# Identity and Access Management for AWS CodeCommit
AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be *authenticated* (signed in) and *authorized* (have permissions) to use CodeCommit resources. IAM is an AWS service that you can use with no additional charge.
**Topics**
+ [
## Audience
](#security_iam_audience)
+ [
## Authenticating with identities
](#security_iam_authentication)
+ [
## Managing access using policies
](#security_iam_access-manage)
+ [
# Authentication and access control for AWS CodeCommit
](auth-and-access-control.md)
+ [
# How AWS CodeCommit works with IAM
](security_iam_service-with-iam.md)
+ [
## CodeCommit resource-based policies
](#security_iam_service-with-iam-resource-based-policies)
+ [
## Authorization based on CodeCommit tags
](#security_iam_service-with-iam-tags)
+ [
## CodeCommit IAM roles
](#security_iam_service-with-iam-roles)
+ [
## AWS CodeCommit identity-based policy examples
](#security_iam_id-based-policy-examples)
+ [
## Troubleshooting AWS CodeCommit identity and access
](#security_iam_troubleshoot)
## Audience
How you use AWS Identity and Access Management (IAM) differs based on your role:
+ **Service user** - request permissions from your administrator if you cannot access features (see [Troubleshooting AWS CodeCommit identity and access](#security_iam_troubleshoot))
+ **Service administrator** - determine user access and submit permission requests (see [How AWS CodeCommit works with IAM](security_iam_service-with-iam.md))
+ **IAM administrator** - write policies to manage access (see [AWS CodeCommit identity-based policy examples](#security_iam_id-based-policy-examples))
## Authenticating with identities
Authentication is how you sign in to AWS using your identity credentials. You must be authenticated as the AWS account root user, an IAM user, or by assuming an IAM role.
You can sign in as a federated identity using credentials from an identity source like AWS IAM Identity Center (IAM Identity Center), single sign-on authentication, or Google/Facebook credentials. For more information about signing in, see [How to sign in to your AWS account](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*.
For programmatic access, AWS provides an SDK and CLI to cryptographically sign requests. For more information, see [AWS Signature Version 4 for API requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html) in the *IAM User Guide*.
### AWS account root user
When you create an AWS account, you begin with one sign-in identity called the AWS account *root user* that has complete access to all AWS services and resources. We strongly recommend that you don't use the root user for everyday tasks. For tasks that require root user credentials, see [Tasks that require root user credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks) in the *IAM User Guide*.
### IAM users and groups
An *[IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html)* is an identity with specific permissions for a single person or application. We recommend using temporary credentials instead of IAM users with long-term credentials. For more information, see [Require human users to use federation with an identity provider to access AWS using temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) in the *IAM User Guide*.
An [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html) specifies a collection of IAM users and makes permissions easier to manage for large sets of users. For more information, see [Use cases for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/gs-identities-iam-users.html) in the *IAM User Guide*.
### IAM roles
An *[IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)* is an identity with specific permissions that provides temporary credentials. You can assume a role by [switching from a user to an IAM role (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html) or by calling an AWS CLI or AWS API operation. For more information, see [Methods to assume a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage-assume.html) in the *IAM User Guide*.
IAM roles are useful for federated user access, temporary IAM user permissions, cross-account access, cross-service access, and applications running on Amazon EC2. For more information, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.
## Managing access using policies
You control access in AWS by creating policies and attaching them to AWS identities or resources. A policy defines permissions when associated with an identity or resource. AWS evaluates these policies when a principal makes a request. Most policies are stored in AWS as JSON documents. For more information about JSON policy documents, see [Overview of JSON policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json) in the *IAM User Guide*.
Using policies, administrators specify who has access to what by defining which **principal** can perform **actions** on what **resources**, and under what **conditions**.
By default, users and roles have no permissions. An IAM administrator creates IAM policies and adds them to roles, which users can then assume. IAM policies define permissions regardless of the method used to perform the operation.
### Identity-based policies
Identity-based policies are JSON permissions policy documents that you attach to an identity (user, group, or role). These policies control what actions identities can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.
Identity-based policies can be *inline policies* (embedded directly into a single identity) or *managed policies* (standalone policies attached to multiple identities). To learn how to choose between managed and inline policies, see [Choose between managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-choosing-managed-or-inline.html) in the *IAM User Guide*.
### Resource-based policies
Resource-based policies are JSON policy documents that you attach to a resource. Examples include IAM *role trust policies* and Amazon S3 *bucket policies*. In services that support resource-based policies, service administrators can use them to control access to a specific resource. You must [specify a principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in a resource-based policy.
Resource-based policies are inline policies that are located in that service. You can't use AWS managed policies from IAM in a resource-based policy.
### Access control lists (ACLs)
Access control lists (ACLs) control which principals (account members, users, or roles) have permissions to access a resource. ACLs are similar to resource-based policies, although they do not use the JSON policy document format.
Amazon S3, AWS WAF, and Amazon VPC are examples of services that support ACLs. To learn more about ACLs, see [Access control list (ACL) overview](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html) in the *Amazon Simple Storage Service Developer Guide*.
### Other policy types
AWS supports additional policy types that can set the maximum permissions granted by more common policy types:
+ **Permissions boundaries** – Set the maximum permissions that an identity-based policy can grant to an IAM entity. For more information, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.
+ **Service control policies (SCPs)** – Specify the maximum permissions for an organization or organizational unit in AWS Organizations. For more information, see [Service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the *AWS Organizations User Guide*.
+ **Resource control policies (RCPs)** – Set the maximum available permissions for resources in your accounts. For more information, see [Resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html) in the *AWS Organizations User Guide*.
+ **Session policies** – Advanced policies passed as a parameter when creating a temporary session for a role or federated user. For more information, see [Session policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) in the *IAM User Guide*.
### Multiple policy types
When multiple types of policies apply to a request, the resulting permissions are more complicated to understand. To learn how AWS determines whether to allow a request when multiple policy types are involved, see [Policy evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html) in the *IAM User Guide*.
# Authentication and access control for AWS CodeCommit
Access to AWS CodeCommit requires credentials. Those credentials must have permissions to access AWS resources, such as CodeCommit repositories, and your IAM user, which you use to manage your Git credentials or the SSH public key that you use for making Git connections. The following sections provide details on how you can use [AWS Identity and Access Management (IAM)](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) and CodeCommit to help secure access to your resources:
+ [Authentication](#authentication)
+ [Access control](#access-control)
## Authentication
Because CodeCommit repositories are Git-based and support the basic functionality of Git, including Git credentials, we recommend that you use an IAM user when working with CodeCommit. You can access CodeCommit with other identity types, but the other identity types are subject to limitations, as described below.
Identity types:
+ **IAM user** – An [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html) is an identity within your Amazon Web Services account that has specific custom permissions. For example, an IAM user can have permissions to create and manage Git credentials for accessing CodeCommit repositories. **This is the recommended user type for working with CodeCommit.** You can use an IAM user name and password to sign in to secure AWS webpages like the [AWS Management Console](https://console.aws.amazon.com/), [AWS Discussion Forums](https://forums.aws.amazon.com/), or the [AWS Support Center](https://console.aws.amazon.com/support/home#/).
You can generate Git credentials or associate SSH public keys with your IAM user, or you can install and configure **git-remote-codecommit**. These are the easiest ways to set up Git to work with your CodeCommit repositories. With [Git credentials](setting-up-gc.md), you generate a static user name and password in IAM. You then use these credentials for HTTPS connections with Git and any third-party tool that supports Git user name and password authentication. With SSH connections, you create public and private key files on your local machine that Git and CodeCommit use for SSH authentication. You associate the public key with your IAM user, and you store the private key on your local machine. **[git-remote-codecommit](setting-up-git-remote-codecommit.md)** extends Git itself, and does not require setting up Git credentials for the user.
In addition, you can generate [access keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) for each user. Use access keys when you access AWS services programmatically, either through [one of the AWS SDKs](https://aws.amazon.com/tools/) or by using the [AWS Command Line Interface (AWS CLI)](https://aws.amazon.com/cli/). The SDK and CLI tools use the access keys to cryptographically sign your requests. If you don’t use the AWS tools, you must sign the requests yourself. CodeCommit supports *Signature Version 4*, a protocol for authenticating inbound API requests. For more information about authenticating requests, see [Signature Version 4 Signing Process](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html) in the *AWS General Reference*.
+ **Amazon Web Services account root user** – When you sign up for AWS, you provide an email address and password that is associated with your Amazon Web Services account. These are your *root credentials*, and they provide complete access to all of your AWS resources. Some CodeCommit features are not available for root account users. In addition, the only way to use Git with your root account is to either install and configure **git-remote-codecommit** (recommended) or to configure the AWS credential helper, which is included with the AWS CLI. You cannot use Git credentials or SSH public-private key pairs with your root account user. For these reasons, we do not recommend using your root account user when interacting with CodeCommit.
**Important**
For security reasons, we recommend that you use the root credentials only to create an *administrator user*, which is an *IAM user* with full permissions to your AWS account. Then, you can use this administrator user to create other IAM users and roles with limited permissions. For more information, see [IAM Best Practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users) and [Creating an Admin User and Group](https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_create-admin-group.html) in the *IAM User Guide*.
+ **IAM Identity Center and users in IAM Identity Center** – AWS IAM Identity Center expands the capabilities of AWS Identity and Access Management to provide a central place that brings together administration of users and their access to AWS accounts and cloud applications. While recommended as a best practice for most users working with AWS, IAM Identity Center does not currently provide mechanisms for Git credentials or SSH key pairs. These users can install and configure **git-remote-codecommit** to locally clone CodeCommit repositories, but not all integrated development environments (IDEs) support cloning, pushing, or pulling with **git-remote-codecommit**.
As a best practice, require human users to use federation with an identity provider to access AWS services using temporary credentials.
A *federated identity* is a user from your enterprise directory, web identity provider, or Directory Service that accesses AWS services using credentials from an identity source. Federated identities assume roles that provide temporary credentials.
For centralized access management, we recommend AWS IAM Identity Center. For more information, see [What is IAM Identity Center?](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) in the *AWS IAM Identity Center User Guide*.
+ **IAM role** – Like an IAM user, an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) is an IAM identity that you can create in your account to grant specific permissions.
An *[IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)* is an identity with specific permissions that provides temporary credentials. You can assume a role by [switching from a user to an IAM role (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html) or by calling an AWS CLI or AWS API operation. For more information, see [Methods to assume a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage-assume.html) in the *IAM User Guide*.
IAM roles are useful for federated user access, temporary IAM user permissions, cross-account access, cross-service access, and applications running on Amazon EC2. For more information, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.
**Note**
You cannot use Git credentials or SSH public-private key pairs with federated users. In addition, user preferences are not available for federated users. For information about how to set up connections using federated access, see [Setup steps for HTTPS connections to AWS CodeCommit with git-remote-codecommit](setting-up-git-remote-codecommit.md).
## Access control
You can have valid credentials to authenticate your requests, but unless you have permissions you cannot create or access CodeCommit resources. For example, you must have permissions to view repositories, push code, create and manage Git credentials, and so on.
The following sections describe how to manage permissions for CodeCommit. We recommend that you read the overview first.
+ [Overview of managing access permissions to your CodeCommit resources](#auth-and-access-control-iam-access-control-identity-based)
+ [Using identity-based policies (IAM Policies) for CodeCommit](auth-and-access-control-iam-identity-based-access-control.md)
+ [CodeCommit permissions reference](auth-and-access-control-permissions-reference.md)
## Overview of managing access permissions to your CodeCommit resources
Every AWS resource is owned by an Amazon Web Services account. Permissions to create or access a resource are governed by permissions policies. An account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles). Some services, such as AWS Lambda, also support attaching permissions policies to resources.
**Note**
An *account administrator* (or administrator user) is a user with administrator privileges. For more information, see [IAM Best Practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.
When granting permissions, you decide who gets the permissions, the resources they get permissions for, and the specific actions that you want to allow on those resources.
**Topics**
+ [
### CodeCommit resources and operations
](#arn-formats)
+ [
### Understanding resource ownership
](#understanding-resource-ownership)
+ [
### Managing access to resources
](#managing-access-resources)
+ [
### Resource scoping in CodeCommit
](#resource-scoping)
+ [
### Specifying policy elements: resources, actions, effects, and principals
](#actions-effects-principals)
+ [
### Specifying conditions in a policy
](#policy-conditions)
### CodeCommit resources and operations
In CodeCommit, the primary resource is a repository. Each resource has a unique Amazon Resource Names (ARN) associated with it. In a policy, you use an Amazon Resource Name (ARN) to identify the resource that the policy applies to. For more information about ARNs, see [Amazon Resource Names (ARN) and AWS Service Namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *Amazon Web Services General Reference*. CodeCommit does not currently support other resource types, which are referred to as subresources.
The following table describes how to specify CodeCommit resources.
| Resource Type | ARN Format |
| --- | --- |
| Repository | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| All CodeCommit repositories | arn:aws:codecommit:\$1 |
| All CodeCommit repositories owned by the specified account in the specified AWS Region | arn:aws:codecommit:*region*:*account-id*:\$1 |
**Note**
Most AWS services treat a colon (:) or a forward slash (/) in ARNs as the same character. However, CodeCommit requires an exact match in resource patterns and rules. When creating event patterns, be sure to use the correct ARN characters so that they match the ARN syntax in the resource.
