve-digit ID for the account you want to connect to your space. For information about finding your AWS account ID, see [Your AWS account ID and its alias](https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html).

1. In **Amazon CodeCatalyst display name**, enter a reference name for the account.

1. (Optional) In **Connection description**, enter a description for the account that will help you choose the projects where the account and role or roles will apply.

1. Choose **Associate AWS account**.

1. The page returns to the **AWS account details** page where a success banner displays.

## Step 2: Accepting an account connection request
<a name="ipa-connect-account-create-accept"></a>

After you submit a request in the CodeCatalyst console to connect to your AWS account, you work with your AWS administrator to accept the connection request by submitting it with the provided connection token.

Make sure you have administrator permissions for your account, and you're signed in to the AWS Management Console with the same AWS account for which you're creating the connection.

**To approve a connection request (console)**

1. In the AWS Management Console, make sure you are logged in with the same account that you want to create a connection with.

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your CodeCatalyst space. Choose **Settings**, and then choose **AWS accounts**.

1. On the **AWS account details** page, choose **Complete setup in the AWS Management Console**.

1. The **Verify Amazon CodeCatalyst space** page opens in the AWS Management Console. This is the **Amazon CodeCatalyst Spaces** page. You might need to log in to access the page.

   To directly access the page, sign in to the **Amazon CodeCatalyst Spaces** page in the AWS Management Console at https://console.aws.amazon.com/codecatalyst/home/.

   The verification token is automatically entered in **Verification token**. A success message confirms that the token is valid.

1. (Optional) Under **Authorized paid tiers**, choose **Authorize paid tiers (Standard, Enterprise)** to turn on the paid tiers for your billing account.
**Note**  
This does not upgrade the billing tier to a paid tier. However, this configures the AWS account so that you can change the billing tier for your space at any time in CodeCatalyst. You can turn on the paid tiers at any time. Without making this change, the space is only able to use the Free tier.

1. Choose **Verify space**.

   An **Account verified** success message displays to show that the account has been added to the space.

## Step 3: Review an approved connection
<a name="ipa-connect-account-create-review"></a>

After getting a connection approved, you can view the connection in the console, along with the IAM roles you added to it. 

**To review an approved connection**

1. Navigate to your CodeCatalyst space. Choose **Settings**, and then choose **AWS accounts**.

1. The account connection is listed with the date it was created.

1. Choose the account display name. The **AWS account details** page displays.

## Step 4: Add IAM roles to your connection
<a name="ipa-connect-account-linkedroles"></a>

If you're using an IAM role configured for a CodeCatalyst deploy action, add the role to your deployment environment. For more information, see [Adding IAM roles to account connections](ipa-connect-account-addroles.md). 

## Next steps: Create additional IAM roles for your account connection
<a name="ipa-connect-account-next"></a>

After you create a connection, you can create additional IAM roles to add to it. The IAM roles that you add are dependent on your workflows. For example, a CodeCatalyst build action requires the CodeCatalyst build role.

To connect your account, you will need the Amazon Resource Name (ARN) for the roles you created. Copy the ARN for your role or roles as detailed here. For more information about working with ARNs for IAM roles, see [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html).

**To access your IAM role ARN**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Roles**.

1. In the search box, enter the name of the role you want to add.

1. Choose the role from the list.

   The role's **Summary** page appears.

1. At the top, copy the **Role ARN** value.

# Adding IAM roles to account connections
<a name="ipa-connect-account-addroles"></a>

Part of creating your account connection includes adding the IAM role or roles you want to use with projects in your CodeCatalyst space.

**Note**  
To use IAM roles with an account connection, make sure that the trust policy is updated to use the CodeCatalyst service principal.

**Add IAM roles to an account connection (console)**

1. In the AWS Management Console, make sure you are logged in with the same account that you want to manage.

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your CodeCatalyst space. Choose **Settings**, and then choose **AWS accounts**.

1. Choose the **Amazon CodeCatalyst display name** of your account connection, and then choose **Manage roles from AWS Management Console**.

   The **Add IAM role to Amazon CodeCatalyst space** page displays.

1. Do one of the following:
   + To create a service role that contains the permissions policy and trust policy for the developer role, choose **Create CodeCatalyst development administrator role in IAM**. The role will have a name `CodeCatalystWorkflowDevelopmentRole-spaceName` with a unique identifier appended. For more information about the role and role policy, see [Understanding the **CodeCatalystWorkflowDevelopmentRole-*spaceName*** service role](ipa-iam-roles.md#ipa-iam-roles-service-role).

     Choose **Create development role**.
   + To add a role that you have already created in IAM, choose **Add an existing IAM role**. In **Select existing IAM role**, choose the role from the drop-down list.

     Choose **Add role**.

   The page opens in the AWS Management Console. You might need to log in to access the page.

1. In the **Amazon CodeCatalyst spaces** page navigation pane, choose **Spaces**. 

   To directly access the page, sign in to the **Amazon CodeCatalyst Spaces** page in the AWS Management Console at https://console.aws.amazon.com/codecatalyst/home/.

1. Choose the account added for your CodeCatalyst space. The connection page is shown.

1. On the connection page, under **IAM roles available to CodeCatalyst**, view the list of IAM roles added to your account. Choose **Associate IAM role to CodeCatalyst**.

1. On the **Associate an IAM role** pop-up, in **Role ARN**, enter the Amazon Resource Name (ARN) of the IAM role you want to associate with your CodeCatalyst space.

   Under **Purpose**, choose a role purpose that describes how you want to use the role in your account connection. Specify `RUNNER` for roles that you use to run actions in workflows. Specify `SERVICE` for roles that you use to access another service.

   You can specify more than one purpose. 
**Note**  
Choosing a purpose for the role ARN is required.

1. Choose **Associate an IAM role**. Repeat these steps for additional IAM roles.
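The note at the top of this procedure requires the role's trust policy to use the CodeCatalyst service principal. The following check is an added example, not AWS code: it audits a trust policy document offline before you associate the role ARN. It assumes the principal names `codecatalyst.amazonaws.com` and `codecatalyst-runner.amazonaws.com` and the `arn:aws:codecatalyst:::space/<spaceId>/project/*` form of `aws:SourceArn` from the CodeCatalyst trust model documentation; neither is stated on this page, and the sample policies and space ID are constructed.

```python
# Added example: offline audit of IAM role trust policies for CodeCatalyst.
# The principal names and SourceArn prefix are assumptions taken from the
# CodeCatalyst trust model documentation, not from this page.
CODECATALYST_PRINCIPALS = {
    "codecatalyst.amazonaws.com",
    "codecatalyst-runner.amazonaws.com",
}
SOURCE_ARN_PREFIX = "arn:aws:codecatalyst:::space/"
CONDITION_OPERATORS = {"arnlike", "arnequals", "stringlike", "stringequals"}


def _as_list(value):
    """IAM policy fields accept either a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _source_arns(condition):
    """Collect aws:SourceArn values from the positive ARN/string operators."""
    arns = []
    for operator, keys in (condition or {}).items():
        if operator.lower() in CONDITION_OPERATORS:
            for key, value in keys.items():
                if key.lower() == "aws:sourcearn":
                    arns.extend(_as_list(value))
    return arns


def audit_trust_policy(policy):
    """Return review findings for one role trust policy given as a dict."""
    findings = []
    trusts_codecatalyst = False
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal") or {}
        if not isinstance(principal, dict):
            findings.append(f"statement {i}: wildcard or malformed principal {principal!r}")
            continue
        services = set(_as_list(principal.get("Service")))
        other_types = sorted(k for k in principal if k != "Service")
        if other_types:
            findings.append(f"statement {i}: non-service principal types {other_types}")
        unexpected = sorted(services - CODECATALYST_PRINCIPALS)
        if unexpected:
            findings.append(f"statement {i}: unexpected service principals {unexpected}")
        if not services & CODECATALYST_PRINCIPALS:
            continue
        trusts_codecatalyst = True
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            findings.append(f"statement {i}: Action does not list sts:AssumeRole")
        arns = _source_arns(stmt.get("Condition"))
        if not arns:
            findings.append(f"statement {i}: no aws:SourceArn condition")
        for arn in arns:
            space_id = arn[len(SOURCE_ARN_PREFIX):].split("/", 1)[0]
            if not arn.startswith(SOURCE_ARN_PREFIX):
                findings.append(f"statement {i}: aws:SourceArn is not a CodeCatalyst space ARN")
            elif not space_id or "*" in space_id or "?" in space_id:
                findings.append(f"statement {i}: aws:SourceArn is not pinned to one space")
    if not trusts_codecatalyst:
        findings.append("no statement trusts a CodeCatalyst service principal")
    return findings


def _sample(services, source_arn=None):
    """Build a constructed single-statement trust policy for the demo."""
    stmt = {"Effect": "Allow", "Principal": {"Service": services},
            "Action": "sts:AssumeRole"}
    if source_arn:
        stmt["Condition"] = {"ArnLike": {"aws:SourceArn": source_arn}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


# Constructed sample policies; the space ID is a placeholder.
BOTH = ["codecatalyst-runner.amazonaws.com", "codecatalyst.amazonaws.com"]
SAMPLES = {
    "scoped": _sample(
        BOTH,
        "arn:aws:codecatalyst:::space/00000000-0000-0000-0000-000000000000/project/*",
    ),
    "any-space": _sample(BOTH, "arn:aws:codecatalyst:::space/*/project/*"),
    "unscoped": _sample(BOTH + ["ec2.amazonaws.com"]),
    "not-updated": _sample("ec2.amazonaws.com"),
}

if __name__ == "__main__":
    for name, policy in SAMPLES.items():
        result = audit_trust_policy(policy)
        print(name, "OK" if not result else result)
```

To audit a real role, pass in the `AssumeRolePolicyDocument` returned by `aws iam get-role`, parsed from JSON.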

# Adding the account connection and IAM roles to your deploy environment
<a name="ipa-connect-account-addroles-env"></a>

To access AWS resources, such as Amazon ECS or AWS Lambda resources for deployments, CodeCatalyst build and deploy actions require IAM roles with permissions to access those resources. With the **Space administrator** or **Power user** role, you can connect your CodeCatalyst account to the AWS account where your resources are created. You then add the IAM role to your account connection. For deploy actions, you must then add the IAM role to a CodeCatalyst environment.

You must add the IAM roles that you want to use with deployment environments in your projects. Adding the roles to the account connection does not add the roles and the connection to the project deploy environments. To add your account connection and IAM roles to your deploy environment, make sure that the account connection and roles are created as detailed in [Step 4: Add IAM roles to your connection](ipa-connect-account-create.md#ipa-connect-account-linkedroles). 

Then, use the **Environments** page in the CodeCatalyst console to add your account connection and IAM role to a deploy environment in a project.

**Note**  
You only add an IAM role to an environment if the IAM role is used for a CodeCatalyst action that requires an IAM role. All workflow actions that require IAM roles, including build actions, must use a CodeCatalyst environment.

**To add your account connection and IAM roles to your deploy environment**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to the project with the deployment environment where you want to add the account connection and IAM roles.

1. Expand **CI/CD**, and then choose **Environments**.

1. Choose your environment, and then the additional tabs display.

1. Choose the **AWS account connections** tab. Under **Connection name**, the accounts that have been added to the environment, if any, are listed.

1. Choose **Associate AWS account**. The **Associate AWS account with <environment_name>** page displays.

1. Under **Connection**, choose the name of the account connection with the IAM roles that you want to add. Choose **Associate**.

# Viewing account connections
<a name="ipa-connect-account-list"></a>

You can view a list of your connections and view details about each connection.

You must have the **Space administrator** or **Power user** role to manage connections for your space.

**To view all connections for a CodeCatalyst space**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to the space with the account connection that you want to view.

1. Choose the **AWS accounts** tab.

1. Under **AWS accounts**, view the list of account connections for the space, including the account ID and status for each connection.

**To view account connection details**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your CodeCatalyst space. Choose **Settings**, and then choose **AWS accounts**.

1. In **Amazon CodeCatalyst display name**, choose the connection name. On the **Details** page, view the list of IAM roles associated with the connection along with other details.

# Deleting account connections (in CodeCatalyst)
<a name="ipa-connect-account-delete"></a>

You can delete an account connection that you no longer need. For this procedure, you will use CodeCatalyst to delete an account connection that you have previously added to your space. This deletes the account connection from your space, provided that the account is not the billing account for the space.

**Important**  
After an account connection is deleted, you cannot reconnect it. You must create a new account connection and then associate IAM roles and environments, or set up billing, as needed.

A billing account must be designated for your CodeCatalyst space, even if usage for the space will not exceed the Free tier. Before you can remove a space for an account that is a designated billing account, you will need to add another account for your space. See [Managing billing](https://docs.aws.amazon.com/codecatalyst/latest/adminguide/managing-billing.html) in the Amazon CodeCatalyst Administrator Guide.

**Important**  
While you can use these steps to remove an account, this is not recommended. The account might also be set up to support workflows in CodeCatalyst.

To manage account connections for your space, you must have the **Space administrator** or **Power user** role.

An account that has been removed can be added again later, but you must create a new connection between the account and the space. You will need to re-associate any IAM roles to the added account.

**To delete an account connection**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your CodeCatalyst space. Choose **Settings**, and then choose **AWS accounts**.

1. Under **Amazon CodeCatalyst display name**, choose the selector next to the account connection that you want to remove.

1. Choose **Remove AWS account**. Confirm the deletion by entering the name in the field, and then choose **Remove**.

   A success banner displays, and the account connection is removed from the list of connections.

# Configuring a billing account for a space
<a name="connect-account-billing-ref"></a>

A billing account must be designated for your CodeCatalyst space, even if usage for the space will not exceed the Free tier.

To configure a billing account, see [Billing](https://docs.aws.amazon.com/codecatalyst/latest/adminguide/managing-billing.html) in the *CodeCatalyst Administrator Guide*. The AWS account that is specified as the billing account for your CodeCatalyst space has different quotas from other account connections for a space. For more information, see [Quotas for CodeCatalyst](quotas.md).



To remove an account that is a designated billing account for your CodeCatalyst space, make sure to first specify a new billing account.

# Configuring IAM roles for connected accounts
<a name="spaces-manage-roles"></a>

You create roles in AWS Identity and Access Management (IAM) for the account that you want to add to CodeCatalyst. If you are adding a billing account, you do not need to create roles.

In your AWS account, you must have permissions to create roles for the AWS account you want to add to your space. For more information about IAM roles and policies, including IAM references and example policies, see [Identity and Access Management and Amazon CodeCatalyst](security-iam.md). For more information about the trust policy and service principals used in CodeCatalyst, see [Understanding the CodeCatalyst trust model](trust-model.md).

In CodeCatalyst, you must be signed in with the Space administrator role to complete the steps to add accounts (and the roles, if applicable) to your space.

You can add roles to your account connections by using one of the following methods. 
+ To create a service role that contains the permissions policy and trust policy for the **CodeCatalystWorkflowDevelopmentRole-*spaceName*** role, see [**CodeCatalystWorkflowDevelopmentRole-*spaceName*** role](#spaces-manage-roles-createrole).
+ For an example of creating a role and adding a policy to create a project from a blueprint, see [Creating an IAM role and using the CodeCatalyst trust policy](#ipa-connect-account-createrole).
+ For a list of sample role policies to use when creating your IAM roles, see [Grant access to project AWS resources with IAM roles](ipa-iam-roles.md).
+ For detailed steps to create roles for workflow actions, see the workflow tutorial for that action as follows:
  + [Tutorial: Upload artifacts to Amazon S3](build-deploy.md)
  + [Tutorial: Deploy a serverless application](deploy-tut-lambda.md)
  + [Tutorial: Deploy an application to Amazon ECS](deploy-tut-ecs.md)
  + [Tutorial: Lint code using a GitHub Action](integrations-github-action-tutorial.md)

**Topics**
+ [**CodeCatalystWorkflowDevelopmentRole-*spaceName*** role](#spaces-manage-roles-createrole)
+ [**AWSRoleForCodeCatalystSupport** role](#w2aac25c29c18c17)
+ [Creating an IAM role and using the CodeCatalyst trust policy](#ipa-connect-account-createrole)

## **CodeCatalystWorkflowDevelopmentRole-*spaceName*** role
<a name="spaces-manage-roles-createrole"></a>

You create the developer role as a 1-click role in IAM. You must have the **Space administrator** or **Power user** role in the space where you want to add the account. You must also have administrative permissions for the AWS account you want to add.

Before you start the procedure below, you must log in to the AWS Management Console with the same account that you want to add to your CodeCatalyst space. Otherwise, the console will return an unknown account error.

**To create and add the CodeCatalystWorkflowDevelopmentRole-*spaceName* role**

1. Before you start in the CodeCatalyst console, open the AWS Management Console, and then make sure you are logged in with the same AWS account for your space.

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your CodeCatalyst space. Choose **Settings**, and then choose **AWS accounts**.

1. Choose the link for the AWS account where you want to create the role. The **AWS account details** page displays.

1. Choose **Manage roles from AWS Management Console**. 

   The **Add IAM role to Amazon CodeCatalyst space** page opens in the AWS Management Console. This is the **Amazon CodeCatalyst spaces** page. You might need to log in to access the page.

1. Choose **Create CodeCatalyst development administrator role in IAM**. This option creates a service role that contains the permissions policy and trust policy for the development role. The role will have a name `CodeCatalystWorkflowDevelopmentRole-spaceName`. For more information about the role and role policy, see [Understanding the **CodeCatalystWorkflowDevelopmentRole-*spaceName*** service role](ipa-iam-roles.md#ipa-iam-roles-service-role).
**Note**  
This role is only recommended for use with developer accounts and uses the `AdministratorAccess` AWS managed policy, giving it full access to create new policies and resources in this AWS account.

1. Choose **Create development role**.

1. On the connections page, under **IAM roles available to CodeCatalyst**, view the `CodeCatalystWorkflowDevelopmentRole-spaceName` role in the list of IAM roles added to your account.

1. To return to your space, choose **Go to Amazon CodeCatalyst**.

## **AWSRoleForCodeCatalystSupport** role
<a name="w2aac25c29c18c17"></a>

You create the support role as a 1-click role in IAM. You must have the **Space administrator** or **Power user** role in the space where you want to add the account. You must also have administrative permissions for the AWS account you want to add.

Before you start the procedure below, you must log in to the AWS Management Console with the same account that you want to add to your CodeCatalyst space. Otherwise, the console will return an unknown account error.

**To create and add the AWSRoleForCodeCatalystSupport role**

1. Before you start in the CodeCatalyst console, open the AWS Management Console, and then make sure you are logged in with the same AWS account for your space.

1. Navigate to your CodeCatalyst space. Choose **Settings**, and then choose **AWS accounts**.

1. Choose the link for the AWS account where you want to create the role. The **AWS account details** page displays.

1. Choose **Manage roles from AWS Management Console**. 

   The **Add IAM role to Amazon CodeCatalyst space** page opens in the AWS Management Console. This is the **Amazon CodeCatalyst Spaces** page. You might need to sign in to access the page.

1. Under **CodeCatalyst space details**, choose **Add CodeCatalyst Support role**. This option creates a service role that contains the permissions policy and trust policy for the preview development role. The role will have a name **AWSRoleForCodeCatalystSupport** with a unique identifier appended. For more information about the role and role policy, see [Understanding the **AWSRoleForCodeCatalystSupport** service role](ipa-iam-roles.md#ipa-iam-roles-support-role).

1. On the **Add role for CodeCatalyst Support** page, leave the default selected, and then choose **Create role**.

1. Under **IAM roles available to CodeCatalyst**, view the `CodeCatalystWorkflowDevelopmentRole-spaceName` role in the list of IAM roles added to your account.

1. To return to your space, choose **Go to Amazon CodeCatalyst**.

## Creating an IAM role and using the CodeCatalyst trust policy
<a name="ipa-connect-account-createrole"></a>

IAM roles to be used in CodeCatalyst with AWS account connections must be configured to use the trust policy provided here. Use these steps to create an IAM role and attach a policy that allows you to create projects from blueprints in CodeCatalyst.

As an alternative, you can create a service role that contains the permissions policy and trust policy for the `CodeCatalystWorkflowDevelopmentRole-spaceName` role. For more information, see [Adding IAM roles to account connections](ipa-connect-account-addroles.md).

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Choose **Roles**, and then choose **Create role**.

1. Choose **Custom trust policy**.

1. Under the **Custom trust policy** form, paste the following trust policy.

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "Service": [
                       "codecatalyst-runner.amazonaws.com",
                       "codecatalyst.amazonaws.com"
                   ]
               },
               "Action": "sts:AssumeRole",
               "Condition": {
                   "ArnLike": {
                       "aws:SourceArn": "arn:aws:codecatalyst:::space/spaceId/project/*"
                   }
               }
           }
       ]
   }
   ```

1. Choose **Next**.

1. Under **Add permissions**, search for and select a custom policy that you have already created in IAM.

1. Choose **Next**.

1. For **Role name**, enter a name for the role, for example: `codecatalyst-project-role`

1. Choose **Create role**.

1. Copy the role Amazon Resource Name (ARN). You'll need to provide this information when adding the role to your account connection or environment.
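
The following check can be run on a trust policy before you paste it into the **Custom trust policy** form. It is an added example, not part of CodeCatalyst or its documentation, and it confirms that only the two CodeCatalyst service principals shown in the procedure can assume the role and that `aws:SourceArn` names a single space. The function names and the sample space ID are constructed for illustration, and treating a literal `spaceId` as an unreplaced placeholder is an assumption.

```python
import json

# Service principals and ARN shape copied from the trust policy on this page.
CODECATALYST_PRINCIPALS = {"codecatalyst-runner.amazonaws.com", "codecatalyst.amazonaws.com"}
SOURCE_ARN_PREFIX = "arn:aws:codecatalyst:::space/"
POSITIVE_OPERATORS = {"arnlike", "arnequals", "stringlike", "stringequals"}


def _as_list(value):
    """IAM accepts a single value or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _source_arns(condition):
    """Collect aws:SourceArn values from positive ARN/string condition operators."""
    arns = []
    if not isinstance(condition, dict):
        return arns
    for operator, keys in condition.items():
        if operator.lower() in POSITIVE_OPERATORS and isinstance(keys, dict):
            for key, value in keys.items():
                if key.lower() == "aws:sourcearn":
                    arns.extend(_as_list(value))
    return arns


def _check_source_arn(arn):
    """Return a problem string, or None when the ARN pins exactly one space."""
    if not isinstance(arn, str) or not arn.startswith(SOURCE_ARN_PREFIX):
        return f"aws:SourceArn {arn!r} is not a CodeCatalyst space ARN"
    space_id = arn[len(SOURCE_ARN_PREFIX):].split("/", 1)[0]
    if space_id == "spaceId":
        return "aws:SourceArn still contains the spaceId placeholder"
    if not space_id or "*" in space_id or "?" in space_id:
        return f"aws:SourceArn {arn!r} does not pin a single space"
    return None


def lint_trust_policy(policy_text):
    """Return a list of findings; an empty list means the policy has the page's shape."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(policy, dict):
        return ["policy must be a JSON object"]
    findings, assume_statements = [], 0
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if not isinstance(stmt, dict) or stmt.get("Effect") != "Allow":
            continue
        actions = {str(a).lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        assume_statements += 1
        where = f"Statement[{index}]"
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            findings.append(f"{where}: Principal must contain only Service principals")
        else:
            extra = set(_as_list(principal["Service"])) - CODECATALYST_PRINCIPALS
            if extra:
                findings.append(f"{where}: unexpected service principals {sorted(extra)}")
        arns = _source_arns(stmt.get("Condition"))
        if not arns:
            findings.append(f"{where}: no aws:SourceArn condition scoping the role to a space")
        for arn in arns:
            problem = _check_source_arn(arn)
            if problem:
                findings.append(f"{where}: {problem}")
    if assume_statements == 0:
        findings.append("no Allow statement grants sts:AssumeRole")
    return findings


def build_policy(source_arn, services=None, with_condition=True):
    """Constructed sample input: a trust policy shaped like the one on this page."""
    statement = {
        "Effect": "Allow",
        "Principal": {"Service": services or sorted(CODECATALYST_PRINCIPALS)},
        "Action": "sts:AssumeRole",
    }
    if with_condition:
        statement["Condition"] = {"ArnLike": {"aws:SourceArn": source_arn}}
    return json.dumps({"Version": "2012-10-17", "Statement": [statement]})


# Constructed space ID, for illustration only.
SAMPLE_SPACE_ID = "11111111-2222-3333-4444-555555555555"

if __name__ == "__main__":
    samples = {
        "scoped": build_policy(f"{SOURCE_ARN_PREFIX}{SAMPLE_SPACE_ID}/project/*"),
        "placeholder": build_policy(f"{SOURCE_ARN_PREFIX}spaceId/project/*"),
        "any space": build_policy(f"{SOURCE_ARN_PREFIX}*/project/*"),
        "no condition": build_policy("", with_condition=False),
    }
    for name, text in samples.items():
        print(name, "->", lint_trust_policy(text) or "ok")
```

A policy that returns no findings still grants whatever the attached permissions policy allows, so review that policy separately.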

# Granting users space permissions
<a name="spaces-members"></a>

You can manage members for a space by viewing, adding, removing, or changing roles for users who join the space.

The information in this guide is provided for inviting and managing users in spaces in CodeCatalyst that support AWS Builder ID users. To learn more about the steps to set up and administer a space that supports identity federation, see [Setup and administration for CodeCatalyst spaces](https://docs.aws.amazon.com/codecatalyst/latest/adminguide/what-is.html) in the *Amazon CodeCatalyst Administrator Guide*.

# Viewing members in a space
<a name="spaces-members-view"></a>

You can view the users in your space, including information about their display names, aliases, and the role they have for the space. There are three roles for members in a space:
+ **Space administrator** – This role has all permissions in CodeCatalyst, including creating projects. Only assign this role to users who need to administer every aspect of a space, such as accessing all projects in the space.

  You cannot change this role later without removing the user first. For more information, see [Space administrator role](ipa-role-types.md#ipa-role-space-admin).
+ **Power user** – This role is the second-most powerful role in Amazon CodeCatalyst spaces, but it has no access to projects in a space. It is designed for users who need to be able to create projects in a space and help manage the users and resources for the space. For more information, see [Power user role](ipa-role-types.md#ipa-role-power-user).
+ **Limited access** – This role is assigned by default for users who join the space by accepting invitations to projects in the space. Project members are assigned a role in a project. For information about managing project members, see [Granting users project permissions](projects-members.md).

The **Space administrators** table shows users with the **Space administrator** role. These users are not shown in the **Space members** table because they are automatically (implicitly) assigned to all projects in the space and do not have a role in a project.

The **Space members** table shows all members in the space that have a role in a project while not having the **Space administrator** role.

Users are shown based on whether the user has the **Space administrator** role in CodeCatalyst as follows:
+ A user with the **Space administrator** role who later accepts a project invitation and role will not show in the **Space members** table under spaces or on the **Project members** table under projects. They will continue to be shown in the **Space administrators** table in both places. In each project, all users with the **Space administrator** role are shown in the project **Space administrators** table for that project.
+ A user who accepts a project invitation to join with a project role is added to the space with the **Limited access** role. If the user's role later changes to the **Space administrator** role, the user will move from the **Space members** table to the **Space administrators** table. Under the project, the user will move from the **Project members** table to the **Space administrators** table.

**To view users and roles in your space**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your space.
**Tip**  
If you belong to more than one space, choose a space in the top navigation bar.

1. Choose **Settings**, and then choose **Members**.

   Users who are members of the space are shown in the **Space members** table.
**Tip**  
If you have the **Space administrator** role, you can view which projects you have been directly invited to. Navigate to **Project settings** for the project, and then choose **My projects**.

   In the **Status** column, the following are valid values:
   + **Invited** – CodeCatalyst sent the invitation but the user has not yet accepted or declined.
   + **Member** – The user accepted the invitation.

# Inviting a user directly to a space
<a name="spaces-members-add-admin"></a>

You can invite users directly to your CodeCatalyst space. This is useful when you want to invite that user to help you manage the space by assigning them the **Space administrator** or **Power user** role. Assigning one of those roles to other users can help you distribute the responsibilities of managing the space across more people without having to invite these users to any projects.

**Note**  
You must have the **Space administrator** or **Power user** role to invite members.

The **Space administrators** table shows users with the **Space administrator** role. These users are not shown in the **Space members** table because they are automatically (implicitly) assigned to all projects in the space and do not have a role in a project.

Members who accept a project invitation are added to the space by default. The **Project members** table shows all members in the space that have a role in a project.

For more information about how to accept an invitation and sign in for the first time, see [Set up and sign in to CodeCatalyst](setting-up-topnode.md).

**To invite a user to your space**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your space.

1. Choose **Settings**, and then choose **Members**.

1. Choose **Invite**.

1. Enter the email of the person you would like to invite to join your space. In **Role**, choose the role you want to assign that user in the space.

1. Choose **Invite**.

# Canceling an invitation for a space
<a name="spaces-members-cancel-invite"></a>

If you want to cancel an invitation to join a space that you sent recently, and it has not yet been accepted, you can cancel it. 

To manage space invitations, you must have the **Space administrator** or **Power user** role.

**To cancel a space member invitation**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your space.
**Tip**  
If you belong to more than one space, choose a space in the top navigation bar.

1. Choose **Settings**, and then choose **Members**.

1. Verify that the member has a status of **Invited**.
**Note**  
You can only cancel an invitation that has not yet been accepted.

1. Choose the option next to the row with the invited member, and then choose **Cancel invitation**.

1. A confirmation window displays. Choose **Cancel invitation** to confirm.

# Changing the role for a space member
<a name="spaces-members-rolechange"></a>

You can change the assigned role for a member of your space. You must have the **Space administrator** role to change the role of a user in the space.

The **Space administrators** table shows users with the **Space administrator** role. These users are not shown in the **Space members** table because they are automatically (implicitly) assigned to all projects in the space.

**To change the role for a user in your space**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your space.
**Tip**  
If you belong to more than one space, choose a space in the top navigation bar.

1. Choose **Settings**, and then choose **Members**.

1. In the **Space members** table, choose the user whose role you want to change. Choose **Change role**.

# Removing a space member
<a name="spaces-members-remove-member"></a>

You can remove a member of your space when they do not need to access any of the space resources. You must have the **Space administrator** role to remove a member from a space. 

The **Space administrators** table shows users with the **Space administrator** role. These users are not shown in the **Space members** table because they are automatically (implicitly) assigned to all projects in the space and do not have a role in a project. You can only directly remove a member of your space in this table.

**To remove a user from the **Project members** table**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your space.
**Tip**  
If you belong to more than one space, choose a space in the top navigation bar.

1. Choose **Settings**, and then choose **Members**.

1. Choose the user in the **Project members** table. Choose **Remove**.
**Note**  
Removing a member from the space will remove the user from all projects in the space, along with permissions associated with the resources in those projects.

# Removing or changing the role for a user with the **Space administrator** role
<a name="spaces-members-remove"></a>

You can remove or change the role for a user with the **Space administrator** role for your space. 

You must have the **Space administrator** role to remove a user with the **Space administrator** role from a space. Changing the role for a user with the **Space administrator** role essentially removes the user from the **Space administrators** table. If that user does not have a project role in any projects in the space, removing the **Space administrator** role from the user will remove the user from the space.

**Note**  
As a user with the **Space administrator** role, you cannot remove yourself. Contact another user with the **Space administrator** role.

**To remove a user with the **Space administrator** role from the **Space members** table**
**Note**  
A user who has not been added explicitly to a project does not have any project roles (**Project administrator** or **Contributor**). If the **Space administrator** role is the user's only role, then the user is removed from the space entirely.

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to the space where you want to remove or change the role for a user with the **Space administrator** role.

1. Choose **Settings**, and then choose **Members**.

1. View the invitation status for the list of members, and make sure that the list contains no unauthorized pending invites to the space (a status of **Invited**).
**Important**  
Before removing a user with the **Space administrator** role, you must verify that no pending invites have been initiated.

1. Choose the **Members** tab. In the **Space administrators** table, choose the user, and then choose **Remove**.

   On the **Remove member** dialog box, do one of the following.
   + Choose the option to remove only the user's **Space administrator** role. Choose **Remove**.
**Important**  
If the user does not have any other role assigned, then changing the role from **Space administrator** removes the user from the space.
   + Choose the option to remove a user with the **Space administrator** role from the space and all its projects. Choose **Remove**.

1. Refresh the **Members** tab. The user is automatically added to the list of project members in any project where the user had membership through project roles. If the **Space administrator** role was the user's only role, then the user is removed from the space entirely.

# Allowing space access using teams
<a name="managing-teams"></a>

After you create a space, you can add teams. Teams allow you to group users so that they can share permissions and manage projects, issue tracking, roles, and resources in CodeCatalyst.

You must have the **Space administrator** role to manage teams.

Teams are also managed at the project/space level in CodeCatalyst. To learn more about teams in spaces/projects, see [Allowing space access using teams](#managing-teams). 

**Topics**
+ [Creating a team](managing-teams-create.md)
+ [Viewing a team](managing-teams-view.md)
+ [Granting space roles for a team](managing-teams-space-roles.md)
+ [Granting project roles for a team at the space level](managing-teams-project-roles.md)
+ [Adding a user to a team directly](managing-teams-add-users.md)
+ [Removing a user from a team directly](managing-teams-remove-users.md)
+ [Adding an SSO group to a team](managing-teams-add-sso.md)
+ [Deleting a team](managing-teams-delete.md)

# Creating a team
<a name="managing-teams-create"></a>

A team can have role permissions, such as **Power user**, in a space. A team can also have project permissions, such as **Project administrator**, in a project. Teams can be associated with many projects with different roles for each project. You can manage teams where the team members are either individual users for an AWS Builder ID space or SSO groups for a space that supports identity federation.

On the members page for space and project users, users can have multiple roles. Users with multiple roles show an indicator, and they are displayed with the role with the most permissions first.

**Note**  
If your space supports identity federation, you must already have your SSO users or your SSO groups set up in IAM Identity Center.

How you manage team members depends on how you will add and remove users. There are two options for managing team members: 
+ **Adding users directly** — You add or remove users individually. For example, you add users to a team by choosing either AWS Builder ID users or SSO users that are already set up in IAM Identity Center. When you choose to manage team members by adding AWS Builder ID users or SSO users directly, the option to use **SSO groups** will no longer be available.
+ **Use SSO groups** — You manage team members through SSO groups already set up in IAM Identity Center. When you choose to manage team members by using **SSO groups**, the option to add users directly will no longer be available.

You must have the **Space administrator** role to manage teams.

**To create a team**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your space. Choose **Settings**, and then choose **Teams**.

1. Choose **Create team**.

1. In **Team name**, enter a descriptive name for your team.
**Note**  
The team name must be unique in your space.

   (Optional) In **Team description**, enter a description for your team.

1. Under **Space role**, choose a role from the list of space roles available in CodeCatalyst that you want to assign to the team. The role will be inherited by all members of the team.
   + **Space administrator** - For details, see [Space administrator role](ipa-role-types.md#ipa-role-space-admin).
   + **Limited access** - For details, see [Limited access role](ipa-role-types.md#ipa-role-limited-access).
   + **Power user** - For details, see [Power user role](ipa-role-types.md#ipa-role-power-user).

1. In **Team membership**, choose one of the following to choose the method for adding members to the team.
   + Choose **Add members directly** to manage users individually. This includes adding AWS Builder ID users for a space or adding SSO users for a space that supports identity federation.
   + Choose **Use SSO Groups** to choose SSO groups that you have already set up in IAM Identity Center.

     In **SSO Groups**, choose the box next to the groups that you want to add. You can add up to five SSO groups.
**Note**  
You cannot change this later. When you choose to manage team members by adding AWS Builder ID users or SSO users directly, the option to use **SSO groups** will no longer be available. When you choose to manage team members by using **SSO groups**, the option to add users directly will no longer be available.

1. Choose **Create**.
**Note**  
When you choose to use SSO groups, note that the users in the SSO group are not pulled upon creation of the team. The users will need to have signed in to CodeCatalyst before they are visible in the list.

# Viewing a team
<a name="managing-teams-view"></a>

In CodeCatalyst, you can view the projects and roles for your team. On the members page, you can view project roles and a list of users. For SSO group type teams, you will also be able to see a list of SSO groups associated with the team.

**To view a team**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your space. Choose **Settings**, and then choose **Teams**.

1. In **Space role**, view the role assigned to the team for this space.

1. On the **Project roles** tab, view the project and project role assigned to the team for each CodeCatalyst project in the space where the team has been added as a member (for an AWS Builder ID space only).

1. On the **Members** tab, view the list of members assigned to the team. 

1. On the **SSO Groups** tab, view the list of SSO groups assigned to the team (for a space that supports identity federation only).

# Granting space roles for a team
<a name="managing-teams-space-roles"></a>

Teams are a way to group users so that you can grant and manage team access to projects in CodeCatalyst. As an example, you can use teams to quickly manage roles and permissions for users by giving a team the ability to manage a space for users.

A team can have role permissions, such as **Power user**, in a space. You can change the space role for a team, but note that all members of the team will inherit those permissions.

You must have the **Space administrator** role to manage teams.

**Changing the space role for a team**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your space. Choose **Settings**, and then choose **Teams**.

1. In **Actions**, choose **Change space role**. You can change the space role to one of the following. This changes the role for all members of the team.
   + **Space administrator** - For details, see [Space administrator role](ipa-role-types.md#ipa-role-space-admin).
   + **Limited access** - For details, see [Limited access role](ipa-role-types.md#ipa-role-limited-access).
   + **Power user** - For details, see [Power user role](ipa-role-types.md#ipa-role-power-user).

1. Choose **Save**.

# Granting project roles for a team at the space level
<a name="managing-teams-project-roles"></a>

A team in CodeCatalyst is similar to a user in that the team members can have role permissions, such as **Project administrator**, in a project. A role change will be applied to the team, and all members of the team will inherit those permissions. You can choose one role for each project that will be automatically granted to the team.

You must have the **Space administrator** role to manage teams.

**To add or change a project role**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your space. Choose **Settings**, and then choose **Teams**.

1. Choose the **Project roles** tab.

1. To change a role, choose the selector next to the project in this list, and then choose **Change role**. To add a role, choose **Add project role**. In **Project**, choose the project you want to add and in **Role**, choose the role. Choose one of the available project roles:
   + **Project administrator** - For details, see [Project administrator role](ipa-role-types.md#ipa-role-project-admin).
   + **Contributor** - For details, see [Contributor role](ipa-role-types.md#ipa-role-contributor).
   + **Reviewer** - For details, see [Reviewer role](ipa-role-types.md#ipa-role-reviewer).
   + **Read only** - For details, see [Read only role](ipa-role-types.md#ipa-role-read-only).

1. Choose **Save**.

**To remove a project role**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your space. Choose **Settings**, and then choose **Teams**.

1. Choose the **Project roles** tab.

1. Choose the role you want to remove.
**Important**  
Removing a role from a team removes the associated permissions for all users in the team.

1. Choose **Save**.

# Adding a user to a team directly
<a name="managing-teams-add-users"></a>

You can add team members to your team. When you add a user, the new user will inherit permissions from all existing roles on the team.

Whether your space is set up for AWS Builder ID user support or identity federation, you can set up your space to add users directly.

**Note**  
When your space is set up to manage team members by using SSO groups, the option to use **Add users directly** is not available. To use SSO groups, see [Adding an SSO group to a team](managing-teams-add-sso.md).

You must have the **Space administrator** role to manage teams.

**To add a user directly**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your space. Choose **Settings**, and then choose **Teams**.

1. Choose the **Members** tab.

1. Choose **Add member**.
**Note**  
Users being added to a team must already be members of a space. You cannot add or invite a team member who is not a member of the space.

1. Choose a user in the drop-down field, and then choose **Save**. Choose either AWS Builder ID users or SSO users that are already set up in IAM Identity Center. 

# Removing a user from a team directly
<a name="managing-teams-remove-users"></a>

You can remove team members from your team. A removed user no longer inherits any permissions from the team. You can add the user back to the team later.

**Note**  
When you remove a team member, the associated permissions will be removed for the user from all projects and resources in the space.

You must have the **Space administrator** role to manage teams.

**To remove a team member**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your space. Choose **Settings**, and then choose **Teams**.

1. Choose the **Members** tab.

1. Choose the selector next to the user you want to remove, and then choose **Remove**.

1. Enter *remove* in the input field, and then choose **Remove**.

# Adding an SSO group to a team
<a name="managing-teams-add-sso"></a>

If your space is configured as a space with SSO users and groups managed in IAM Identity Center, you can add an SSO group that will join the space as a separate team. 

**Note**  
When you choose to manage team members by adding AWS Builder ID users or SSO users directly, the option to use **SSO groups** is not available. To add users directly, see [Adding a user to a team directly](managing-teams-add-users.md).

You must have the **Space administrator** role to manage teams.

**To add an SSO group as a team**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. On the page for your space, choose **Teams**. Choose the **SSO groups** tab.

1. Choose the SSO groups you want to add. You can add up to five SSO groups.

# Deleting a team
<a name="managing-teams-delete"></a>

You can delete a team that you no longer need.

**Note**  
When you delete a team, the associated permissions will be removed for all team members from all projects and resources in the space.

You must have the **Space administrator** role to manage teams.

**Delete a team**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your space. Choose **Settings**, and then choose **Teams**.

1. In **Actions**, choose **Delete team**. This changes the role for the entire team.

1. Choose **Delete**.

# Allowing space access for machine resources
<a name="managing-machine-resources"></a>

Machine resources are specific resources in CodeCatalyst that are granted permissions for projects or spaces in CodeCatalyst. 

**Note**  
The term machine resource does not refer to cloud infrastructure such as an Amazon EC2 instance, but it is instead meant to refer to a blueprint or workflow resource with permissions for a space or project.

A machine resource represents your identity from your authorized resource when accessing CodeCatalyst through SSO. Machine resources are used to grant permissions to resources in the space, such as **blueprints** and **workflows**. You can view the machine resources in your space, and you can choose to enable or disable machine resources for your space. For example, you might want to disable a machine resource to manage access and then re-enable it later.

These operations are available for machine resources in cases where a machine resource needs to be revoked or disabled. For example, if you suspect credentials might have been compromised, you can disable the machine resource. Generally, these operations will not need to be used.

You must have the **Space administrator** role to view this page and to manage machine resources at the space level.

Machine resources are also managed at the project level in CodeCatalyst. To learn more about teams in projects, see [Allowing space access for machine resources](#managing-machine-resources).

**Topics**
+ [Viewing space access for machine resources](managing-machine-resources-view.md)
+ [Disabling space access for machine resources](managing-machine-resources-disable.md)
+ [Enabling space access for machine resources](managing-machine-resources-enable.md)

# Viewing space access for machine resources
<a name="managing-machine-resources-view"></a>

You can view a listing of the machine resources that are in use in your space. 

You must have the **Space administrator** role to manage machine resources.

**To view machine resources**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your space, and then choose **Settings**. Choose **Machine resources**.

1. In the drop-down, choose **Workflow action** to view only the machine resources for workflows. Choose **Blueprint** to view only the machine resources for blueprints.

   You can also filter on a name using the **Filter** field.

# Disabling space access for machine resources
<a name="managing-machine-resources-disable"></a>

You can choose to disable machine resources that are in use in your space. 

**Important**  
Disabling machine resources will remove all permissions to all associated blueprints or workflows in the space.

You must have the **Space administrator** role to manage machine resources.

**To disable machine resources**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your space, and then choose **Settings**. Choose **Machine resources**.

1. Choose one of the following.
   + To disable individually, choose the selector next to one or more machine resources you want to disable. Choose **Disable**, and then choose **This resource**. 
   + To disable all resources, choose **Disable**, and then choose **All resources**. 
   + To disable all workflow actions, choose **Disable**, and then choose **All workflow actions**. 
   + To disable all blueprints, choose **Disable**, and then choose **All blueprints**. 

# Enabling space access for machine resources
<a name="managing-machine-resources-enable"></a>

You can choose to enable machine resources that are in use in your space and that have been disabled. 

You must have the **Space administrator** role to manage machine resources.

**To enable machine resources**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your space, and then choose **Settings**. Choose **Machine resources**.

1. Choose one of the following.
   + To enable individually, choose the selector next to one or more machine resources you want to enable. Choose **Enable**, and then choose **This resource**. 
   + To enable all resources, choose **Enable**, and then choose **All resources**. 
   + To enable all workflow actions, choose **Enable**, and then choose **All workflow actions**. 
   + To enable all blueprints, choose **Enable**, and then choose **All blueprints**. 

# Administering Dev Environments for a space
<a name="spaces-devenv"></a>

All Dev Environments are created as part of a project within a space. Space members can create their own Dev Environments within a project at the source repository level. Space administrators can then use the Amazon CodeCatalyst console to view, edit, delete, and stop Dev Environments on behalf of space members. In short, space administrators maintain Dev Environments at the space level.

**Considerations for administering Dev Environments**
+ You must have the **Space administrator** role to view the **Dev Environments** page under **Settings** and to manage Dev Environments at the space level.
+ Space members manage the Dev Environments that they create in projects through their CodeCatalyst accounts. When administering Dev Environments as a space administrator, you are maintaining these resources on behalf of space members.
+ Dev Environments default to a specific compute and storage configuration. For information about billing and rates for upgrading your configuration, see the [Amazon CodeCatalyst pricing page](https://codecatalyst.aws/explore/pricing).

**Important**  
Dev Environments aren't available for users in spaces where Active Directory is used as the identity provider. For more information, see [I can't create a Dev Environment when I'm signed into CodeCatalyst using a single sign-on account](devenvironments-troubleshooting.md#troubleshoot-create-dev-env-idprovider).

For other considerations about Dev Environments, including stopping running instances, default compute configuration, upgrading your compute, incurring costs, and configuring timeouts, see [Write and modify code with Dev Environments in CodeCatalyst](devenvironment.md).

**Topics**
+ [Viewing Dev Environments for your space](spaces-devenv-view.md)
+ [Editing a Dev Environment for your space](spaces-devenv-edit.md)
+ [Stopping a Dev Environment for your space](spaces-devenv-stop.md)
+ [Deleting a Dev Environment for your space](spaces-devenv-delete.md)

# Viewing Dev Environments for your space
<a name="spaces-devenv-view"></a>

You can view the type, status, and details for all Dev Environments in your space. For more information about creating and running Dev Environments, see [Creating a Dev Environment](devenvironment-create.md).

You must have the **Space administrator** role to view this page and to manage Dev Environments at the space level.

**To view Dev Environments in your space**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your CodeCatalyst space.
   **Tip**  
   If you belong to more than one space, choose a space in the top navigation bar.

1. Choose **Settings**, and then choose **Dev Environments**.

   The page lists all Dev Environments in your space. You can view the **Resource** name, the resource **alias** if applicable, the type of **IDE**, the default or configured **Compute** and **Storage**, and the configured **Timeout** for each Dev Environment.

# Editing a Dev Environment for your space
<a name="spaces-devenv-edit"></a>

You can edit the configuration for a Dev Environment, such as the configured length of timeout, if any, for an idle Dev Environment to stop running. For more information about editing a Dev Environment, see [Editing a Dev Environment](devenvironment-edit.md).

You must have the **Space administrator** role to view this page and to manage Dev Environments at the space level.

**To edit Dev Environments in your space**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your CodeCatalyst space.
   **Tip**  
   If you belong to more than one space, choose a space in the top navigation bar.

1. Choose **Settings**, and then choose **Dev Environments**.

1. Choose the selector next to the Dev Environment you want to manage. Choose **Edit**.

1. Make the changes you want to the compute or inactivity timeout for the Dev Environment.

1. Choose **Save**.

# Stopping a Dev Environment for your space
<a name="spaces-devenv-stop"></a>

You can stop a running Dev Environment before it becomes idle if the Dev Environment is configured to have a timeout. Otherwise, a Dev Environment with an elapsed timeout will already be stopped. For more information about stopping a Dev Environment, see [Stopping a Dev Environment](devenvironment-stop.md).

You must have the **Space administrator** role to view this page and to manage Dev Environments at the space level.

**To stop a Dev Environment in your space**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your CodeCatalyst space.
   **Tip**  
   If you belong to more than one space, choose a space in the top navigation bar.

1. Choose **Settings**, and then choose **Dev Environments**.

1. Choose the selector next to the Dev Environment you want to manage. Choose **Stop**.

# Deleting a Dev Environment for your space
<a name="spaces-devenv-delete"></a>

You can delete a Dev Environment that is no longer needed or that no longer has an owner. For more information about considerations for deleting a Dev Environment, see [Deleting a Dev Environment](devenvironment-delete.md).

You must have the **Space administrator** role to view this page and to manage Dev Environments at the space level.

**To delete Dev Environments in your space**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your CodeCatalyst space.
   **Tip**  
   If you belong to more than one space, choose a space in the top navigation bar.

1. Choose **Settings**, and then choose **Dev Environments**.

1. Choose the selector next to the Dev Environment you want to manage. Choose **Delete**. To confirm, type `delete`, and then choose **Delete**.
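The following added example is not part of the CodeCatalyst documentation. It sorts a space-wide Dev Environment listing into the **Edit**, **Stop**, and **Delete** actions described above, flagging environments with no inactivity timeout, a timeout above a local policy, or a creator who is no longer a space member. The sample records are constructed, and the field names, the policy threshold, and the `triage` function are assumptions.

```python
import json

# Constructed sample data. Field names are assumed to match the JSON printed by
# `aws codecatalyst list-dev-environments --space-name <space>`; verify against your output.
SAMPLE_LISTING = json.loads("""
{"items": [
  {"id": "devenv-0001", "projectName": "web", "creatorId": "user-a",
   "status": "RUNNING", "inactivityTimeoutMinutes": 15},
  {"id": "devenv-0002", "projectName": "web", "creatorId": "user-gone",
   "status": "STOPPED", "inactivityTimeoutMinutes": 15},
  {"id": "devenv-0003", "projectName": "api", "creatorId": "user-b",
   "status": "RUNNING", "inactivityTimeoutMinutes": 0},
  {"id": "devenv-0004", "projectName": "api", "creatorId": "user-gone",
   "status": "RUNNING", "inactivityTimeoutMinutes": 600}
]}
""")

MAX_TIMEOUT_MINUTES = 60  # hypothetical local policy, not a CodeCatalyst limit


def triage(items, current_member_ids, max_timeout=MAX_TIMEOUT_MINUTES):
    """Return {dev_env_id: (action, reasons)} for environments that need review."""
    findings = {}
    for env in items:
        reasons = []
        timeout = env.get("inactivityTimeoutMinutes") or 0  # assumption: 0 or missing = no timeout
        orphaned = env.get("creatorId") not in current_member_ids
        if orphaned:
            reasons.append("creator is not a current space member")
        if timeout == 0:
            reasons.append("no inactivity timeout configured")
        elif timeout > max_timeout:
            reasons.append(f"timeout {timeout} min exceeds policy {max_timeout}")
        if not reasons:
            continue
        if orphaned:
            action = "delete"   # no owner left: candidate for Delete
        elif timeout == 0 and env.get("status") == "RUNNING":
            action = "stop"     # running and will never idle out: candidate for Stop
        else:
            action = "edit"     # owner exists: adjust the timeout with Edit
        findings[env["id"]] = (action, reasons)
    return findings


if __name__ == "__main__":
    for env_id, (action, why) in triage(SAMPLE_LISTING["items"], {"user-a", "user-b"}).items():
        print(f"{env_id}: {action} ({'; '.join(why)})")
```

Treat the result as a review list for a space administrator and confirm ownership before deleting anything.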

# Quotas for spaces
<a name="spaces-quotas-limits"></a>

The following table describes quotas and limits for spaces in Amazon CodeCatalyst. For more information about quotas in Amazon CodeCatalyst, see [Quotas for CodeCatalyst](quotas.md).


| Resource | Quota or limit | 
| --- |--- |
| Maximum number of Slack channels for a space | 500 | 
| Maximum number of invitations for an email address | 25 | 
| Maximum number of invitations for a user | 500 | 
| Maximum number of active spaces per user per AWS Region | 5 | 
| Maximum number of space creations per Region per month per user | 5 | 
| Maximum number of SSO groups for a team | 5 | 
| Maximum number of teams for a space | 100 | 
| Maximum number of users for a team | 1000 | 
| Space descriptions |  Space descriptions are optional. If specified, they must be between 0 and 200 characters in length. They can contain any combination of letters, numbers, spaces, periods, underscores, commas, dashes, and the following special characters: `? & $ % + = / \ ; : \n \t \r`  | 
| Space names | Space names must be unique across CodeCatalyst. You cannot reuse names of deleted spaces. Space names must be between 3 and 63 characters in length. They must also begin with an alphanumeric character. Space names can contain any combination of letters, numbers, periods, underscores, and dashes. They cannot contain any of the following characters: `` ! ? @ # $ % ^ & * ( ) + = { } [ ] \| /\ > < ~ ` ' " ; : ``  | 