AWS CodeCommit is no longer available to new customers. Existing customers of AWS CodeCommit can continue to use the service as normal.
CodeCommit permissions reference
The following tables list each CodeCommit API operation, the corresponding actions for which you can grant permissions, and the format of the resource ARN to use for granting permissions. The CodeCommit APIs are grouped into tables based on the scope of the actions allowed by that API. Refer to it when setting up Access control and writing permissions policies that you can attach to an IAM identity (identity-based policies).
When you create a permissions policy, you specify the actions in the policy's Action field. You specify the resource value in the policy's Resource field as an ARN, with or without a wildcard character (*).
To express conditions in your CodeCommit policies, use AWS-wide condition keys. For a complete list of AWS-wide keys, see Available Keys in the IAM User Guide. For complete information about actions, resources, and condition keys for CodeCommit in IAM policies, see Actions, resources, and condition keys for AWS CodeCommit.
Note
To specify an action, use the codecommit: prefix followed by the API operation name (for example, codecommit:GetRepository or codecommit:CreateRepository).
Using Wildcards
To specify multiple actions or resources, use a wildcard character (*) in the Action value or in the resource ARN. For example, codecommit:* specifies all CodeCommit actions and codecommit:Get* specifies all CodeCommit actions that begin with the word Get. The following example grants access to all repositories with names that begin with MyDemo.
arn:aws:codecommit:us-west-2:111111111111:MyDemo*
You can use wildcards only with the repository-name resources listed in the following tables. You can't use wildcards with the region or account-id parts of the ARN. For more information about wildcards, see IAM Identifiers in the IAM User Guide.
Topics
- Required permissions for Git client commands
- Permissions for actions on branches
- Permissions for actions on merges
- Permissions for actions on pull requests
- Permissions for actions on approval rule templates
- Permissions for actions on individual files
- Permissions for actions on comments
- Permissions for actions on committed code
- Permissions for actions on repositories
- Permissions for actions on tags
- Permissions for actions on triggers
- Permissions for actions on CodePipeline integration
Required permissions for Git client commands
In CodeCommit, the GitPull IAM policy permission applies to any Git client command where data is retrieved from CodeCommit, including git fetch, git clone, and so on. Similarly, the GitPush IAM policy permission applies to any Git client command where data is sent to CodeCommit. For example, if the GitPush IAM policy permission is set to Allow, a user can push the deletion of a branch using the Git protocol. That push is unaffected by any permissions applied to the DeleteBranch operation for that IAM user. The DeleteBranch permission applies to actions performed with the console, the AWS CLI, the SDKs, and the API, but not the Git protocol.
GitPull and GitPush are IAM policy permissions. They are not API actions.
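The distinction above (GitPush governs the Git protocol, DeleteBranch governs only the console, CLI, SDKs and API) is easiest to see by running both requests through one policy. The following is an added example, not AWS code or part of this reference: a toy evaluator covering just the IAM rules this page relies on (an explicit Deny wins, an Allow otherwise, an implicit Deny when nothing matches, and * wildcards in the Action value and in the repository-name part of the Resource ARN). The account ID, region and repository names are made up, and the evaluator deliberately ignores conditions, principals, NotAction and NotResource.

```python
"""Toy evaluator for CodeCommit identity-based policies (added example, not
AWS code). Models only: explicit Deny beats Allow, otherwise implicit Deny;
'*' wildcards in Action values and in the repository-name part of the ARN.
Conditions, principals and NotAction/NotResource are deliberately ignored."""
from fnmatch import fnmatchcase

# Constructed policy. Git read/write plus read-only API access to every
# repository whose name starts with MyDemo, and an explicit Deny on the
# DeleteBranch API action for the same repositories.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["codecommit:GitPull", "codecommit:GitPush", "codecommit:Get*"],
            "Resource": "arn:aws:codecommit:us-west-2:111111111111:MyDemo*",
        },
        {
            "Effect": "Deny",
            "Action": "codecommit:DeleteBranch",
            "Resource": "arn:aws:codecommit:us-west-2:111111111111:MyDemo*",
        },
    ],
}

# Made-up repository ARNs used in the checks below.
DEMO_REPO = "arn:aws:codecommit:us-west-2:111111111111:MyDemoRepo"
PROD_REPO = "arn:aws:codecommit:us-west-2:111111111111:ProdRepo"


def _as_list(value):
    """IAM lets Action and Resource be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM-style match: '*' spans any characters (including ':'), '?' one."""
    return fnmatchcase(value, pattern)


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        action_hit = any(_matches(p, action) for p in _as_list(stmt["Action"]))
        resource_hit = any(_matches(p, resource) for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides any Allow
        decision = "Allow"
    return decision


def branch_deletion_paths(policy, repo_arn):
    """Decisions for the two ways a branch can be deleted: the DeleteBranch
    API call, and 'git push origin --delete <branch>', which IAM sees only
    as codecommit:GitPush."""
    return {
        "api:DeleteBranch": evaluate(policy, "codecommit:DeleteBranch", repo_arn),
        "git:push --delete": evaluate(policy, "codecommit:GitPush", repo_arn),
    }


if __name__ == "__main__":
    for action, resource in [
        ("codecommit:GitPush", DEMO_REPO),
        ("codecommit:DeleteBranch", DEMO_REPO),
        ("codecommit:GetRepository", DEMO_REPO),   # matched by codecommit:Get*
        ("codecommit:GitPull", PROD_REPO),         # outside MyDemo*: implicit deny
        ("codecommit:CreateRepository", DEMO_REPO),
    ]:
        repo = resource.rsplit(":", 1)[1]
        print(f"{action:32} {repo:12} -> {evaluate(POLICY, action, resource)}")
    print(branch_deletion_paths(POLICY, DEMO_REPO))
```

The two entries returned by branch_deletion_paths describe the same outcome (the branch is gone) with opposite decisions: the Deny on DeleteBranch only covers API-driven deletion, while the Git-driven deletion rides on the GitPush Allow. If the intent was to protect branches, GitPush has to be restricted as well (the linked topic Limit pushes and merges to branches in AWS CodeCommit covers how).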
CodeCommit Permissions for Git | Required Permissions | Resources |
---|---|---|
GitPull | codecommit:GitPull. Required to pull information from a CodeCommit repository to a local repo. This is an IAM policy permission only, not an API action. | arn:aws:codecommit:region:account-id:repository-name |
GitPush | codecommit:GitPush. Required to push information from a local repo to a CodeCommit repository. This is an IAM policy permission only, not an API action. Note: If you create a policy that includes a context key and a | arn:aws:codecommit:region:account-id:repository-name |
Permissions for actions on branches
The following permissions allow or deny actions on branches in CodeCommit repositories. These permissions pertain only to actions performed in the CodeCommit console and with the CodeCommit API, and to commands performed using the AWS CLI. They do not pertain to similar actions that can be performed using the Git protocol. For example, the git show-branch -r command displays a list of remote branches for a repository and its commits using the Git protocol. It's not affected by any permissions for the CodeCommit ListBranches operation.
For more information about policies for branches, see Limit pushes and merges to branches in AWS CodeCommit and Customer managed policy examples.
CodeCommit API Operations for Branches | Required Permissions (API Actions) | Resources |
---|---|---|
CreateBranch | codecommit:CreateBranch. Required to create a branch in a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
DeleteBranch | codecommit:DeleteBranch. Required to delete a branch from a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
GetBranch | codecommit:GetBranch. Required to get details about a branch in a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
ListBranches | codecommit:ListBranches. Required to get a list of branches in a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
MergeBranchesByFastForward | codecommit:MergeBranchesByFastForward. Required to merge two branches using the fast-forward merge strategy in a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
MergeBranchesBySquash | codecommit:MergeBranchesBySquash. Required to merge two branches using the squash merge strategy in a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
MergeBranchesByThreeWay | codecommit:MergeBranchesByThreeWay. Required to merge two branches using the three-way merge strategy in a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
UpdateDefaultBranch | codecommit:UpdateDefaultBranch. Required to change the default branch in a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
Permissions for actions on merges
The following permissions allow or deny actions on merges in CodeCommit repositories. These permissions pertain to actions performed with the CodeCommit console and the CodeCommit API, and commands performed using the AWS CLI. They do not pertain to similar actions that can be performed using the Git protocol. For related permissions on branches, see Permissions for actions on branches. For related permissions on pull requests, see Permissions for actions on pull requests.
CodeCommit Permissions for Merges | Required Permissions | Resources |
---|---|---|
BatchDescribeMergeConflicts | codecommit:BatchDescribeMergeConflicts. Required to return information about conflicts in a merge between commits in a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
CreateUnreferencedMergeCommit | codecommit:CreateUnreferencedMergeCommit. Required to create an unreferenced commit between two branches or commits in a CodeCommit repository for the purpose of comparing them and identifying any potential conflicts. | arn:aws:codecommit:region:account-id:repository-name |
DescribeMergeConflicts | codecommit:DescribeMergeConflicts. Required to return information about merge conflicts between the base, source, and destination versions of a file in a potential merge in a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
GetMergeCommit | codecommit:GetMergeCommit. Required to return information about the merge between a source and destination commit in a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
GetMergeOptions | codecommit:GetMergeOptions. Required to return information about the available merge options between two branches or commit specifiers in a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
Permissions for actions on pull requests
The following permissions allow or deny actions on pull requests in CodeCommit repositories. These permissions pertain to actions performed with the CodeCommit console and the CodeCommit API, and commands performed using the AWS CLI. They do not pertain to similar actions that can be performed using the Git protocol. For related permissions on comments, see Permissions for actions on comments.
CodeCommit API Operations | Required Permissions (API Actions) | Resources |
---|---|---|
BatchGetPullRequests | codecommit:BatchGetPullRequests. Required to return information about one or more pull requests in a CodeCommit repository. This is an IAM policy permission only, not an API action that you can call. | arn:aws:codecommit:region:account-id:repository-name |
CreatePullRequest | codecommit:CreatePullRequest. Required to create a pull request in a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
CreatePullRequestApprovalRule | codecommit:CreatePullRequestApprovalRule. Required to create an approval rule for a pull request in a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
DeletePullRequestApprovalRule | codecommit:DeletePullRequestApprovalRule. Required to delete an approval rule for a pull request in a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
DescribePullRequestEvents | codecommit:DescribePullRequestEvents. Required to return information about one or more pull request events in a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
EvaluatePullRequestApprovalRules | codecommit:EvaluatePullRequestApprovalRules. Required to evaluate whether a pull request has met all the conditions specified in its associated approval rules in a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
GetCommentsForPullRequest | codecommit:GetCommentsForPullRequest. Required to return comments made on a pull request. | arn:aws:codecommit:region:account-id:repository-name |
GetCommitsFromMergeBase | codecommit:GetCommitsFromMergeBase. Required to return information about the difference between commits in the context of a potential merge. This is an IAM policy permission only, not an API action that you can call. | arn:aws:codecommit:region:account-id:repository-name |
GetMergeConflicts | codecommit:GetMergeConflicts. Required to return information about merge conflicts between the source and destination branch in a pull request. | arn:aws:codecommit:region:account-id:repository-name |
GetPullRequest | codecommit:GetPullRequest. Required to return information about a pull request. | arn:aws:codecommit:region:account-id:repository-name |
GetPullRequestApprovalStates | codecommit:GetPullRequestApprovalStates. Required to return information about the approval states for a specified pull request. | arn:aws:codecommit:region:account-id:repository-name |
GetPullRequestOverrideState | codecommit:GetPullRequestOverrideState. Required to return information about whether approval rules have been set aside (overridden) for a pull request, and if so, the Amazon Resource Name (ARN) of the user or identity that overrode the rules and their requirements for the pull request. | arn:aws:codecommit:region:account-id:repository-name |
ListPullRequests | codecommit:ListPullRequests. Required to return information about the pull requests for a repository. | arn:aws:codecommit:region:account-id:repository-name |
MergePullRequestByFastForward | codecommit:MergePullRequestByFastForward. Required to close a pull request and attempt to merge the source branch into the destination branch of a pull request using the fast-forward merge strategy. | arn:aws:codecommit:region:account-id:repository-name |
MergePullRequestBySquash | codecommit:MergePullRequestBySquash. Required to close a pull request and attempt to merge the source branch into the destination branch of a pull request using the squash merge strategy. | arn:aws:codecommit:region:account-id:repository-name |
MergePullRequestByThreeWay | codecommit:MergePullRequestByThreeWay. Required to close a pull request and attempt to merge the source branch into the destination branch of a pull request using the three-way merge strategy. | arn:aws:codecommit:region:account-id:repository-name |
OverridePullRequestApprovalRules | codecommit:OverridePullRequestApprovalRules. Required to set aside all approval rule requirements for a pull request in a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
PostCommentForPullRequest | codecommit:PostCommentForPullRequest. Required to post a comment on a pull request in a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
UpdatePullRequestApprovalRuleContent | codecommit:UpdatePullRequestApprovalRuleContent. Required to change the structure of an approval rule for a pull request in a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
UpdatePullRequestApprovalState | codecommit:UpdatePullRequestApprovalState. Required to change the state of an approval on a pull request in a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
UpdatePullRequestDescription | codecommit:UpdatePullRequestDescription. Required to change the description of a pull request in a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
UpdatePullRequestStatus | codecommit:UpdatePullRequestStatus. Required to change the status of a pull request in a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
UpdatePullRequestTitle | codecommit:UpdatePullRequestTitle. Required to change the title of a pull request in a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
Permissions for actions on approval rule templates
The following permissions allow or deny actions on approval rule templates in CodeCommit repositories. These permissions pertain only to actions performed in the CodeCommit console, the CodeCommit API, and to commands performed using the AWS CLI. They do not pertain to similar actions that can be performed using the Git protocol. For related permissions on pull requests, see Permissions for actions on pull requests.
CodeCommit API Operations for Approval Rule Templates | Required Permissions | Resources |
---|---|---|
AssociateApprovalRuleTemplateWithRepository | codecommit:AssociateApprovalRuleTemplateWithRepository. Required to associate a template with a specified repository in an Amazon Web Services account. Once associated, this automatically creates approval rules that match the template conditions on every pull request created in the specified repository. | * |
BatchAssociateApprovalRuleTemplateWithRepositories | codecommit:BatchAssociateApprovalRuleTemplateWithRepositories. Required to associate a template with one or more specified repositories in an Amazon Web Services account. | * |
BatchDisassociateApprovalRuleTemplateFromRepositories | codecommit:BatchDisassociateApprovalRuleTemplateFromRepositories. Required to disassociate a template from one or more specified repositories in an Amazon Web Services account. | * |
CreateApprovalRuleTemplate | codecommit:CreateApprovalRuleTemplate. Required to create a template for approval rules that can then be associated with one or more repositories in your AWS account. | * |
DeleteApprovalRuleTemplate | codecommit:DeleteApprovalRuleTemplate. Required to delete the specified template in an Amazon Web Services account. It does not remove approval rules on pull requests already created with the template. | * |
DisassociateApprovalRuleTemplateFromRepository | codecommit:DisassociateApprovalRuleTemplateFromRepository. Required to disassociate the specified template from a repository in an Amazon Web Services account. It does not remove approval rules on pull requests already created with the template. | * |
GetApprovalRuleTemplate | codecommit:GetApprovalRuleTemplate. Required to return information about an approval rule template in an Amazon Web Services account. | * |
ListApprovalRuleTemplates | codecommit:ListApprovalRuleTemplates. Required to list approval rule templates in an Amazon Web Services account. | * |
ListAssociatedApprovalRuleTemplatesForRepository | codecommit:ListAssociatedApprovalRuleTemplatesForRepository. Required to list all approval rule templates that are associated with a specified repository in an Amazon Web Services account. | * |
ListRepositoriesForApprovalRuleTemplate | codecommit:ListRepositoriesForApprovalRuleTemplate. Required to list all repositories that are associated with a specified approval rule template in an Amazon Web Services account. | * |
UpdateApprovalRuleTemplateContent | codecommit:UpdateApprovalRuleTemplateContent. Required to update the content of an approval rule template in an Amazon Web Services account. | * |
UpdateApprovalRuleTemplateDescription | codecommit:UpdateApprovalRuleTemplateDescription. Required to update the description of an approval rule template in an Amazon Web Services account. | * |
UpdateApprovalRuleTemplateName | codecommit:UpdateApprovalRuleTemplateName. Required to update the name of an approval rule template in an Amazon Web Services account. | * |
Permissions for actions on individual files
The following permissions allow or deny actions on individual files in CodeCommit repositories. These permissions pertain only to actions performed in the CodeCommit console, the CodeCommit API, and to commands performed using the AWS CLI. They do not pertain to similar actions that can be performed using the Git protocol. For example, the git push command pushes new and changed files to a CodeCommit repository by using the Git protocol. It's not affected by any permissions for the CodeCommit PutFile operation.
CodeCommit API Operations for Individual Files | Required Permissions | Resources |
---|---|---|
DeleteFile | codecommit:DeleteFile. Required to delete a specified file from a specified branch in a CodeCommit repository from the CodeCommit console. | arn:aws:codecommit:region:account-id:repository-name |
GetBlob | codecommit:GetBlob. Required to view the encoded content of an individual file in a CodeCommit repository from the CodeCommit console. | arn:aws:codecommit:region:account-id:repository-name |
GetFile | codecommit:GetFile. Required to view the encoded content of an individual file and its metadata in a CodeCommit repository from the CodeCommit console. | arn:aws:codecommit:region:account-id:repository-name |
GetFolder | codecommit:GetFolder. Required to view the contents of a specified folder in a CodeCommit repository from the CodeCommit console. | arn:aws:codecommit:region:account-id:repository-name |
PutFile | codecommit:PutFile. Required to add a new or modified file to a CodeCommit repository from the CodeCommit console, CodeCommit API, or the AWS CLI. | arn:aws:codecommit:region:account-id:repository-name |
Permissions for actions on comments
The following permissions allow or deny actions on comments in CodeCommit repositories. These permissions pertain to actions performed with the CodeCommit console and the CodeCommit API, and to commands performed using the AWS CLI. For related permissions on comments in pull requests, see Permissions for actions on pull requests.
CodeCommit API Operations | Required Permissions (API Actions) | Resources |
---|---|---|
DeleteCommentContent | codecommit:DeleteCommentContent. Required to delete the content of a comment made on a change, file, or commit in a repository. Comments cannot be deleted, but the content of a comment can be removed if the user has this permission. | arn:aws:codecommit:region:account-id:repository-name |
GetComment | codecommit:GetComment. Required to return information about a comment made on a change, file, or commit in a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
GetCommentReactions | codecommit:GetCommentReactions. Required to return information about emoji reactions to a comment made on a change, file, or commit in a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
GetCommentsForComparedCommit | codecommit:GetCommentsForComparedCommit. Required to return information about comments made on the comparison between two commits in a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
PostCommentForComparedCommit | codecommit:PostCommentForComparedCommit. Required to create a comment on the comparison between two commits in a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
PostCommentReply | codecommit:PostCommentReply. Required to create a reply to a comment on a comparison between commits or on a pull request. | arn:aws:codecommit:region:account-id:repository-name |
PutCommentReaction | codecommit:PutCommentReaction. Required to create or update an emoji reaction to a comment. | arn:aws:codecommit:region:account-id:repository-name |
UpdateComment | codecommit:UpdateComment. Required to edit a comment on a comparison between commits or on a pull request. Comments can only be edited by the comment author. | arn:aws:codecommit:region:account-id:repository-name |
Permissions for actions on committed code
The following permissions allow or deny actions on code committed to CodeCommit repositories. These permissions pertain to actions performed with the CodeCommit console and the CodeCommit API, and commands performed using the AWS CLI. They do not pertain to similar actions that can be performed using the Git protocol. For example, the git commit command creates a commit for a branch in a repository using the Git protocol. It's not affected by any permissions for the CodeCommit CreateCommit operation.
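The same caveat appears for branches (GitPush versus DeleteBranch), for individual files (git push versus PutFile) and here for commits (git commit and push versus CreateCommit), so it is worth checking a policy for it mechanically rather than by eye. The block below is an added example, not AWS code or tooling: it scans a policy document for Deny statements on API actions whose effect a user can also produce over the Git protocol, and reports each one that is reachable because the same policy allows codecommit:GitPush on an overlapping repository ARN. The sample policies and repository names are constructed; the mapping from API action to Git command follows the prose of this reference.

```python
"""Find Deny statements a CodeCommit user can walk around with plain Git
(added example, not AWS code). A Deny on an API action such as DeleteBranch
or PutFile covers only the console, CLI, SDKs and API; the same outcome over
the Git protocol is governed solely by codecommit:GitPush."""
from fnmatch import fnmatchcase

# API actions whose outcome the Git protocol also produces, as described in
# this reference. The value is the Git command that produces that outcome;
# IAM evaluates that command only against codecommit:GitPush.
GIT_EQUIVALENT = {
    "codecommit:CreateBranch": "git push origin <new-branch>",
    "codecommit:DeleteBranch": "git push origin --delete <branch>",
    "codecommit:CreateCommit": "git push (any new commit)",
    "codecommit:PutFile": "git push (commit adding or changing the file)",
    "codecommit:DeleteFile": "git push (commit removing the file)",
}


def _as_list(value):
    """IAM lets Action and Resource be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _action_covered(stmt, action):
    """True if any Action pattern in stmt (e.g. codecommit:*) matches action."""
    return any(fnmatchcase(action, p) for p in _as_list(stmt.get("Action", [])))


def _arns_overlap(pattern_a, pattern_b):
    # Two repository ARN patterns overlap if either matches the other. That is
    # exact when '*' appears only in the repository-name part, the only place
    # this page allows it.
    return fnmatchcase(pattern_a, pattern_b) or fnmatchcase(pattern_b, pattern_a)


def find_bypassable_denies(policy):
    """Return [(denied_action, git_command, deny_resource), ...] for every
    Deny that an unconditioned GitPush Allow on an overlapping ARN renders
    ineffective against Git clients."""
    statements = policy["Statement"]
    push_allows = [
        s for s in statements
        if s.get("Effect") == "Allow"
        and _action_covered(s, "codecommit:GitPush")
        and "Condition" not in s   # a conditioned Allow is left for manual review
    ]
    findings = []
    for deny in (s for s in statements if s.get("Effect") == "Deny"):
        for action, git_cmd in GIT_EQUIVALENT.items():
            if not _action_covered(deny, action):
                continue
            for deny_arn in _as_list(deny["Resource"]):
                if any(_arns_overlap(deny_arn, push_arn)
                       for allow in push_allows
                       for push_arn in _as_list(allow["Resource"])):
                    findings.append((action, git_cmd, deny_arn))
                    break
    return findings


# Constructed policy: branch deletion and direct file writes are denied, but
# GitPush is left open on the same repositories.
LEAKY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["codecommit:GitPull", "codecommit:GitPush"],
         "Resource": "arn:aws:codecommit:us-west-2:111111111111:MyDemo*"},
        {"Effect": "Deny",
         "Action": ["codecommit:DeleteBranch", "codecommit:PutFile"],
         "Resource": "arn:aws:codecommit:us-west-2:111111111111:MyDemoRepo"},
    ],
}

# Same Denies, but Git access is read-only: nothing to report.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": "codecommit:GitPull",
         "Resource": "arn:aws:codecommit:us-west-2:111111111111:MyDemo*"},
        LEAKY_POLICY["Statement"][1],
    ],
}

if __name__ == "__main__":
    for action, git_cmd, arn in find_bypassable_denies(LEAKY_POLICY):
        print(f"Deny on {action} for {arn} is bypassable via: {git_cmd}")
    print("read-only policy findings:", find_bypassable_denies(READ_ONLY_POLICY))
```

For each finding the remedy is either to drop GitPush for that identity, or to add a Deny on GitPush scoped with the codecommit:References condition key to the refs being protected, which is the approach the linked topic Limit pushes and merges to branches in AWS CodeCommit describes. The check skips any GitPush Allow that carries a Condition on purpose: whether such a condition actually closes the gap depends on its keys and values, which this page does not cover, so those statements are left to a human reviewer.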
Explicitly denying some of these permissions might result in unexpected consequences in the CodeCommit console. For example, setting GetTree to Deny prevents users from navigating the contents of a repository in the console, but does not block users from viewing the contents of a file in the repository (if they are sent a link to the file in email, for example). Setting GetBlob to Deny prevents users from viewing the contents of files, but does not block users from browsing the structure of a repository. Setting GetCommit to Deny prevents users from retrieving details about commits. Setting GetObjectIdentifier to Deny blocks most of the functionality of code browsing. If you set all of these actions to Deny in a policy, a user with that policy cannot browse code in the CodeCommit console. None of these Deny statements affect the Git protocol: a user who also has GitPull can still clone the repository and read every file and commit locally.
CodeCommit API Operations | Required Permissions (API Actions) | Resources |
---|---|---|
BatchGetCommits | codecommit:BatchGetCommits. Required to return information about one or more commits in a CodeCommit repository. This is an IAM policy permission only, not an API action that you can call. | arn:aws:codecommit:region:account-id:repository-name |
CreateCommit | codecommit:CreateCommit. Required to create a commit. | arn:aws:codecommit:region:account-id:repository-name |
GetCommit | codecommit:GetCommit. Required to return information about a commit. | arn:aws:codecommit:region:account-id:repository-name |
GetCommitHistory | codecommit:GetCommitHistory. Required to return information about the history of commits in a repository. This is an IAM policy permission only, not an API action that you can call. | arn:aws:codecommit:region:account-id:repository-name |
GetDifferences | codecommit:GetDifferences. Required to return information about the differences between commit specifiers (such as a branch, tag, HEAD, commit ID, or other fully qualified reference). | arn:aws:codecommit:region:account-id:repository-name |
GetObjectIdentifier | codecommit:GetObjectIdentifier. Required to resolve blobs, trees, and commits to their identifier. This is an IAM policy permission only, not an API action that you can call. | arn:aws:codecommit:region:account-id:repository-name |
GetReferences | codecommit:GetReferences. Required to return all references, such as branches and tags. This is an IAM policy permission only, not an API action that you can call. | arn:aws:codecommit:region:account-id:repository-name |
GetTree | codecommit:GetTree. Required to view the contents of a specified tree in a CodeCommit repository from the CodeCommit console. This is an IAM policy permission only, not an API action that you can call. | arn:aws:codecommit:region:account-id:repository-name |
Permissions for actions on repositories
The following permissions allow or deny actions on CodeCommit repositories. These permissions pertain to actions performed with the CodeCommit console and the CodeCommit API, and to commands performed using the AWS CLI. They do not pertain to similar actions that can be performed using the Git protocol.
CodeCommit API Operations | Required Permissions (API Actions) | Resources |
---|---|---|
BatchGetRepositories | codecommit:BatchGetRepositories. Required to get information about multiple CodeCommit repositories in an Amazon Web Services account. In | arn:aws:codecommit:region:account-id:repository-name |
CreateRepository | codecommit:CreateRepository. Required to create a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
DeleteRepository | codecommit:DeleteRepository. Required to delete a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
GetRepository | codecommit:GetRepository. Required to get information about a single CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
ListRepositories | codecommit:ListRepositories. Required to get a list of the names and system IDs of multiple CodeCommit repositories for an Amazon Web Services account. The only allowed value for | * |
UpdateRepositoryDescription | codecommit:UpdateRepositoryDescription. Required to change the description of a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
UpdateRepositoryName | codecommit:UpdateRepositoryName. Required to change the name of a CodeCommit repository. In | arn:aws:codecommit:region:account-id:repository-name |
Permissions for actions on tags
The following permissions allow or deny actions on AWS tags for CodeCommit resources.
CodeCommit API Operations | Required Permissions (API Actions) | Resources |
---|---|---|
ListTagsForResource | codecommit:ListTagsForResource. Required to return information about AWS tags configured on a resource in CodeCommit. | arn:aws:codecommit:region:account-id:repository-name |
TagResource | codecommit:TagResource. Required to add or edit AWS tags for a resource in CodeCommit. | arn:aws:codecommit:region:account-id:repository-name |
UntagResource | codecommit:UntagResource. Required to remove AWS tags from a resource in CodeCommit. | arn:aws:codecommit:region:account-id:repository-name |
Permissions for actions on triggers
The following permissions allow or deny actions on triggers for CodeCommit repositories.
CodeCommit API Operations | Required Permissions (API Actions) | Resources |
---|---|---|
GetRepositoryTriggers | codecommit:GetRepositoryTriggers. Required to return information about triggers configured for a repository. | arn:aws:codecommit:region:account-id:repository-name |
PutRepositoryTriggers | codecommit:PutRepositoryTriggers. Required to create, edit, or delete triggers for a repository. | arn:aws:codecommit:region:account-id:repository-name |
TestRepositoryTriggers | codecommit:TestRepositoryTriggers. Required to test the functionality of a repository trigger by sending data to the topic or function configured for the trigger. | arn:aws:codecommit:region:account-id:repository-name |
Permissions for actions on CodePipeline integration
In order for CodePipeline to use a CodeCommit repository in a source action for a pipeline, you must grant all of the permissions listed in the following table to the service role for CodePipeline. If these permissions are not set in the service role or are set to Deny, the pipeline does not run automatically when a change is made to the repository, and changes cannot be released manually.
CodeCommit API Operations | Required Permissions (API Actions) | Resources |
---|---|---|
GetBranch | codecommit:GetBranch. Required to get details about a branch in a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
GetCommit | codecommit:GetCommit. Required to return information about a commit to the service role for CodePipeline. | arn:aws:codecommit:region:account-id:repository-name |
UploadArchive | codecommit:UploadArchive. Required to allow the service role for CodePipeline to upload repository changes into a pipeline. This is an IAM policy permission only, not an API action that you can call. | arn:aws:codecommit:region:account-id:repository-name |
GetUploadArchiveStatus | codecommit:GetUploadArchiveStatus. Required to determine the status of an archive upload: whether it is in progress, complete, cancelled, or if an error occurred. This is an IAM policy permission only, not an API action that you can call. | arn:aws:codecommit:region:account-id:repository-name |
CancelUploadArchive | codecommit:CancelUploadArchive. Required to cancel the uploading of an archive to a pipeline. This is an IAM policy permission only, not an API action that you can call. | arn:aws:codecommit:region:account-id:repository-name |