For example, you can indicate a specific repository (*MyDemoRepo*) in your statement using its ARN as follows:
```
"Resource": "arn:aws:codecommit:us-west-2:111111111111:MyDemoRepo"
```
To specify all repositories that belong to a specific account, use the wildcard character (\$1) as follows:
```
"Resource": "arn:aws:codecommit:us-west-2:111111111111:*"
```
To specify all resources, or if a specific API action does not support ARNs, use the wildcard character (\$1) in the `Resource` element as follows:
```
"Resource": "*"
```
You can also use the wildcard character(\$1) to specify all resources that match part of a repository name. For example, the following ARN specifies any CodeCommit repository that begins with the name `MyDemo` and that is registered to the Amazon Web Services account `111111111111` in the `us-east-2` AWS Region:
```
arn:aws:codecommit:us-east-2:111111111111:MyDemo*
```
For a list of available operations that work with the CodeCommit resources, see [CodeCommit permissions reference](auth-and-access-control-permissions-reference.md).
### Understanding resource ownership
The Amazon Web Services account owns the resources that are created in the account, regardless of who created them. Specifically, the resource owner is the Amazon Web Services account of the [principal entity](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html) (that is, the root account, an IAM user, or an IAM role) that authenticates the resource creation request. The following examples illustrate how this works:
+ If you create an IAM user in your Amazon Web Services account and grant permissions to create CodeCommit resources to that user, the user can create CodeCommit resources. However, your Amazon Web Services account, to which the user belongs, owns the CodeCommit resources.
+ If you use the root account credentials of your Amazon Web Services account to create a rule, your Amazon Web Services account is the owner of the CodeCommit resource.
+ If you create an IAM role in your Amazon Web Services account with permissions to create CodeCommit resources, anyone who can assume the role can create CodeCommit resources. Your Amazon Web Services account, to which the role belongs, owns the CodeCommit resources.
### Managing access to resources
To manage access to AWS resources, you use permissions policies. A *permissions policy* describes who has access to what. The following section explains the options for creating permissions policies.
**Note**
This section discusses using IAM in the context of CodeCommit. It doesn't provide detailed information about the IAM service. For more information about IAM, see [What Is IAM?](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) in the *IAM User Guide*. For information about IAM policy syntax and descriptions, see [IAM Policy Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.
Permissions policies that are attached to an IAM identity are referred to as identity-based policies (IAM policies). Permissions policies that are attached to a resource are referred to as resource-based policies. Currently, CodeCommit supports only identity-based policies (IAM policies).
**Topics**
+ [
#### Identity-based policies (IAM policies)
](#identity-based-policies)
+ [
#### Resource-based policies
](#resource-based-policies-overview)
#### Identity-based policies (IAM policies)
To manage access to AWS resources, you attach permissions policies to IAM identities. In CodeCommit, you use identity-based policies to control access to repositories. For example, you can do the following:
+ **Attach a permissions policy to a user or a group in your account** – To grant a user permissions to view CodeCommit resources in the CodeCommit console, attach an identity-based permissions policy to a user or group that the user belongs to.
+ **Attach a permissions policy to a role (to grant cross-account permissions)** – Delegation, such as when you want to grant cross-account access, involves setting up a trust between the account that owns the resource (the trusting account), and the account that contains the users who need to access the resource (the trusted account). A permissions policy grants the user of a role the needed permissions to carry out the intended tasks on the resource. A trust policy specifies which trusted accounts are allowed to grant its users permissions to assume the role. For more information, see [IAM Terms and Concepts](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html).
To grant cross-account permissions, attach an identity-based permissions policy to an IAM role. For example, the administrator in Account A can create a role to grant cross-account permissions to another Amazon Web Services account (for example, Account B) or an AWS service as follows:
1. Account A administrator creates an IAM role and attaches a permissions policy to the role that grants permissions on resources in Account A.
1. Account A administrator attaches a trust policy to the role identifying Account B as the principal who can assume the role.
1. Account B administrator can then delegate permissions to assume the role to any users in Account B. Doing this allows users in Account B to create or access resources in Account A. If you want to grant an AWS service permission to assume the role, the principal in the trust policy can also be an AWS service principal. For more information, see Delegation in [IAM Terms and Concepts](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html).
For more information about using IAM to delegate permissions, see [Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/access.html) in the *IAM User Guide*.
The following example policy allows a user to create a branch in a repository named *MyDemoRepo*:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Action" : [
"codecommit:CreateBranch"
],
"Resource" : "arn:aws:codecommit:us-east-2:111122223333:MyDemoRepo"
}
]
}
```
------
To restrict the calls and resources that users in your account have access to, create specific IAM policies, and then attach those policies to IAM users. For more information about how to create IAM roles and to explore example IAM policy statements for CodeCommit, see [Customer managed identity policy examples](customer-managed-policies.md#customer-managed-policies-identity).
#### Resource-based policies
Some services, such as Amazon S3, also support resource-based permissions policies. For example, you can attach a resource-based policy to an S3 bucket to manage access permissions to that bucket. CodeCommit doesn't support resource-based policies, but you can use tags to identify resources, which you can then use in IAM policies. For an example of a tag-based policy, see [Identity-based policies (IAM policies)](#identity-based-policies).
### Resource scoping in CodeCommit
In CodeCommit, you can scope identity-based policies and permissions to resources, as described in [CodeCommit resources and operations](#arn-formats). However, you cannot scope the `ListRepositories` permission to a resource. Instead, you must scope it to all resources (using the wildcard `*`). Otherwise, the action fails.
All other CodeCommit permissions can be scoped to resources.
### Specifying policy elements: resources, actions, effects, and principals
You can create policies to allow or deny users access to resources, or allow or deny users to take specific actions on those resources. CodeCommit defines a set of public API operations that define how users work with the service, whether that is through the CodeCommit console, the SDKs, the AWS CLI, or by directly calling those APIs. To grant permissions for these API operations, CodeCommit defines a set of actions that you can specify in a policy.
Some API operations can require permissions for more than one action. For more information about resources and API operations, see [CodeCommit resources and operations](#arn-formats) and [CodeCommit permissions reference](auth-and-access-control-permissions-reference.md).
The following are the basic elements of a policy:
+ **Resource** – To identify the resource that the policy applies to, you use an Amazon Resource Name (ARN). For more information, see [CodeCommit resources and operations](#arn-formats).
+ **Action** – To identify resource operations that you want to allow or deny, you use action keywords. For example, depending on the specified `Effect`, the `codecommit:GetBranch` permission either allows or denies the user to perform the `GetBranch` operation, which gets details about a branch in a CodeCommit repository.
+ **Effect** – You specify the effect, either allow or deny, that takes place when the user requests the specific action. If you don't explicitly grant access to (allow) a resource, access is implicitly denied. You can also explicitly deny access to a resource to make sure that a user cannot access it, even if a different policy grants access.
+ **Principal** – In identity-based policies (IAM policies), the only type of policies that CodeCommit supports, the user that the policy is attached to is the implicit principal.
To learn more about IAM policy syntax, see [IAM Policy Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.
For a table showing all of the CodeCommit API actions and the resources that they apply to, see [CodeCommit permissions reference](auth-and-access-control-permissions-reference.md).
### Specifying conditions in a policy
When you grant permissions, you use the access policy language for IAM to specify the conditions under which a policy should take effect. For example, you might want a policy to be applied only after a specific date. For more information about specifying conditions in a policy language, see [Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Condition) and [Policy Grammar](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html) in the *IAM User Guide*.
To express conditions, you use predefined condition keys. There are no condition keys specific to CodeCommit. However, there are AWS-wide condition keys that you can use as appropriate. For a complete list of AWS-wide keys, see [Available Keys for Conditions](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#AvailableKeys) in the *IAM User Guide*.
# Using identity-based policies (IAM Policies) for CodeCommit
The following examples of identity-based policies demonstrate how an account administrator can attach permissions policies to IAM identities (users, groups, and roles) to grant permissions to perform operations on CodeCommit resources.
**Important**
We recommend that you first review the introductory topics that explain the basic concepts and options available to manage access to your CodeCommit resources. For more information, see [Overview of managing access permissions to your CodeCommit resources](auth-and-access-control.md#auth-and-access-control-iam-access-control-identity-based).
**Topics**
+ [
## Permissions required to use the CodeCommit console
](#console-permissions)
+ [
## Viewing resources in the console
](#console-resources)
+ [
# AWS managed policies for CodeCommit
](security-iam-awsmanpol.md)
+ [
# Customer managed policy examples
](customer-managed-policies.md)
The following is an example of an identity-based permissions policy:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Action" : [
"codecommit:BatchGetRepositories"
],
"Resource" : [
"arn:aws:codecommit:us-east-2:111122223333:MyDemoRepo",
"arn:aws:codecommit:us-east-2:111122223333:MyDemo*"
]
}
]
}
```
------
This policy has one statement that allows a user to get information about the CodeCommit repository named `MyDestinationRepo` and all CodeCommit repositories that start with the name `MyDemo` in the **us-east-2** Region.
## Permissions required to use the CodeCommit console
To see the required permissions for each CodeCommit API operation, and for more information about CodeCommit operations, see [CodeCommit permissions reference](auth-and-access-control-permissions-reference.md).
To allow users to use the CodeCommit console, the administrator must grant them permissions for CodeCommit actions. For example, you could attach the [AWSCodeCommitPowerUser](security-iam-awsmanpol.md#managed-policies-poweruser) managed policy or its equivalent to a user or group.
In addition to permissions granted to users by identity-based policies, CodeCommit requires permissions for AWS Key Management Service (AWS KMS) actions. An IAM user does not need explicit `Allow` permissions for these actions, but the user must not have any policies attached that set the following permissions to `Deny`:
```
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:DescribeKey"
```
For more information about encryption and CodeCommit, see [AWS KMS and encryption](encryption.md).
## Viewing resources in the console
The CodeCommit console requires the `ListRepositories` permission to display a list of repositories for your Amazon Web Services account in the AWS Region where you are signed in. The console also includes a **Go to resource** function to quickly perform a case insensitive search for resources. This search is performed in your Amazon Web Services account in the AWS Region where you are signed in. The following resources are displayed across the following services:
+ AWS CodeBuild: Build projects
+ AWS CodeCommit: Repositories
+ AWS CodeDeploy: Applications
+ AWS CodePipeline: Pipelines
To perform this search across resources in all services, you must have the following permissions:
+ CodeBuild: `ListProjects`
+ CodeCommit: `ListRepositories`
+ CodeDeploy: `ListApplications`
+ CodePipeline: `ListPipelines`
Results are not returned for a service's resources if you do not have permissions for that service. Even if you have permissions for viewing resources, specific resources will not be returned if there is an explicit `Deny` to view those resources.
# AWS managed policies for CodeCommit
To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to [create IAM customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html) that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.
AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.
Additionally, AWS supports managed policies for job functions that span multiple services. For example, the **ReadOnlyAccess** AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.
AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. These AWS managed policies grant required permissions for common use cases. The managed policies for CodeCommit also provide permissions to perform operations in other services, such as IAM, Amazon SNS, and Amazon CloudWatch Events, as required for the responsibilities for the users who have been granted the policy in question. For example, the AWSCodeCommitFullAccess policy is an administrative-level user policy that allows users with this policy to create and manage CloudWatch Events rules for repositories (rules whose names are prefixed with `codecommit`) and Amazon SNS topics for notifications about repository-related events (topics whose names are prefixed with `codecommit`), as well as administer repositories in CodeCommit.
The following AWS managed policies, which you can attach to users in your account, are specific to CodeCommit.
**Topics**
+ [
## AWS managed policy: AWSCodeCommitFullAccess
](#managed-policies-full)
+ [
## AWS managed policy: AWSCodeCommitPowerUser
](#managed-policies-poweruser)
+ [
## AWS managed policy: AWSCodeCommitReadOnly
](#managed-policies-read)
+ [
## CodeCommit managed policies and notifications
](#notifications-permissions)
+ [
## AWS CodeCommit managed policies and Amazon CodeGuru Reviewer
](#codeguru-permissions)
+ [
## CodeCommit updates to AWS managed policies
](#security-iam-awsmanpol-updates)
## AWS managed policy: AWSCodeCommitFullAccess
You can attach the `AWSCodeCommitFullAccess` policy to your IAM identities. This policy grants full access to CodeCommit. Apply this policy only to administrative-level users to whom you want to grant full control over CodeCommit repositories and related resources in your Amazon Web Services account, including the ability to delete repositories.
The AWSCodeCommitFullAccess policy contains the following policy statement:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codecommit:*"
],
"Resource": "*"
},
{
"Sid": "CloudWatchEventsCodeCommitRulesAccess",
"Effect": "Allow",
"Action": [
"events:DeleteRule",
"events:DescribeRule",
"events:DisableRule",
"events:EnableRule",
"events:PutRule",
"events:PutTargets",
"events:RemoveTargets",
"events:ListTargetsByRule"
],
"Resource": "arn:aws:events:*:*:rule/codecommit*"
},
{
"Sid": "SNSTopicAndSubscriptionAccess",
"Effect": "Allow",
"Action": [
"sns:CreateTopic",
"sns:DeleteTopic",
"sns:Subscribe",
"sns:Unsubscribe",
"sns:SetTopicAttributes"
],
"Resource": "arn:aws:sns:*:*:codecommit*"
},
{
"Sid": "SNSTopicAndSubscriptionReadAccess",
"Effect": "Allow",
"Action": [
"sns:ListTopics",
"sns:ListSubscriptionsByTopic",
"sns:GetTopicAttributes"
],
"Resource": "*"
},
{
"Sid": "LambdaReadOnlyListAccess",
"Effect": "Allow",
"Action": [
"lambda:ListFunctions"
],
"Resource": "*"
},
{
"Sid": "IAMReadOnlyListAccess",
"Effect": "Allow",
"Action": [
"iam:ListUsers"
],
"Resource": "*"
},
{
"Sid": "IAMReadOnlyConsoleAccess",
"Effect": "Allow",
"Action": [
"iam:ListAccessKeys",
"iam:ListSSHPublicKeys",
"iam:ListServiceSpecificCredentials"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "IAMUserSSHKeys",
"Effect": "Allow",
"Action": [
"iam:DeleteSSHPublicKey",
"iam:GetSSHPublicKey",
"iam:ListSSHPublicKeys",
"iam:UpdateSSHPublicKey",
"iam:UploadSSHPublicKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "IAMSelfManageServiceSpecificCredentials",
"Effect": "Allow",
"Action": [
"iam:CreateServiceSpecificCredential",
"iam:UpdateServiceSpecificCredential",
"iam:DeleteServiceSpecificCredential",
"iam:ResetServiceSpecificCredential"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "CodeStarNotificationsReadWriteAccess",
"Effect": "Allow",
"Action": [
"codestar-notifications:CreateNotificationRule",
"codestar-notifications:DescribeNotificationRule",
"codestar-notifications:UpdateNotificationRule",
"codestar-notifications:DeleteNotificationRule",
"codestar-notifications:Subscribe",
"codestar-notifications:Unsubscribe"
],
"Resource": "*",
"Condition": {
"ArnLike": {
"codestar-notifications:NotificationsForResource": "arn:aws:iam::*:role/Service*"
}
}
},
{
"Sid": "CodeStarNotificationsListAccess",
"Effect": "Allow",
"Action": [
"codestar-notifications:ListNotificationRules",
"codestar-notifications:ListTargets",
"codestar-notifications:ListTagsforResource",
"codestar-notifications:ListEventTypes"
],
"Resource": "*"
},
{
"Sid": "CodeStarNotificationsSNSTopicCreateAccess",
"Effect": "Allow",
"Action": [
"sns:CreateTopic",
"sns:SetTopicAttributes"
],
"Resource": "arn:aws:sns:*:*:codestar-notifications*"
},
{
"Sid": "AmazonCodeGuruReviewerFullAccess",
"Effect": "Allow",
"Action": [
"codeguru-reviewer:AssociateRepository",
"codeguru-reviewer:DescribeRepositoryAssociation",
"codeguru-reviewer:ListRepositoryAssociations",
"codeguru-reviewer:DisassociateRepository",
"codeguru-reviewer:DescribeCodeReview",
"codeguru-reviewer:ListCodeReviews"
],
"Resource": "*"
},
{
"Sid": "AmazonCodeGuruReviewerSLRCreation",
"Action": "iam:CreateServiceLinkedRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::*:role/aws-service-role/codeguru-reviewer.amazonaws.com/AWSServiceRoleForAmazonCodeGuruReviewer",
"Condition": {
"StringLike": {
"iam:AWSServiceName": "codeguru-reviewer.amazonaws.com"
}
}
},
{
"Sid": "CloudWatchEventsManagedRules",
"Effect": "Allow",
"Action": [
"events:PutRule",
"events:PutTargets",
"events:DeleteRule",
"events:RemoveTargets"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"events:ManagedBy": "codeguru-reviewer.amazonaws.com"
}
}
},
{
"Sid": "CodeStarNotificationsChatbotAccess",
"Effect": "Allow",
"Action": [
"chatbot:DescribeSlackChannelConfigurations",
"chatbot:ListMicrosoftTeamsChannelConfigurations"
],
"Resource": "*"
},
{
"Sid": "CodeStarConnectionsReadOnlyAccess",
"Effect": "Allow",
"Action": [
"codestar-connections:ListConnections",
"codestar-connections:GetConnection"
],
"Resource": "arn:aws:codestar-connections:*:*:connection/*"
}
]
}
```
------
## AWS managed policy: AWSCodeCommitPowerUser
You can attach the `AWSCodeCommitPowerUser` policy to your IAM identities. This policy allows users access to all of the functionality of CodeCommit and repository-related resources, except it does not allow them to delete CodeCommit repositories or create or delete repository-related resources in other AWS services, such as Amazon CloudWatch Events. We recommend that you apply this policy to most users.
The AWSCodeCommitPowerUser policy contains the following policy statement:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codecommit:AssociateApprovalRuleTemplateWithRepository",
"codecommit:BatchAssociateApprovalRuleTemplateWithRepositories",
"codecommit:BatchDisassociateApprovalRuleTemplateFromRepositories",
"codecommit:BatchGet*",
"codecommit:BatchDescribe*",
"codecommit:Create*",
"codecommit:DeleteBranch",
"codecommit:DeleteFile",
"codecommit:Describe*",
"codecommit:DisassociateApprovalRuleTemplateFromRepository",
"codecommit:EvaluatePullRequestApprovalRules",
"codecommit:Get*",
"codecommit:List*",
"codecommit:Merge*",
"codecommit:OverridePullRequestApprovalRules",
"codecommit:Put*",
"codecommit:Post*",
"codecommit:TagResource",
"codecommit:Test*",
"codecommit:UntagResource",
"codecommit:Update*",
"codecommit:GitPull",
"codecommit:GitPush"
],
"Resource": "*"
},
{
"Sid": "CloudWatchEventsCodeCommitRulesAccess",
"Effect": "Allow",
"Action": [
"events:DeleteRule",
"events:DescribeRule",
"events:DisableRule",
"events:EnableRule",
"events:PutRule",
"events:PutTargets",
"events:RemoveTargets",
"events:ListTargetsByRule"
],
"Resource": "arn:aws:events:*:*:rule/codecommit*"
},
{
"Sid": "SNSTopicAndSubscriptionAccess",
"Effect": "Allow",
"Action": [
"sns:Subscribe",
"sns:Unsubscribe"
],
"Resource": "arn:aws:sns:*:*:codecommit*"
},
{
"Sid": "SNSTopicAndSubscriptionReadAccess",
"Effect": "Allow",
"Action": [
"sns:ListTopics",
"sns:ListSubscriptionsByTopic",
"sns:GetTopicAttributes"
],
"Resource": "*"
},
{
"Sid": "LambdaReadOnlyListAccess",
"Effect": "Allow",
"Action": [
"lambda:ListFunctions"
],
"Resource": "*"
},
{
"Sid": "IAMReadOnlyListAccess",
"Effect": "Allow",
"Action": [
"iam:ListUsers"
],
"Resource": "*"
},
{
"Sid": "IAMReadOnlyConsoleAccess",
"Effect": "Allow",
"Action": [
"iam:ListAccessKeys",
"iam:ListSSHPublicKeys",
"iam:ListServiceSpecificCredentials"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "IAMUserSSHKeys",
"Effect": "Allow",
"Action": [
"iam:DeleteSSHPublicKey",
"iam:GetSSHPublicKey",
"iam:ListSSHPublicKeys",
"iam:UpdateSSHPublicKey",
"iam:UploadSSHPublicKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "IAMSelfManageServiceSpecificCredentials",
"Effect": "Allow",
"Action": [
"iam:CreateServiceSpecificCredential",
"iam:UpdateServiceSpecificCredential",
"iam:DeleteServiceSpecificCredential",
"iam:ResetServiceSpecificCredential"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "CodeStarNotificationsReadWriteAccess",
"Effect": "Allow",
"Action": [
"codestar-notifications:CreateNotificationRule",
"codestar-notifications:DescribeNotificationRule",
"codestar-notifications:UpdateNotificationRule",
"codestar-notifications:Subscribe",
"codestar-notifications:Unsubscribe"
],
"Resource": "*",
"Condition": {
"ArnLike": {
"codestar-notifications:NotificationsForResource": "arn:aws:iam::*:role/Service*"
}
}
},
{
"Sid": "CodeStarNotificationsListAccess",
"Effect": "Allow",
"Action": [
"codestar-notifications:ListNotificationRules",
"codestar-notifications:ListTargets",
"codestar-notifications:ListTagsforResource",
"codestar-notifications:ListEventTypes"
],
"Resource": "*"
},
{
"Sid": "AmazonCodeGuruReviewerFullAccess",
"Effect": "Allow",
"Action": [
"codeguru-reviewer:AssociateRepository",
"codeguru-reviewer:DescribeRepositoryAssociation",
"codeguru-reviewer:ListRepositoryAssociations",
"codeguru-reviewer:DisassociateRepository",
"codeguru-reviewer:DescribeCodeReview",
"codeguru-reviewer:ListCodeReviews"
],
"Resource": "*"
},
{
"Sid": "AmazonCodeGuruReviewerSLRCreation",
"Action": "iam:CreateServiceLinkedRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::*:role/aws-service-role/codeguru-reviewer.amazonaws.com/AWSServiceRoleForAmazonCodeGuruReviewer",
"Condition": {
"StringLike": {
"iam:AWSServiceName": "codeguru-reviewer.amazonaws.com"
}
}
},
{
"Sid": "CloudWatchEventsManagedRules",
"Effect": "Allow",
"Action": [
"events:PutRule",
"events:PutTargets",
"events:DeleteRule",
"events:RemoveTargets"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"events:ManagedBy": "codeguru-reviewer.amazonaws.com"
}
}
},
{
"Sid": "CodeStarNotificationsChatbotAccess",
"Effect": "Allow",
"Action": [
"chatbot:DescribeSlackChannelConfigurations",
"chatbot:ListMicrosoftTeamsChannelConfigurations"
],
"Resource": "*"
},
{
"Sid": "CodeStarConnectionsReadOnlyAccess",
"Effect": "Allow",
"Action": [
"codestar-connections:ListConnections",
"codestar-connections:GetConnection"
],
"Resource": "arn:aws:codestar-connections:*:*:connection/*"
}
]
}
```
------
## AWS managed policy: AWSCodeCommitReadOnly
You can attach the `AWSCodeCommitReadOnly` policy to your IAM identities. This policy grants read-only access to CodeCommit and repository-related resources in other AWS services, as well as the ability to create and manage their own CodeCommit-related resources (such as Git credentials and SSH keys for their IAM user to use when accessing repositories). Apply this policy to users to whom you want to grant the ability to read the contents of a repository, but not make any changes to its contents.
The AWSCodeCommitReadOnly policy contains the following policy statement:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":[
"codecommit:BatchGet*",
"codecommit:BatchDescribe*",
"codecommit:Describe*",
"codecommit:EvaluatePullRequestApprovalRules",
"codecommit:Get*",
"codecommit:List*",
"codecommit:GitPull"
],
"Resource":"*"
},
{
"Sid":"CloudWatchEventsCodeCommitRulesReadOnlyAccess",
"Effect":"Allow",
"Action":[
"events:DescribeRule",
"events:ListTargetsByRule"
],
"Resource":"arn:aws:events:*:*:rule/codecommit*"
},
{
"Sid":"SNSSubscriptionAccess",
"Effect":"Allow",
"Action":[
"sns:ListTopics",
"sns:ListSubscriptionsByTopic",
"sns:GetTopicAttributes"
],
"Resource":"*"
},
{
"Sid":"LambdaReadOnlyListAccess",
"Effect":"Allow",
"Action":[
"lambda:ListFunctions"
],
"Resource":"*"
},
{
"Sid":"IAMReadOnlyListAccess",
"Effect":"Allow",
"Action":[
"iam:ListUsers"
],
"Resource":"*"
},
{
"Sid":"IAMReadOnlyConsoleAccess",
"Effect":"Allow",
"Action":[
"iam:ListAccessKeys",
"iam:ListSSHPublicKeys",
"iam:ListServiceSpecificCredentials",
"iam:GetSSHPublicKey"
],
"Resource":"arn:aws:iam::*:user/${aws:username}"
},
{
"Sid":"CodeStarNotificationsReadOnlyAccess",
"Effect":"Allow",
"Action":[
"codestar-notifications:DescribeNotificationRule"
],
"Resource":"*",
"Condition":{
"ArnLike":{
"codestar-notifications:NotificationsForResource":"arn:aws:codecommit:us-east-2:111122223333:*"
}
}
},
{
"Sid":"CodeStarNotificationsListAccess",
"Effect":"Allow",
"Action":[
"codestar-notifications:ListNotificationRules",
"codestar-notifications:ListEventTypes",
"codestar-notifications:ListTargets"
],
"Resource":"*"
},
{
"Sid": "AmazonCodeGuruReviewerReadOnlyAccess",
"Effect": "Allow",
"Action": [
"codeguru-reviewer:DescribeRepositoryAssociation",
"codeguru-reviewer:ListRepositoryAssociations",
"codeguru-reviewer:DescribeCodeReview",
"codeguru-reviewer:ListCodeReviews"
],
"Resource": "*"
},
{
"Sid": "CodeStarConnectionsReadOnlyAccess",
"Effect": "Allow",
"Action": [
"codestar-connections:ListConnections",
"codestar-connections:GetConnection"
],
"Resource": "arn:aws:codestar-connections:*:*:connection/*"
}
]
}
```
------
## CodeCommit managed policies and notifications
AWS CodeCommit supports notifications, which can notify users of important changes to repositories. Managed policies for CodeCommit include policy statements for notification functionality. For more information, see [What are notifications?](https://docs.aws.amazon.com/codestar-notifications/latest/userguide/welcome.html).
### Permissions related to notifications in full access managed policies
The `AWSCodeCommitFullAccess` managed policy includes the following statements to allow full access to notifications. Users with this managed policy applied can also create and manage Amazon SNS topics for notifications, subscribe and unsubscribe users to topics, list topics to choose as targets for notification rules, and list Amazon Q Developer in chat applications clients configured for Slack.
```
{
"Sid": "CodeStarNotificationsReadWriteAccess",
"Effect": "Allow",
"Action": [
"codestar-notifications:CreateNotificationRule",
"codestar-notifications:DescribeNotificationRule",
"codestar-notifications:UpdateNotificationRule",
"codestar-notifications:DeleteNotificationRule",
"codestar-notifications:Subscribe",
"codestar-notifications:Unsubscribe"
],
"Resource": "*",
"Condition" : {
"StringLike" : {"codestar-notifications:NotificationsForResource" : "arn:aws:codecommit:*"}
}
},
{
"Sid": "CodeStarNotificationsListAccess",
"Effect": "Allow",
"Action": [
"codestar-notifications:ListNotificationRules",
"codestar-notifications:ListTargets",
"codestar-notifications:ListTagsforResource,"
"codestar-notifications:ListEventTypes"
],
"Resource": "*"
},
{
"Sid": "CodeStarNotificationsSNSTopicCreateAccess",
"Effect": "Allow",
"Action": [
"sns:CreateTopic",
"sns:SetTopicAttributes"
],
"Resource": "arn:aws:sns:*:*:codestar-notifications*"
},
{
"Sid": "CodeStarNotificationsChatbotAccess",
"Effect": "Allow",
"Action": [
"chatbot:DescribeSlackChannelConfigurations",
"chatbot:ListMicrosoftTeamsChannelConfigurations"
],
"Resource": "*"
}
```
### Permissions related to notifications in read-only managed policies
The `AWSCodeCommitReadOnlyAccess` managed policy includes the following statements to allow read-only access to notifications. Users with this managed policy applied can view notifications for resources, but cannot create, manage, or subscribe to them.
```
{
"Sid": "CodeStarNotificationsPowerUserAccess",
"Effect": "Allow",
"Action": [
"codestar-notifications:DescribeNotificationRule"
],
"Resource": "*",
"Condition" : {
"StringLike" : {"codestar-notifications:NotificationsForResource" : "arn:aws:codecommit:*"}
}
},
{
"Sid": "CodeStarNotificationsListAccess",
"Effect": "Allow",
"Action": [
"codestar-notifications:ListNotificationRules",
"codestar-notifications:ListEventTypes",
"codestar-notifications:ListTargets"
],
"Resource": "*"
}
```
### Permissions related to notifications in other managed policies
The `AWSCodeCommitPowerUser` managed policy includes the following statements to allow users to create, edit, and subscribe to notifications. Users cannot delete notification rules or manage tags for resources.
```
{
"Sid": "CodeStarNotificationsReadWriteAccess",
"Effect": "Allow",
"Action": [
"codestar-notifications:CreateNotificationRule",
"codestar-notifications:DescribeNotificationRule",
"codestar-notifications:UpdateNotificationRule",
"codestar-notifications:DeleteNotificationRule",
"codestar-notifications:Subscribe",
"codestar-notifications:Unsubscribe"
],
"Resource": "*",
"Condition" : {
"StringLike" : {"codestar-notifications:NotificationsForResource" : "arn:aws:codecommit*"}
}
},
{
"Sid": "CodeStarNotificationsListAccess",
"Effect": "Allow",
"Action": [
"codestar-notifications:ListNotificationRules",
"codestar-notifications:ListTargets",
"codestar-notifications:ListTagsforResource",
"codestar-notifications:ListEventTypes"
],
"Resource": "*"
},
{
"Sid": "SNSTopicListAccess",
"Effect": "Allow",
"Action": [
"sns:ListTopics"
],
"Resource": "*"
},
{
"Sid": "CodeStarNotificationsChatbotAccess",
"Effect": "Allow",
"Action": [
"chatbot:DescribeSlackChannelConfigurations",
"chatbot:ListMicrosoftTeamsChannelConfigurations"
],
"Resource": "*"
}
```
For more information about IAM and notifications, see [Identity and Access Management for AWS CodeStar Notifications](https://docs.aws.amazon.com/codestar-notifications/latest/userguide/security-iam.html).
## AWS CodeCommit managed policies and Amazon CodeGuru Reviewer
CodeCommit supports Amazon CodeGuru Reviewer, an automated code review service that uses program analysis and machine learning to detect common issues and recommend fixes in your Java or Python code. Managed policies for CodeCommit include policy statements for CodeGuru Reviewer functionality. For more information, see [What Is Amazon CodeGuru Reviewer](https://docs.aws.amazon.com/codeguru/latest/reviewer-ug/welcome.html).
### Permissions related to CodeGuru Reviewer in AWSCodeCommitFullAccess
The `AWSCodeCommitFullAccess` managed policy includes the following statements to allow CodeGuru Reviewer to be associated and disassociated with CodeCommit repositories. Users with this managed policy applied can also view the association status between CodeCommit repositories and CodeGuru Reviewer and view the status of review jobs for pull requests.
```
{
"Sid": "AmazonCodeGuruReviewerFullAccess",
"Effect": "Allow",
"Action": [
"codeguru-reviewer:AssociateRepository",
"codeguru-reviewer:DescribeRepositoryAssociation",
"codeguru-reviewer:ListRepositoryAssociations",
"codeguru-reviewer:DisassociateRepository",
"codeguru-reviewer:DescribeCodeReview",
"codeguru-reviewer:ListCodeReviews"
],
"Resource": "*"
},
{
"Sid": "AmazonCodeGuruReviewerSLRCreation",
"Action": "iam:CreateServiceLinkedRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::*:role/aws-service-role/codeguru-reviewer.amazonaws.com/AWSServiceRoleForAmazonCodeGuruReviewer",
"Condition": {
"StringLike": {
"iam:AWSServiceName": "codeguru-reviewer.amazonaws.com"
}
}
},
{
"Sid": "CloudWatchEventsManagedRules",
"Effect": "Allow",
"Action": [
"events:PutRule",
"events:PutTargets",
"events:DeleteRule",
"events:RemoveTargets"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"events:ManagedBy": "codeguru-reviewer.amazonaws.com"
}
}
}
```
### Permissions related to CodeGuru Reviewer in AWSCodeCommitPowerUser
The `AWSCodeCommitPowerUser` managed policy includes the following statements to allow users to associate and disassociate repositories with CodeGuru Reviewer, view association status, and view the status of review jobs for pull requests.
```
{
"Sid": "AmazonCodeGuruReviewerFullAccess",
"Effect": "Allow",
"Action": [
"codeguru-reviewer:AssociateRepository",
"codeguru-reviewer:DescribeRepositoryAssociation",
"codeguru-reviewer:ListRepositoryAssociations",
"codeguru-reviewer:DisassociateRepository",
"codeguru-reviewer:DescribeCodeReview",
"codeguru-reviewer:ListCodeReviews"
],
"Resource": "*"
},
{
"Sid": "AmazonCodeGuruReviewerSLRCreation",
"Action": "iam:CreateServiceLinkedRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::*:role/aws-service-role/codeguru-reviewer.amazonaws.com/AWSServiceRoleForAmazonCodeGuruReviewer",
"Condition": {
"StringLike": {
"iam:AWSServiceName": "codeguru-reviewer.amazonaws.com"
}
}
},
{
"Sid": "CloudWatchEventsManagedRules",
"Effect": "Allow",
"Action": [
"events:PutRule",
"events:PutTargets",
"events:DeleteRule",
"events:RemoveTargets"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"events:ManagedBy": "codeguru-reviewer.amazonaws.com"
}
}
}
```
### Permissions related to CodeGuru Reviewer in AWSCodeCommitReadOnly
The `AWSCodeCommitReadOnlyAccess` managed policy includes the following statements to allow read-only access to CodeGuru Reviewer association status and view the status of review jobs for pull requests. Users with this managed policy applied cannot associate or disassociate repositories.
```
{
"Sid": "AmazonCodeGuruReviewerReadOnlyAccess",
"Effect": "Allow",
"Action": [
"codeguru-reviewer:DescribeRepositoryAssociation",
"codeguru-reviewer:ListRepositoryAssociations",
"codeguru-reviewer:DescribeCodeReview",
"codeguru-reviewer:ListCodeReviews"
],
"Resource": "*"
}
```
### Amazon CodeGuru Reviewer service-linked role
When you associate a repository with CodeGuru Reviewer, a service-linked role is created so that CodeGuru Reviewer can detect issues and recommend fixes for Java or Python code in pull requests. The service-linked role is named AWSServiceRoleForAmazonCodeGuruReviewer. For more information, see [Using Service-Linked Roles for Amazon CodeGuru Reviewer](https://docs.aws.amazon.com/codeguru/latest/reviewer-ug/using-service-linked-roles.html).
For more information, see [AWS Managed Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.
## CodeCommit updates to AWS managed policies
View details about updates to AWS managed policies for CodeCommit since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on [AWS CodeCommit User Guide document history](history.md).
| Change | Description | Date |
| --- | --- | --- |
| [AWS managed policy: AWSCodeCommitFullAccess](#managed-policies-full) and [AWS managed policy: AWSCodeCommitPowerUser](#managed-policies-poweruser) – Update to existing policies | CodeCommit added a permission to these policies to support an additional notification type using Amazon Q Developer in chat applications. The AWSCodeCommitPowerUser and AWSCodeCommitFullAccess policies have been changed to add a permission, `chatbot:ListMicrosoftTeamsChannelConfigurations`. | May 16, 2023 |
| [AWS managed policy: AWSCodeCommitReadOnly](#managed-policies-read) – Update to an existing policy | CodeCommit removed a duplicate permission from the policy. The AWSCodeCommitReadOnly has been changed to remove a duplicate permission, `"iam:ListAccessKeys"`. | August 18, 2021 |
| CodeCommit started tracking changes | CodeCommit started tracking changes for its AWS managed policies. | August 18, 2021 |
# Customer managed policy examples
You can create your own custom IAM policies to allow permissions for CodeCommit actions and resources. You can attach these custom policies to the IAM users or groups that require those permissions. You can also create your own custom IAM policies for integration between CodeCommit and other AWS services.
**Topics**
+ [
## Customer managed identity policy examples
](#customer-managed-policies-identity)
## Customer managed identity policy examples
The following example IAM policies grant permissions for various CodeCommit actions. Use them to limit CodeCommit access for your IAM users and roles. These policies control the ability to perform actions with the CodeCommit console, API, AWS SDKs, or the AWS CLI.
**Note**
All examples use the US West (Oregon) Region (us-west-2) and contain fictitious account IDs.
**Examples**
+ [Example 1: Allow a user to perform CodeCommit operations in a single AWS Region](#identity-based-policies-example-1)
+ [Example 2: Allow a user to use Git for a single repository](#identity-based-policies-example-2)
+ [Example 3: Allow a user connecting from a specified IP address range access to a repository](#identity-based-policies-example-3)
+ [Example 4: Deny or allow actions on branches](#identity-based-policies-example-4)
+ [Example 5: Deny or allow actions on repositories with tags](#identity-based-policies-example-5)
### Example 1: Allow a user to perform CodeCommit operations in a single AWS Region
The following permissions policy uses a wildcard character (`"codecommit:*"`) to allow users to perform all CodeCommit actions in the us-east-2 Region and not from other AWS Regions.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "codecommit:*",
"Resource": "arn:aws:codecommit:us-east-2:111111111111:*",
"Condition": {
"StringEquals": {
"aws:RequestedRegion": "us-east-2"
}
}
},
{
"Effect": "Allow",
"Action": "codecommit:ListRepositories",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestedRegion": "us-east-2"
}
}
}
]
}
```
------
### Example 2: Allow a user to use Git for a single repository
In CodeCommit, the `GitPull` IAM policy permissions apply to any Git client command where data is retrieved from CodeCommit, including **git fetch**, **git clone**, and so on. Similarly, the `GitPush` IAM policy permissions apply to any Git client command where data is sent to CodeCommit. For example, if the `GitPush` IAM policy permission is set to `Allow`, a user can push the deletion of a branch using the Git protocol. That push is unaffected by any permissions applied to the `DeleteBranch` operation for that IAM user. The `DeleteBranch` permission applies to actions performed with the console, the AWS CLI, the SDKs, and the API, but not the Git protocol.
The following example allows the specified user to pull from, and push to, the CodeCommit repository named `MyDemoRepo`:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Action" : [
"codecommit:GitPull",
"codecommit:GitPush"
],
"Resource" : "arn:aws:codecommit:us-east-2:111122223333:MyDemoRepo"
}
]
}
```
------
### Example 3: Allow a user connecting from a specified IP address range access to a repository
You can create a policy that only allows users to connect to a CodeCommit repository if their IP address is within a certain IP address range. There are two equally valid approaches to this. You can create a `Deny` policy that disallows CodeCommit operations if the IP address for the user is not within a specific block, or you can create an `Allow` policy that allows CodeCommit operations if the IP address for the user is within a specific block.
You can create a `Deny` policy that denies access to all users who are not within a certain IP range. For example, you could attach the AWSCodeCommitPowerUser managed policy and a customer-managed policy to all users who require access to your repository. The following example policy denies all CodeCommit permissions to users whose IP addresses are not within the specified IP address block of 203.0.113.0/16:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"codecommit:*"
],
"Resource": "*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"203.0.113.0/16"
]
}
}
}
]
}
```
------
The following example policy allows the specified user to access a CodeCommit repository named MyDemoRepo with the equivalent permissions of the AWSCodeCommitPowerUser managed policy only if their IP address is within the specified address block of 203.0.113.0/16:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codecommit:BatchGetRepositories",
"codecommit:CreateBranch",
"codecommit:CreateRepository",
"codecommit:Get*",
"codecommit:GitPull",
"codecommit:GitPush",
"codecommit:List*",
"codecommit:Put*",
"codecommit:Post*",
"codecommit:Merge*",
"codecommit:TagResource",
"codecommit:Test*",
"codecommit:UntagResource",
"codecommit:Update*"
],
"Resource": "arn:aws:codecommit:us-east-2:111122223333:MyDemoRepo",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"203.0.113.0/16"
]
}
}
}
]
}
```
------
### Example 4: Deny or allow actions on branches
You can create a policy that denies users permissions to actions you specify on one or more branches. Alternatively, you can create a policy that allows actions on one or more branches that they might not otherwise have in other branches of a repository. You can use these policies with the appropriate managed (predefined) policies. For more information, see [Limit pushes and merges to branches in AWS CodeCommit](how-to-conditional-branch.md).
For example, you can create a `Deny` policy that denies users the ability to make changes to a branch named main, including deleting that branch, in a repository named *MyDemoRepo*. You can use this policy with the **AWSCodeCommitPowerUser** managed policy. Users with these two policies applied would be able to create and delete branches, create pull requests, and all other actions as allowed by **AWSCodeCommitPowerUser**, but they would not be able to push changes to the branch named *main*, add or edit a file in the *main* branch in the CodeCommit console, or merge branches or a pull request into the *main* branch. Because `Deny` is applied to `GitPush`, you must include a `Null` statement in the policy, to allow initial `GitPush` calls to be analyzed for validity when users make pushes from their local repos.
**Tip**
If you want to create a policy that applies to all branches named *main* in all repositories in your Amazon Web Services account, for `Resource`, specify an asterisk ( `*` ) instead of a repository ARN.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"codecommit:GitPush",
"codecommit:DeleteBranch",
"codecommit:PutFile",
"codecommit:Merge*"
],
"Resource": "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo",
"Condition": {
"StringEqualsIfExists": {
"codecommit:References": [
"refs/heads/main"
]
},
"Null": {
"codecommit:References": "false"
}
}
}
]
}
```
------
The following example policy allows a user to make changes to a branch named main in all repositories in an Amazon Web Services account. It does not allow changes to any other branches. You might use this policy with the AWSCodeCommitReadOnly managed policy to allow automated pushes to the repository in the main branch. Because the Effect is `Allow`, this example policy would not work with managed policies such as AWSCodeCommitPowerUser.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codecommit:GitPush",
"codecommit:Merge*"
],
"Resource": "*",
"Condition": {
"StringEqualsIfExists": {
"codecommit:References": [
"refs/heads/main"
]
}
}
}
]
}
```
------
### Example 5: Deny or allow actions on repositories with tags
You can create a policy that allows or denies actions on repositories based on the AWS tags associated with those repositories, and then apply those policies to the IAM groups you configure for managing IAM users. For example, you can create a policy that denies all CodeCommit actions on any repositories with the AWS tag key *Status* and the key value of *Secret*, and then apply that policy to the IAM group you created for general developers (*Developers*). You then need to make sure that the developers working on those tagged repositories are not members of that general *Developers* group, but belong instead to a different IAM group that does not have the restrictive policy applied (*SecretDevelopers*).
The following example denies all CodeCommit actions on repositories tagged with the key *Status* and the key value of *Secret*:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"codecommit:Associate*",
"codecommit:Batch*",
"codecommit:CancelUploadArchive",
"codecommit:CreateBranch",
"codecommit:CreateCommit",
"codecommit:CreatePullRequest*",
"codecommit:CreateRepository",
"codecommit:CreateUnreferencedMergeCommit",
"codecommit:DeleteBranch",
"codecommit:DeleteCommentContent",
"codecommit:DeleteFile",
"codecommit:DeletePullRequest*",
"codecommit:DeleteRepository",
"codecommit:Describe*",
"codecommit:DisassociateApprovalRuleTemplateFromRepository",
"codecommit:EvaluatePullRequestApprovalRules",
"codecommit:GetBlob",
"codecommit:GetBranch",
"codecommit:GetComment*",
"codecommit:GetCommit",
"codecommit:GetDifferences*",
"codecommit:GetFile",
"codecommit:GetFolder",
"codecommit:GetMerge*",
"codecommit:GetObjectIdentifier",
"codecommit:GetPullRequest*",
"codecommit:GetReferences",
"codecommit:GetRepository*",
"codecommit:GetTree",
"codecommit:GetUploadArchiveStatus",
"codecommit:Git*",
"codecommit:ListAssociatedApprovalRuleTemplatesForRepository",
"codecommit:ListBranches",
"codecommit:ListPullRequests",
"codecommit:ListTagsForResource",
"codecommit:Merge*",
"codecommit:OverridePullRequestApprovalRules",
"codecommit:Post*",
"codecommit:Put*",
"codecommit:TagResource",
"codecommit:TestRepositoryTriggers",
"codecommit:UntagResource",
"codecommit:UpdateComment",
"codecommit:UpdateDefaultBranch",
"codecommit:UpdatePullRequest*",
"codecommit:UpdateRepository*",
"codecommit:UploadArchive"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/Status": "Secret"
}
}
}
]
}
```
------
You can further refine this strategy by specifying specific repositories, rather than all repositories, as resources. You can also create policies that allow CodeCommit actions on all repositories that are not tagged with specific tags. For example, the following policy allows the equivalent of **AWSCodeCommitPowerUser** permissions for CodeCommit actions, except that it only allows CodeCommit actions on repositories not tagged with the specified tags:
**Note**
This policy example only includes actions for CodeCommit. It does not include actions for other AWS services that are included in the **AWSCodeCommitPowerUser** managed policy. For more information, see .[AWS managed policy: AWSCodeCommitPowerUser](security-iam-awsmanpol.md#managed-policies-poweruser).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codecommit:Associate*",
"codecommit:Batch*",
"codecommit:CancelUploadArchive",
"codecommit:CreateBranch",
"codecommit:CreateCommit",
"codecommit:CreatePullRequest*",
"codecommit:CreateRepository",
"codecommit:CreateUnreferencedMergeCommit",
"codecommit:DeleteBranch",
"codecommit:DeleteCommentContent",
"codecommit:DeleteFile",
"codecommit:DeletePullRequest*",
"codecommit:Describe*",
"codecommit:DisassociateApprovalRuleTemplateFromRepository",
"codecommit:EvaluatePullRequestApprovalRules",
"codecommit:GetBlob",
"codecommit:GetBranch",
"codecommit:GetComment*",
"codecommit:GetCommit",
"codecommit:GetDifferences*",
"codecommit:GetFile",
"codecommit:GetFolder",
"codecommit:GetMerge*",
"codecommit:GetObjectIdentifier",
"codecommit:GetPullRequest*",
"codecommit:GetReferences",
"codecommit:GetRepository*",
"codecommit:GetTree",
"codecommit:GetUploadArchiveStatus",
"codecommit:Git*",
"codecommit:ListAssociatedApprovalRuleTemplatesForRepository",
"codecommit:ListBranches",
"codecommit:ListPullRequests",
"codecommit:ListTagsForResource",
"codecommit:Merge*",
"codecommit:OverridePullRequestApprovalRules",
"codecommit:Post*",
"codecommit:Put*",
"codecommit:TagResource",
"codecommit:TestRepositoryTriggers",
"codecommit:UntagResource",
"codecommit:UpdateComment",
"codecommit:UpdateDefaultBranch",
"codecommit:UpdatePullRequest*",
"codecommit:UpdateRepository*",
"codecommit:UploadArchive"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:ResourceTag/Status": "Secret",
"aws:ResourceTag/Team": "Saanvi"
}
}
},
{
"Effect": "Allow",
"Action": [
"codecommit:CreateApprovalRuleTemplate",
"codecommit:GetApprovalRuleTemplate",
"codecommit:ListApprovalRuleTemplates",
"codecommit:ListRepositories",
"codecommit:ListRepositoriesForApprovalRuleTemplate",
"codecommit:UpdateApprovalRuleTemplateContent",
"codecommit:UpdateApprovalRuleTemplateDescription",
"codecommit:UpdateApprovalRuleTemplateName"
],
"Resource": "*"
}
]
}
```
------
# CodeCommit permissions reference
The following tables list each CodeCommit API operation, the corresponding actions for which you can grant permissions, and the format of the resource ARN to use for granting permissions. The CodeCommit APIs are grouped into tables based on the scope of the actions allowed by that API. Refer to it when setting up [Access control](auth-and-access-control.md#access-control) and writing permissions policies that you can attach to an IAM identity (identity-based policies).
When you create a permissions policy, you specify the actions in the policy's `Action` field. You specify the resource value in the policy's `Resource` field as an ARN, with or without a wildcard character (\$1).
To express conditions in your CodeCommit policies, use AWS-wide condition keys. For a complete list of AWS-wide keys, see [Available Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#AvailableKeys) in the *IAM User Guide*. For complete information about actions, resources, and condition keys for CodeCommit in IAM policies, see [Actions, resources, and condition keys for AWS CodeCommit](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodecommit.html).
**Note**
To specify an action, use the `codecommit:` prefix followed by the API operation name (for example, `codecommit:GetRepository` or `codecommit:CreateRepository`.
**Using Wildcards **
To specify multiple actions or resources, use a wildcard character (\$1) in your ARN. For example, `codecommit:*` specifies all CodeCommit actions and `codecommit:Get*` specifies all CodeCommit actions that begin with the word `Get`. The following example grants access to all repositories with names that begin with `MyDemo`.
```
arn:aws:codecommit:us-west-2:111111111111:MyDemo*
```
You can use wildcards only with the *repository-name* resources listed in the following table. You can't use wildcards with *region* or *account-id* resources. For more information about wildcards, see [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) in *IAM User Guide*.
**Topics**
+ [
## Required permissions for Git client commands
](#aa-git)
+ [
## Permissions for actions on branches
](#aa-branches)
+ [
## Permissions for actions on merges
](#aa-merges)
+ [
## Permissions for actions on pull requests
](#aa-pr)
+ [
## Permissions for actions on approval rule templates
](#aa-art)
+ [
## Permissions for actions on individual files
](#aa-files)
+ [
## Permissions for actions on comments
](#aa-comments)
+ [
## Permissions for actions on committed code
](#aa-code)
+ [
## Permissions for actions on repositories
](#aa-repositories)
+ [
## Permissions for actions on tags
](#aa-tags)
+ [
## Permissions for actions on triggers
](#aa-triggers)
+ [
## Permissions for actions on CodePipeline integration
](#aa-acp)
## Required permissions for Git client commands
In CodeCommit, the `GitPull` IAM policy permissions apply to any Git client command where data is retrieved from CodeCommit, including **git fetch**, **git clone**, and so on. Similarly, the `GitPush` IAM policy permissions apply to any Git client command where data is sent to CodeCommit. For example, if the `GitPush` IAM policy permission is set to `Allow`, a user can push the deletion of a branch using the Git protocol. That push is unaffected by any permissions applied to the `DeleteBranch` operation for that IAM user. The `DeleteBranch` permission applies to actions performed with the console, the AWS CLI, the SDKs, and the API, but not the Git protocol.
`GitPull` and `GitPush` are IAM policy permissions. They are not API actions.
Use the scroll bars to see the rest of the table.
**CodeCommit Required Permissions for Actions for Git Client Commands**
| CodeCommit Permissions for Git | Required Permissions | Resources |
| --- | --- | --- |
| GitPull | `codecommit:GitPull` Required to pull information from a CodeCommit repository to a local repo. This is an IAM policy permission only, not an API action. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| GitPush | `codecommit:GitPush` Required to push information from a local repo to a CodeCommit repository. This is an IAM policy permission only, not an API action. If you create a policy that includes a context key and a `Deny` statement that includes this permission, you must also include a `Null` context. For more information, see [Limit pushes and merges to branches in AWS CodeCommit](how-to-conditional-branch.md). | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
## Permissions for actions on branches
The following permissions allow or deny actions on branches in CodeCommit repositories. These permissions pertain only to actions performed in the CodeCommit console and with the CodeCommit API, and to commands performed using the AWS CLI. They do not pertain to similar actions that can be performed using the Git protocol. For example, the **git show-branch -r** command displays a list of remote branches for a repository and its commits using the Git protocol. It's not affected by any permissions for the CodeCommit `ListBranches` operation.
For more information about policies for branches, see [Limit pushes and merges to branches in AWS CodeCommit](how-to-conditional-branch.md) and [Customer managed policy examples](customer-managed-policies.md).
Use the scroll bars to see the rest of the table.
**CodeCommit API Operations and Required Permissions for Actions on Branches**
| CodeCommit API Operations for Branches | Required Permissions (API Actions) | Resources |
| --- | --- | --- |
| [CreateBranch](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_CreateBranch.html) | `codecommit:CreateBranch` Required to create a branch in a CodeCommit repository. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [DeleteBranch](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_DeleteBranch.html) | `codecommit:DeleteBranch` Required to delete a branch from a CodeCommit repository. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [GetBranch](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_GetBranch.html) | `codecommit:GetBranch` Required to get details about a branch in a CodeCommit repository. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [ListBranches](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_ListBranches.html) | `codecommit:ListBranches` Required to get a list of branches in a CodeCommit repository. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [MergeBranchesByFastForward](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_MergeBranchesByFastForward.html) | `codecommit:MergeBranchesByFastForward` Required to merge two branches using the fast-forward merge strategy in a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
| [MergeBranchesBySquash](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_MergeBranchesBySquash.html) | `codecommit:MergeBranchesBySquash` Required to merge two branches using the squash merge strategy in a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
| [MergeBranchesByThreeWay](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_MergeBranchesByThreeWay.html) | `codecommit:MergeBranchesByThreeWay` Required to merge two branches using the three-way merge strategy in a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
| [UpdateDefaultBranch](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_UpdateDefaultBranch.html) | codecommit:UpdateDefaultBranchRequired to change the default branch in a CodeCommit repository. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
## Permissions for actions on merges
The following permissions allow or deny actions on merges in CodeCommit repositories. These permissions pertain to actions performed with the CodeCommit console and the CodeCommit API, and commands performed using the AWS CLI. They do not pertain to similar actions that can be performed using the Git protocol. For related permissions on branches, see [Permissions for actions on branches](#aa-branches). For related permissions on pull requests, see [Permissions for actions on pull requests](#aa-pr).
Use the scroll bars to see the rest of the table.
**CodeCommit Required Permissions for Actions for Merge Commands**
| CodeCommit Permissions for Merges | Required Permissions | Resources |
| --- | --- | --- |
| [BatchDescribeMergeConflicts](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_BatchDescribeMergeConflicts.html) | `codecommit:BatchDescribeMergeConflicts` Required to return information about conflicts in a merge between commits in a CodeCommit repository. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [CreateUnreferencedMergeCommit](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_CreateUnreferencedMergeCommit.html) | `codecommit:CreateUnreferencedMergeCommit` Required to create an unreferenced commit between two branches or commits in a CodeCommit repository for the purpose of comparing them and identifying any potential conflicts. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [DescribeMergeConflicts](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_DescribeMergeConflicts.html) | `codecommit:DescribeMergeConflicts` Required to return information about merge conflicts between the base, source, and destination versions of a file in a potential merge in an CodeCommit repository. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [GetMergeCommit](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_GetMergeCommit.html) | `codecommit:GetMergeCommit` Required to return information about the merge between a source and destination commit in a CodeCommit repository. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [GetMergeOptions](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_GetMergeOptions.html) | `codecommit:GetMergeOptions` Required to return information about the available merge options between two branches or commit specifiers in a CodeCommit repository. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
## Permissions for actions on pull requests
The following permissions allow or deny actions on pull requests in CodeCommit repositories. These permissions pertain to actions performed with the CodeCommit console and the CodeCommit API, and commands performed using the AWS CLI. They do not pertain to similar actions that can be performed using the Git protocol. For related permissions on comments, see [Permissions for actions on comments](#aa-comments).
Use the scroll bars to see the rest of the table.
**CodeCommit API Operations and Required Permissions for Actions on Pull Requests**
| CodeCommit API Operations | Required Permissions (API Actions) | Resources |
| --- | --- | --- |
| BatchGetPullRequests | `codecommit:BatchGetPullRequests` Required to return information about one or more pull requests in a CodeCommit repository. This is an IAM policy permission only, not an API action that you can call. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [CreatePullRequest](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_CreatePullRequest.html) | `codecommit:CreatePullRequest` Required to create a pull request in a CodeCommit repository. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [CreatePullRequestApprovalRule](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_CreatePullRequestApprovalRule.html) | `codecommit:CreatePullRequestApprovalRule` Required to create an approval rule for a pull request in a CodeCommit repository. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [DeletePullRequestApprovalRule](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_DeletePullRequestApprovalRule.html) | `codecommit:DeletePullRequestApprovalRule` Required to delete an approval rule for a pull request in a CodeCommit repository. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [DescribePullRequestEvents](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_DescribePullRequestEvents.html) | Required to return information about one or more pull request events in a CodeCommit repository. | arn:aws:codecommit:region:account-id:repository-name |
| [EvaluatePullRequestApprovalRules](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_EvaluatePullRequestApprovalRules.html) | `codecommit:EvaluatePullRequestApprovalRules` Required to evaluate whether a pull request has met all the conditions specified in its associated approval rules in a CodeCommit repository. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [GetCommentsForPullRequest](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_GetCommentsForPullRequest.html) | `codecommit:GetCommentsForPullRequest` Required to return comments made on a pull request. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| GetCommitsFromMergeBase | `codecommit:GetCommitsFromMergeBase` Required to return information about the difference between commits in the context of a potential merge. This is an IAM policy permission only, not an API action that you can call. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [GetMergeConflicts](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_GetMergeConflicts.html) | `codecommit:GetMergeConflicts` Required to return information about merge conflicts between the source and destination branch in a pull request. | arn:aws:codecommit:region:account-id:repository-name |
| [GetPullRequest](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_GetPullRequest.html) | `codecommit:GetPullRequest` Required to return information about a pull request. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [GetPullRequestApprovalStates](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_GetPullRequestApprovalStates.html) | `codecommit:GetPullRequestApprovalStates` Required to return information about the approval states for a specified pull request. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [GetPullRequestOverrideState](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_GetPullRequestOverrideState.html) | `codecommit:GetPullRequestOverrideState` Required to return information about whether approval rules have been set aside (overridden) for a pull request, and if so, the Amazon Resource Name (ARN) of the user or identity that overrode the rules and their requirements for the pull request. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [ListPullRequests](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_ListPullRequests.html) | `codecommit:ListPullRequests` Required to return information about the pull requests for a repository. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [MergePullRequestByFastForward](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_MergePullRequestByFastForward.html) | codecommit:MergePullRequestByFastForwardRequired to close a pull request and attempt to merge the source branch into the destination branch of a pull request using the fast-forward merge strategy. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [MergePullRequestBySquash](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_MergePullRequestBySquash.html) | codecommit:MergePullRequestBySquashRequired to close a pull request and attempt to merge the source branch into the destination branch of a pull request using the squash merge strategy. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [MergePullRequestByThreeWay](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_MergePullRequestByThreeWay.html) | codecommit:MergePullRequestByThreeWayRequired to close a pull request and attempt to merge the source branch into the destination branch of a pull request using the three-way merge strategy. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [OverridePullRequestApprovalRules](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_OverridePullRequestApprovalRules.html) | codecommit:OverridePullRequestApprovalRules Required to set aside all approval rule requirements for a pull request in a CodeCommit repository. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [PostCommentForPullRequest](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_PostCommentForPullRequest.html) | codecommit:PostCommentForPullRequest Required to post a comment on a pull request in a CodeCommit repository. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [UpdatePullRequestApprovalRuleContent](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_UpdatePullRequestApprovalRuleContent.html) | codecommit:UpdatePullRequestApprovalRuleContent Required to change the structure of an approval rule for a pull request in a CodeCommit repository. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [UpdatePullRequestApprovalState](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_UpdatePullRequestApprovalState.html) | codecommit:UpdatePullRequestApprovalState Required to change the state of an approval on a pull request in a CodeCommit repository. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [UpdatePullRequestDescription](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_UpdatePullRequestDescription.html) | codecommit:UpdatePullRequestDescription Required to change the description of a pull request in a CodeCommit repository. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [UpdatePullRequestStatus](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_UpdatePullRequestStatus.html) | codecommit:UpdatePullRequestStatus Required to change the status of a pull request in a CodeCommit repository. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [UpdatePullRequestTitle](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_UpdatePullRequestTitle.html) | codecommit:UpdatePullRequestTitle Required to change the title of a pull request in a CodeCommit repository. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
## Permissions for actions on approval rule templates
The following permissions allow or deny actions on approval rule templates in CodeCommit repositories. These permissions pertain only to actions performed in the CodeCommit console, the CodeCommit API, and to commands performed using the AWS CLI. They do not pertain to similar actions that can be performed using the Git protocol. For related permissions on pull requests, see [Permissions for actions on pull requests](#aa-pr).
Use the scroll bars to see the rest of the table.
**CodeCommit API Operations and Required Permissions for Actions on Approval Rule Templates**
| CodeCommit API Operations for Approval Rule Templates | Required Permissions | Resources |
| --- | --- | --- |
| [AssociateApprovalRuleTemplateWithRepository](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_AssociateApprovalRuleTemplateWithRepository.html) | `codecommit:AssociateApprovalRuleTemplateWithRepository` Required to associate a template with a specified repository in an Amazon Web Services account. Once associated, this automatically creates approval rules that match the template conditions on every pull request created in the specified repository. | \$1 |
| [BatchAssociateApprovalRuleTemplateWithRepositories](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_BatchAssociateApprovalRuleTemplateWithRepositories.html) | `codecommit:BatchAssociateApprovalRuleTemplateWithRepositories` Required to associate a template with one or more specified repositories in an Amazon Web Services account. | \$1 |
| [BatchDisassociateApprovalRuleTemplateFromRepositories](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_BatchDisassociateApprovalRuleTemplateFromRepositories.html) | `codecommit:BatchDisassociateApprovalRuleTemplateFromRepositories` Required to disassociate a template from one or more specified repositories in an Amazon Web Services account. | \$1 |
| [CreateApprovalRuleTemplate](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_CreateApprovalRuleTemplate.html) | `codecommit:CreateApprovalRuleTemplate` Required to create a template for approval rules that can then be associated with one or more repositories in your AWS account. | \$1 |
| [DeleteApprovalRuleTemplate](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_DeleteApprovalRuleTemplate.html) | `codecommit:DeleteApprovalRuleTemplate` Required to delete the specified template in an Amazon Web Services account. It does not remove approval rules on pull requests already created with the template. | \$1 |
| [DisassociateApprovalRuleTemplateFromRepository](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_DisassociateApprovalRuleTemplateFromRepository.html) | `codecommit:DisassociateApprovalRuleTemplateFromRepository` Required to disassociate the specified template from a repository in an Amazon Web Services account. It does not remove approval rules on pull requests already created with the template. | \$1 |
| [GetApprovalRuleTemplate](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_GetApprovalRuleTemplate.html) | `codecommit:GetApprovalRuleTemplate` Required to return information about an approval rule template in an Amazon Web Services account. | \$1 |
| [ListApprovalRuleTemplates](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_ListApprovalRuleTemplates.html) | `codecommit:ListApprovalRuleTemplates` Required to list approval rule templates in an Amazon Web Services account. | \$1 |
| [ListAssociatedApprovalRuleTemplatesForRepository](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_ListAssociatedApprovalRuleTemplatesForRepository.html) | `codecommit:ListAssociatedApprovalRuleTemplatesForRepository` Required to list all approval rule templates that are associated with a specified repository in an Amazon Web Services account. | \$1 |
| [ListRepositoriesForApprovalRuleTemplate](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_ListRepositoriesForApprovalRuleTemplate.html) | `codecommit:ListRepositoriesForApprovalRuleTemplate` Required to list all repositories that are associated with a specified approval rule template in an Amazon Web Services account. | \$1 |
| [UpdateApprovalRuleTemplateContent](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_UpdateApprovalRuleTemplateContent.html) | `codecommit:UpdateApprovalRuleTemplateContent` Required to update the content of an approval rule template in an Amazon Web Services account. | \$1 |
| [UpdateApprovalRuleTemplateDescription](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_UpdateApprovalRuleTemplateDescription.html) | `codecommit:UpdateApprovalRuleTemplateDescription` Required to update the description of an approval rule template in an Amazon Web Services account. | \$1 |
| [UpdateApprovalRuleTemplateName](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_UpdateApprovalRuleTemplateName.html) | `codecommit:UpdateApprovalRuleTemplateName` Required to update the name of an approval rule template in an Amazon Web Services account. | \$1 |
## Permissions for actions on individual files
The following permissions allow or deny actions on individual files in CodeCommit repositories. These permissions pertain only to actions performed in the CodeCommit console, the CodeCommit API, and to commands performed using the AWS CLI. They do not pertain to similar actions that can be performed using the Git protocol. For example, the `git push` command pushes new and changed files to a CodeCommit repository by using the Git protocol. It's not affected by any permissions for the CodeCommit `PutFile` operation.
Use the scroll bars to see the rest of the table.
**CodeCommit API Operations and Required Permissions for Actions on Individual Files**
| CodeCommit API Operations for Individual Files | Required Permissions | Resources |
| --- | --- | --- |
| [DeleteFile](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_DeleteFile.html) | `codecommit:DeleteFile` Required to delete a specified file from a specified branch in a CodeCommit repository from the CodeCommit console. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [GetBlob](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_GetBlob.html) | `codecommit:GetBlob` Required to view the encoded content of an individual file in a CodeCommit repository from the CodeCommit console. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [GetFile](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_GetFile.html) | `codecommit:GetFile` Required to view the encoded content of an individual file and its metadata a CodeCommit repository from the CodeCommit console. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [GetFolder](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_GetFolder.html) | `codecommit:GetFolder` Required to view the contents of a specified folder in a CodeCommit repository from the CodeCommit console. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [PutFile](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_PutFile.html) | `codecommit:PutFile` Required to add a new or modified file to a CodeCommit repository from the CodeCommit console, CodeCommit API, or the AWS CLI. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
## Permissions for actions on comments
The following permissions allow or deny actions on comments in CodeCommit repositories. These permissions pertain to actions performed with the CodeCommit console and the CodeCommit API, and to commands performed using the AWS CLI. For related permissions on comments in pull requests, see [Permissions for actions on pull requests](#aa-pr).
Use the scroll bars to see the rest of the table.
**CodeCommit API Operations and Required Permissions for Comments in Repositories**
| CodeCommit API Operations | Required Permissions (API Actions) | Resources |
| --- | --- | --- |
| [DeleteCommentContent](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_DeleteCommentContent.html) | `codecommit:DeleteCommentContent` Required to delete the content of a comment made on a change, file, or commit in a repository. Comments cannot be deleted, but the content of a comment can be removed if the user has this permission. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [GetComment](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_GetComment.html) | `codecommit:GetComment` Required to return information about a comment made on a change, file, or commit in a CodeCommit repository. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [GetCommentReactions](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_GetCommentReactions.html) | `codecommit:GetCommentReactions` Required to return information about emoji reactions to a comment made on a change, file, or commit in a CodeCommit repository. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [GetCommentsForComparedCommit](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_GetCommentsForComparedCommit.html) | `codecommit:GetCommentsForComparedCommit` Required to return information about comments made on the comparison between two commits in a CodeCommit repository. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [PostCommentForComparedCommit](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_PostCommentForComparedCommit.html) | `codecommit:PostCommentForComparedCommit` Required to create a comment on the comparison between two commits in a CodeCommit repository. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [PostCommentReply](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_PostCommentReply.html) | `codecommit:PostCommentReply` Required to create a reply to a comment on a comparison between commits or on a pull request. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [PutCommentReaction](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_PutCommentReaction.html) | `codecommit:PutCommentReaction` Required to create or update an emoji reaction to a comment. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [UpdateComment](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_UpdateComment.html) | `codecommit:UpdateComment` Required to edit a comment on a comparison between commits or on a pull request. Comments can only be edited by the comment author. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
## Permissions for actions on committed code
The following permissions allow or deny actions on code committed to CodeCommit repositories. These permissions pertain to actions performed with the CodeCommit console and the CodeCommit API, and commands performed using the AWS CLI. They do not pertain to similar actions that can be performed using the Git protocol. For example, the **git commit** command creates a commit for a branch in a repository using the Git protocol. It's not affected by any permissions for the CodeCommit `CreateCommit` operation.
Explicitly denying some of these permissions might result in unexpected consequences in the CodeCommit console. For example, setting `GetTree` to `Deny` prevents users from navigating the contents of a repository in the console, but does not block users from viewing the contents of a file in the repository (if they are sent a link to the file in email, for example). Setting `GetBlob` to `Deny` prevents users from viewing the contents of files, but does not block users from browsing the structure of a repository. Setting `GetCommit` to `Deny` prevents users from retrieving details about commits. Setting `GetObjectIdentifier` to `Deny` blocks most of the functionality of code browsing. If you set all three of these actions to `Deny` in a policy, a user with that policy cannot browse code in the CodeCommit console.
Use the scroll bars to see the rest of the table.
**CodeCommit API Operations and Required Permissions for Actions on Committed Code**
| CodeCommit API Operations | Required Permissions (API Actions) | Resources |
| --- | --- | --- |
| BatchGetCommits | `codecommit:BatchGetCommits` Required to return information about one or more commits in a CodeCommit repository. This is an IAM policy permission only, not an API action that you can call. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [CreateCommit](https://docs.aws.amazon.com/codecommit/latest/APIReference/CreateCommit.html) | `codecommit:CreateCommit` Required to create a commit. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [GetCommit](https://docs.aws.amazon.com/codecommit/latest/APIReference/GetCommit.html) | `codecommit:GetCommit` Required to return information about a commit. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| GetCommitHistory | `codecommit:GetCommitHistory` Required to return information about the history of commits in a repository. This is an IAM policy permission only, not an API action that you can call. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [GetDifferences](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_GetDifferences.html) | `codecommit:GetDifferences` Required to return information about the differences between commit specifiers (such as a branch, tag, HEAD, commit ID, or other fully qualified reference). | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| GetObjectIdentifier | codecommit:GetObjectIdentifierRequired to resolve blobs, trees, and commits to their identifier. This is an IAM policy permission only, not an API action that you can call. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| GetReferences | codecommit:GetReferencesRequired to return all references, such as branches and tags. This is an IAM policy permission only, not an API action that you can call. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| GetTree | codecommit:GetTreeRequired to view the contents of a specified tree in a CodeCommit repository from the CodeCommit console. This is an IAM policy permission only, not an API action that you can call. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
## Permissions for actions on repositories
The following permissions allow or deny actions on CodeCommit repositories. These permissions pertain to actions performed with the CodeCommit console and the CodeCommit API, and to commands performed using the AWS CLI. They do not pertain to similar actions that can be performed using the Git protocol.
Use the scroll bars to see the rest of the table.
**CodeCommit API Operations and Required Permissions for Actions on Repositories**
| CodeCommit API Operations | Required Permissions (API Actions) | Resources |
| --- | --- | --- |
| [BatchGetRepositories](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_BatchGetRepositories.html) | `codecommit:BatchGetRepositories` Required to get information about multiple CodeCommit repositories in an Amazon Web Services account. In `Resource`, you must specify the names of all of the CodeCommit repositories for which a user is allowed (or denied) information. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [CreateRepository](https://docs.aws.amazon.com/codecommit/latest/APIReference/CreateRepository.html) | `codecommit:CreateRepository` Required to create a CodeCommit repository. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [DeleteRepository](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_DeleteRepository.html) | `codecommit:DeleteRepository` Required to delete a CodeCommit repository. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [GetRepository](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_GetRepository.html) | `codecommit:GetRepository` Required to get information about a single CodeCommit repository. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [ListRepositories](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_ListRepositories.html) | codecommit:ListRepositoriesRequired to get a list of the names and system IDs of multiple CodeCommit repositories for an Amazon Web Services account. The only allowed value for `Resource` for this action is all repositories (`*`). | \$1 |
| [UpdateRepositoryDescription](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_UpdateRepositoryDescription.html) | codecommit:UpdateRepositoryDescriptionRequired to change the description of a CodeCommit repository. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [UpdateRepositoryName](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_UpdateRepositoryName.html) | codecommit:UpdateRepositoryNameRequired to change the name of a CodeCommit repository. In `Resource`, you must specify both the CodeCommit repositories that are allowed to be changed and the new repository names. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
## Permissions for actions on tags
The following permissions allow or deny actions on AWS tags for CodeCommit resources.
Use the scroll bars to see the rest of the table.
**CodeCommit API Operations and Required Permissions for Actions on Tags**
| CodeCommit API Operations | Required Permissions (API Actions) | Resources |
| --- | --- | --- |
| [ListTagsForResource](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_ListTagsForResource.html) | `codecommit:ListTagsForResource` Required to return information about AWS tags configured on a resource in CodeCommit. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [TagResource](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_TagResource.html) | `codecommit:TagResource` Required to add or edit AWS tags for a resource in CodeCommit. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [UntagResource](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_UntagResource.html) | `codecommit:UntagResource` Required to remove AWS tags from a resource in CodeCommit. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
## Permissions for actions on triggers
The following permissions allow or deny actions on triggers for CodeCommit repositories.
Use the scroll bars to see the rest of the table.
**CodeCommit API Operations and Required Permissions for Actions on Triggers**
| CodeCommit API Operations | Required Permissions (API Actions) | Resources |
| --- | --- | --- |
| [GetRepositoryTriggers](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_GetRepositoryTriggers.html) | `codecommit:GetRepositoryTriggers` Required to return information about triggers configured for a repository. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [PutRepositoryTriggers](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_PutRepositoryTriggers.html) | `codecommit:PutRepositoryTriggers` Required to create, edit, or delete triggers for a repository. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [TestRepositoryTriggers](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_TestRepositoryTriggers.html) | `codecommit:TestRepositoryTriggers` Required to test the functionality of a repository trigger by sending data to the topic or function configured for the trigger. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
## Permissions for actions on CodePipeline integration
In order for CodePipeline to use a CodeCommit repository in a source action for a pipeline, you must grant all of the permissions listed in the following table to the service role for CodePipeline. If these permissions are not set in the service role or are set to **Deny**, the pipeline does not run automatically when a change is made to the repository, and changes cannot be released manually.
Use the scroll bars to see the rest of the table.
**CodeCommit API Operations and Required Permissions for Actions on CodePipeline Integration**
| CodeCommit API Operations | Required Permissions (API Actions) | Resources |
| --- | --- | --- |
| [GetBranch](https://docs.aws.amazon.com/codecommit/latest/APIReference/API_GetBranch.html) | `codecommit:GetBranch` Required to get details about a branch in a CodeCommit repository. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| [GetCommit](https://docs.aws.amazon.com/codecommit/latest/APIReference/GetCommit.html) | `codecommit:GetCommit` Required to return information about a commit to the service role for CodePipeline. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| UploadArchive | `codecommit:UploadArchive` Required to allow the service role for CodePipeline to upload repository changes into a pipeline. This is an IAM policy permission only, not an API action that you can call. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| GetUploadArchiveStatus | `codecommit:GetUploadArchiveStatus` Required to determine the status of an archive upload: whether it is in progress, complete, cancelled, or if an error occurred. This is an IAM policy permission only, not an API action that you can call. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
| CancelUploadArchive | codecommit:CancelUploadArchiveRequired to cancel the uploading of an archive to a pipeline. This is an IAM policy permission only, not an API action that can be called. | arn:aws:codecommit:*region*:*account-id*:*repository-name* |
# How AWS CodeCommit works with IAM
Before you use IAM to manage access to CodeCommit, you should understand what IAM features are available to use with CodeCommit. To get a high-level view of how CodeCommit and other AWS services work with IAM, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*.
**Topics**
+ [
## Condition keys
](#security_iam_service-with-iam-id-based-policies-conditionkeys)
+ [
## Examples
](#security_iam_service-with-iam-id-based-policies-examples)
## Condition keys
Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.
The `Condition` element specifies when statements execute based on defined criteria. You can create conditional expressions that use [condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html), such as equals or less than, to match the condition in the policy with values in the request. To see all AWS global condition keys, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.
CodeCommit defines its own set of condition keys and also supports using some global condition keys. To see all AWS global condition keys, see [AWS Global Condition Context Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.
Some CodeCommit actions support the `codecommit:References` condition key. For an example policy that uses this key, see [Example 4: Deny or allow actions on branches](customer-managed-policies.md#identity-based-policies-example-4).
To see a list of CodeCommit condition keys, see [Condition Keys for AWS CodeCommit](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awscodecommit.html#awscodecommit-policy-keys) in the *IAM User Guide*. To learn with which actions and resources you can use a condition key, see [Actions Defined by AWS CodeCommit](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awscodecommit.html#awscodecommit-actions-as-permissions).
## Examples
To view examples of CodeCommit identity-based policies, see [AWS CodeCommit identity-based policy examples](security-iam.md#security_iam_id-based-policy-examples).
## CodeCommit resource-based policies
CodeCommit does not support resource-based policies.
## Authorization based on CodeCommit tags
You can attach tags to CodeCommit resources or pass tags in a request to CodeCommit. To control access based on tags, you provide tag information in the [condition element](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) of a policy using the `codecommit:ResourceTag/key-name`, `aws:RequestTag/key-name`, or `aws:TagKeys` condition keys. For more information about tagging CodeCommit resources, see [Example 5: Deny or allow actions on repositories with tags](customer-managed-policies.md#identity-based-policies-example-5). For more information about tagging strategies, see [Tagging AWS Resources](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html).
CodeCommit also supports policies based on session tags. For more information, see [Session Tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html).
### Using tags to provide identity information in CodeCommit
CodeCommit supports the use of session tags, which are key-value pair attributes that you pass when you assume an IAM role, use temporary credentials, or federate a user in AWS Security Token Service (AWS STS). You can also associate tags with an IAM user. You can use the information provided in these tags to make it easier to identify who made a change or caused an event. CodeCommit includes the values for tags with the following key names in CodeCommit events:
****
| Key name | Value |
| --- | --- |
| displayName | The human-readable name to display and associate with the user (for example, Mary Major or Saanvi Sarkar). |
| emailAddress | The email address you want displayed for and associated with the user (for example, mary\$1major@example.com or saanvi\$1sarkar@example.com). |
If this information is provided, CodeCommit includes it in events sent to Amazon EventBridge and Amazon CloudWatch Events. For more information, see [Monitoring CodeCommit events in Amazon EventBridge and Amazon CloudWatch Events](monitoring-events.md).
To use session tagging, roles must have policies that include the `sts:TagSession` permission set to `Allow`. If you are using federated access, you can configure display name and email tag information as part of your setup. For example, if you're using Azure Active Directory, you might provide the following claim information:
****
| Claim name | Value |
| --- | --- |
| https://aws.amazon.com/SAML/Attributes/PrincipalTag:displayName | user.displayname |
| https://aws.amazon.com/SAML/Attributes/PrincipalTag:emailAddress | user.mail |
You can use the AWS CLI to pass session tags for `displayName` and `emailAddress` using **AssumeRole**. For example, a user who wants to assume a role named *Developer* who wants to associate her name *Mary Major* might use the **assume-role** command similar to the following:
```
aws sts assume-role \
--role-arn arn:aws:iam::123456789012:role/Developer \
--role-session-name Mary-Major \
–-tags Key=displayName,Value="Mary Major" Key=emailAddress,Value="mary_major@example.com" \
--external-id Example987
```
For more information, see [AssumeRole](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_adding-assume-role).
You can use the `AssumeRoleWithSAML` operation to return a set of temporary credentials that include `displayName` and `emailAddress` tags. You can use these tags when you access CodeCommit repositories. This requires that your company or group has already integrated your third-party SAML solution with AWS. If so, you can pass SAML attributes as session tags. For example, if you wanted to pass identity attributes for a display name and email address for a user named *Saanvi Sarkar* as session tags:
```
Saanvi Sarkar
saanvi_sarkar@example.com
```
For more information, see [Passing Session Tags using AssumeRoleWithSAML](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_adding-assume-role-saml).
You can use the `AssumeRoleWithIdentity` operation to return a set of temporary credentials that include `displayName` and `emailAddress` tags. You can use these tags when you access CodeCommit repositories. To pass session tags from OpenID Connect (OIDC), you must include the session tags in the JSON Web Token (JWT). For example, the decoded JWP token used to call `AssumeRoleWithWebIdentity` that includes the `displayName` and `emailAddress` session tags for a user named *Li Juan*:
```
{
"sub": "lijuan",
"aud": "ac_oic_client",
"jti": "ZYUCeREXAMPLE",
"iss": "https://xyz.com",
"iat": 1566583294,
"exp": 1566583354,
"auth_time": 1566583292,
"https://aws.amazon.com/tags": {
"principal_tags": {
"displayName": ["Li Juan"],
"emailAddress": ["li_juan@example.com"],
},
"transitive_tag_keys": [
"displayName",
"emailAddress"
]
}
}
```
For more information, see [Passing Session Tags using AssumeRoleWithWebIdentity](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_adding-assume-role-idp).
You can use the `GetFederationToken` operation to return a set of temporary credentials that include `displayName` and `emailAddress` tags. You can use these tags when you access CodeCommit repositories. For example, to use the AWS CLI to get a federation token that includes the `displayName` and `emailAddress` tags:
```
aws sts get-federation-token \
--name my-federated-user \
–-tags key=displayName,value="Nikhil Jayashankar" key=emailAddress,value=nikhil_jayashankar@example.com
```
For more information, see [Passing Session Tags using GetFederationToken](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_adding-getfederationtoken).
## CodeCommit IAM roles
An [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) is an entity within your Amazon Web Services account that has specific permissions.
### Using temporary credentials with CodeCommit
You can use temporary credentials to sign in with federation, assume an IAM role, or to assume a cross-account role. You obtain temporary security credentials by calling AWS STS API operations such as [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) or [GetFederationToken](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html).
CodeCommit supports using temporary credentials. For more information, see [Connecting to AWS CodeCommit repositories with rotating credentials](temporary-access.md).
### Service-linked roles
[Service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role) allow AWS services to access resources in other services to complete an action on your behalf. Service-linked roles appear in your IAM account and are owned by the service. An IAM administrator can view but not edit the permissions for service-linked roles.
CodeCommit does not use service-linked roles.
### Service roles
This feature allows a service to assume a [service role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-role) on your behalf. This role allows the service to access resources in other services to complete an action on your behalf. Service roles appear in your IAM account and are owned by the account. This means that an IAM administrator can change the permissions for this role. However, doing so might break the functionality of the service.
CodeCommit does not use service roles.
## AWS CodeCommit identity-based policy examples
By default, IAM users and roles don't have permission to create or modify CodeCommit resources. They also can't perform tasks using the AWS Management Console, AWS CLI, or AWS API. An IAM administrator must create IAM policies that grant users and roles permission to perform specific API operations on the specified resources they need. The administrator must then attach those policies to the IAM users or groups that require those permissions.
For examples of policies, see the following:
+ [Example 1: Allow a user to perform CodeCommit operations in a single AWS Region](customer-managed-policies.md#identity-based-policies-example-1)
+ [Example 2: Allow a user to use Git for a single repository](customer-managed-policies.md#identity-based-policies-example-2)
+ [Example 3: Allow a user connecting from a specified IP address range access to a repository](customer-managed-policies.md#identity-based-policies-example-3)
+ [Example 4: Deny or allow actions on branches](customer-managed-policies.md#identity-based-policies-example-4)
+ [Example 5: Deny or allow actions on repositories with tags](customer-managed-policies.md#identity-based-policies-example-5)
+ [Configure cross-account access to an AWS CodeCommit repository using roles](cross-account.md)
To learn how to create an IAM identity-based policy using these example JSON policy documents, see [Creating Policies on the JSON Tab](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-json-editor) in the *IAM User Guide*.
**Topics**
+ [
### Policy best practices
](#security_iam_service-with-iam-policy-best-practices)
+ [
### Using the CodeCommit console
](#security_iam_id-based-policy-examples-console)
+ [
### Allow users to view their own permissions
](#security_iam_id-based-policy-examples-view-own-permissions)
+ [
### Viewing CodeCommit *repositories* based on tags
](#security_iam_id-based-policy-examples-view-repositories-tags)
### Policy best practices
Identity-based policies determine whether someone can create, access, or delete CodeCommit resources in your account. These actions can incur costs for your AWS account. When you create or edit identity-based policies, follow these guidelines and recommendations:
+ **Get started with AWS managed policies and move toward least-privilege permissions** – To get started granting permissions to your users and workloads, use the *AWS managed policies* that grant permissions for many common use cases. They are available in your AWS account. We recommend that you reduce permissions further by defining AWS customer managed policies that are specific to your use cases. For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) or [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.
+ **Apply least-privilege permissions** – When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as *least-privilege permissions*. For more information about using IAM to apply permissions, see [ Policies and permissions in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.
+ **Use conditions in IAM policies to further restrict access** – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific AWS service, such as CloudFormation. For more information, see [ IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*.
+ **Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions** – IAM Access Analyzer validates new and existing policies so that the policies adhere to the IAM policy language (JSON) and IAM best practices. IAM Access Analyzer provides more than 100 policy checks and actionable recommendations to help you author secure and functional policies. For more information, see [Validate policies with IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html) in the *IAM User Guide*.
+ **Require multi-factor authentication (MFA)** – If you have a scenario that requires IAM users or a root user in your AWS account, turn on MFA for additional security. To require MFA when API operations are called, add MFA conditions to your policies. For more information, see [ Secure API access with MFA](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html) in the *IAM User Guide*.
For more information about best practices in IAM, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.
### Using the CodeCommit console
To access the AWS CodeCommit console, you must have a minimum set of permissions. These permissions must allow you to list and view details about the CodeCommit resources in your Amazon Web Services account. If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for entities (IAM users or roles) with that policy.
To ensure that those entities can still use the CodeCommit console, also attach the following AWS managed policy to the entities. For more information, see [Adding Permissions to a User](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*:
For more information, see [Using identity-based policies (IAM Policies) for CodeCommit](auth-and-access-control-iam-identity-based-access-control.md).
You don't need to allow minimum console permissions for users that are making calls only to the AWS CLI or the AWS API. Instead, allow access to only the actions that match the API operation that you're trying to perform.
### Allow users to view their own permissions
This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the AWS CLI or AWS API.
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ViewOwnUserInfo",
"Effect": "Allow",
"Action": [
"iam:GetUserPolicy",
"iam:ListGroupsForUser",
"iam:ListAttachedUserPolicies",
"iam:ListUserPolicies",
"iam:GetUser"
],
"Resource": ["arn:aws:iam::*:user/${aws:username}"]
},
{
"Sid": "NavigateInConsole",
"Effect": "Allow",
"Action": [
"iam:GetGroupPolicy",
"iam:GetPolicyVersion",
"iam:GetPolicy",
"iam:ListAttachedGroupPolicies",
"iam:ListGroupPolicies",
"iam:ListPolicyVersions",
"iam:ListPolicies",
"iam:ListUsers"
],
"Resource": "*"
}
]
}
```
### Viewing CodeCommit *repositories* based on tags
You can use conditions in your identity-based policy to control access to CodeCommit resources based on tags. For an example policy that demonstrates how to do this, see [Example 5: Deny or allow actions on repositories with tags](customer-managed-policies.md#identity-based-policies-example-5).
For more information, see [IAM JSON Policy Elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*.
## Troubleshooting AWS CodeCommit identity and access
Use the following information to help you diagnose and fix common issues that you might encounter when working with CodeCommit and IAM.
**Topics**
+ [
### I Am not authorized to perform an action in CodeCommit
](#security_iam_troubleshoot-no-permissions)
+ [
### I Am not authorized to perform iam:PassRole
](#security_iam_troubleshoot-passrole)
+ [
### I want to view my access keys
](#security_iam_troubleshoot-access-keys)
+ [
### I'm an administrator and want to allow others to access CodeCommit
](#security_iam_troubleshoot-admin-delegate)
+ [
### I want to allow people outside of my Amazon Web Services account to access my CodeCommit resources
](#security_iam_troubleshoot-cross-account-access)
### I Am not authorized to perform an action in CodeCommit
If the AWS Management Console tells you that you're not authorized to perform an action, then you must contact your administrator for assistance. Your administrator is the person that provided you with your sign-in credentials.
For more information, see [Permissions required to use the CodeCommit console](auth-and-access-control-iam-identity-based-access-control.md#console-permissions)
### I Am not authorized to perform iam:PassRole
If you receive an error that you're not authorized to perform the `iam:PassRole` action, your policies must be updated to allow you to pass a role to CodeCommit.
Some AWS services allow you to pass an existing role to that service instead of creating a new service role or service-linked role. To do this, you must have permissions to pass the role to the service.
The following example error occurs when an IAM user named `marymajor` tries to use the console to perform an action in CodeCommit. However, the action requires the service to have permissions that are granted by a service role. Mary does not have permissions to pass the role to the service.
```
User: arn:aws:iam::123456789012:user/marymajor is not authorized to perform: iam:PassRole
```
In this case, Mary's policies must be updated to allow her to perform the `iam:PassRole` action.
If you need help, contact your AWS administrator. Your administrator is the person who provided you with your sign-in credentials.
### I want to view my access keys
After you create your IAM user access keys, you can view your access key ID at any time. However, you can't view your secret access key again. If you lose your secret key, you must create a new access key pair.
Access keys consist of two parts: an access key ID (for example, `AKIAIOSFODNN7EXAMPLE`) and a secret access key (for example, `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`). Like a user name and password, you must use both the access key ID and secret access key together to authenticate your requests. Manage your access keys as securely as you do your user name and password.
**Important**
Do not provide your access keys to a third party, even to help [find your canonical user ID](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-identifiers.html#FindCanonicalId). By doing this, you might give someone permanent access to your AWS account.
When you create an access key pair, you are prompted to save the access key ID and secret access key in a secure location. The secret access key is available only at the time you create it. If you lose your secret access key, you must add new access keys to your IAM user. You can have a maximum of two access keys. If you already have two, you must delete one key pair before creating a new one. To view instructions, see [Managing access keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey) in the *IAM User Guide*.
### I'm an administrator and want to allow others to access CodeCommit
To allow others to access CodeCommit, you must grant permission to the people or applications that need access. If you are using AWS IAM Identity Center to manage people and applications, you assign permission sets to users or groups to define their level of access. Permission sets automatically create and assign IAM policies to IAM roles that are associated with the person or application. For more information, see [Permission sets](https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetsconcept.html) in the *AWS IAM Identity Center User Guide*.
If you are not using IAM Identity Center, you must create IAM entities (users or roles) for the people or applications that need access. You must then attach a policy to the entity that grants them the correct permissions in CodeCommit. After the permissions are granted, provide the credentials to the user or application developer. They will use those credentials to access AWS. To learn more about creating IAM users, groups, policies, and permissions, see [IAM Identities](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html) and [Policies and permissions in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.
### I want to allow people outside of my Amazon Web Services account to access my CodeCommit resources
For more information, see [Configure cross-account access to an AWS CodeCommit repository using roles](cross-account.md).