CodePipeline permissions reference

Use the following table as a reference when you are setting up access control and writing permissions policies that you can attach to an IAM identity (identity-based policies). The table lists each CodePipeline API operation and the corresponding actions for which you can grant permissions to perform the action. For operations that support resource-level permissions, the table lists the AWS resource for which you can grant the permissions. You specify the actions in the policy's Action field.

Resource-level permissions are those that allow you to specify which resources users are allowed to perform actions on. AWS CodePipeline provides partial support for resource-level permissions. This means that for some AWS CodePipeline API calls, you can control when users are allowed to use those actions based on conditions that must be met, or which resources users are allowed to use. For example, you can grant users permission to list pipeline execution information, but only for a specific pipeline or pipelines.

Note

The Resources column lists the resource required for API calls that support resource-level permissions. For API calls that do not support resource-level permissions, you can grant users permission to use it, but you have to specify a wildcard (*) for the resource element of your policy statement.

CodePipeline API Operations and required permissions for actions
CodePipeline API operations	Required permissions (API actions)	Resources
AcknowledgeJob	`codepipeline:AcknowledgeJob` Required to view information about a specified job and whether that job has been received by the job worker. Used for custom actions only.	Supports only a wildcard (*) in the policy `Resource` element.
AcknowledgeThirdPartyJob	`codepipeline:AcknowledgeThirdPartyJob` Required to confirm a job worker has received the specified job. Used for partner actions only.	Supports only a wildcard (*) in the policy `Resource` element.
CreateCustomActionType	`codepipeline:CreateCustomActionType` Required to create a custom action that can be used in all pipelines associated with the AWS account. Used for custom actions only.	Action Type `arn:aws:codepipeline:region:account:actiontype:owner/category/provider/version`
CreatePipeline	`codepipeline:CreatePipeline` Required to create a pipeline.	Pipeline `arn:aws:codepipeline:region:account:pipeline-name`
DeleteCustomActionType	`codepipeline:DeleteCustomActionType` Required to mark a custom action as deleted. `PollForJobs` for the custom action fails after the action is marked for deletion. Used for custom actions only.	Action Type `arn:aws:codepipeline:region:account:actiontype:owner/category/provider/version`
DeletePipeline	`codepipeline:DeletePipeline` Required to delete a pipeline.	Pipeline `arn:aws:codepipeline:region:account:pipeline-name`
DeleteWebhook	`codepipeline:DeleteWebhook` Required to delete a webhook.	Webhook `arn:aws:codepipeline:region:account:webhook:webhook-name`
DeregisterWebhookWithThirdParty	`codepipeline:DeregisterWebhookWithThirdParty` Before a webhook is deleted, required to remove the connection between the webhook that was created by CodePipeline and the external tool with events to be detected. Currently supported only for webhooks that target an action type of GitHub.	Webhook `arn:aws:codepipeline:region:account:webhook:webhook-name`
DisableStageTransition	`codepipeline:DisableStageTransition` Required to prevent artifacts in a pipeline from transitioning to the next stage in the pipeline.	Pipeline `arn:aws:codepipeline:region:account:pipeline-name`
EnableStageTransition	`codepipeline:EnableStageTransition` Required to enable artifacts in a pipeline to transition to a stage in a pipeline.	Pipeline `arn:aws:codepipeline:region:account:pipeline-name`
GetJobDetails	`codepipeline:GetJobDetails` Required to retrieve information about a job. Used for custom actions only.	No resource required.
GetPipeline	`codepipeline:GetPipeline` Required to retrieve the structure, stages, actions, and metadata of a pipeline, including the pipeline ARN.	Pipeline `arn:aws:codepipeline:region:account:pipeline-name`
GetPipelineExecution	`codepipeline:GetPipelineExecution` Required to retrieve information about an execution of a pipeline, including details about artifacts, the pipeline execution ID, and the name, version, and status of the pipeline.	Pipeline `arn:aws:codepipeline:region:account:pipeline-name`
GetPipelineState	`codepipeline:GetPipelineState` Required to retrieve information about the state of a pipeline, including the stages and actions.	Pipeline `arn:aws:codepipeline:region:account:pipeline-name`
GetThirdPartyJobDetails	`codepipeline:GetThirdPartyJobDetails` Required to request the details of a job for a third-party action. Used for partner actions only.	Supports only a wildcard (*) in the policy `Resource` element.
ListActionExecutions	`codepipeline:ListActionExecutions` Required to generate a summary of all executions for an action.	Pipeline `arn:aws:codepipeline:region:account:pipeline-name`
ListActionTypes	`codepipeline:ListActionTypes` Required to generate a summary of all CodePipeline action types associated with your account.	Supports only a wildcard (*) in the policy `Resource` element.
ListPipelineExecutions	`codepipeline:ListPipelineExecutions` Required to generate a summary of the most recent executions for a pipeline.	Pipeline `arn:aws:codepipeline:region:account:pipeline-name`
ListPipelines	`codepipeline:ListPipelines` Required to generate a summary of all of the pipelines associated with your account.	Pipeline ARN with wildcard (resource-level permissions at the pipeline name level are not supported) `arn:aws:codepipeline:region:account:*`
ListTagsForResource	`codepipeline:ListTagsForResource` Required to list tags for a specified resource. Resources are optional.	Action Type `arn:aws:codepipeline:region:account:actiontype:owner/category/provider/version`
		Pipeline `arn:aws:codepipeline:region:account:pipeline-name`
		Webhook `arn:aws:codepipeline:region:account:webhook:webhook-name`
ListWebhooks	`codepipeline:ListWebhooks` Required to list all of the webhooks in the account for that Region.	Webhook `arn:aws:codepipeline:region:account:webhook:webhook-name`
PollForJobs	`codepipeline:PollForJobs` Required to get a listing of all of the webhooks in this Region for this account.	Action Type `arn:aws:codepipeline:region:account:actiontype:owner/category/provider/version`
PollForThirdPartyJobs	`codepipeline:PollForThirdPartyJobs` Required to determine whether there are any third-party jobs for a job worker to act on. Used for partner actions only.	Supports only a wildcard (*) in the policy `Resource` element.
PutActionRevision	`codepipeline:PutActionRevision` Required to report information to CodePipeline about new revisions to a source	Action `arn:aws:codepipeline:region:account:pipeline-name/stage-name/action-name`
PutApprovalResult	`codepipeline:PutApprovalResult` Required to report the response to a manual approval request to CodePipeline. Valid responses are `Approved` and `Rejected`.	Action `arn:aws:codepipeline:region:account:pipeline-name/stage-name/action-name` Note This API call supports resource-level permissions. However, you might encounter an error if you use the IAM console or Policy Generator to create policies with `"codepipeline:PutApprovalResult"` that specify a resource ARN. If you encounter an error, you can use the JSON tab in the IAM console or the CLI to create a policy.
PutJobFailureResult	`codepipeline:PutJobFailureResult` Required to report the failure of a job as returned to the pipeline by a job worker. Used for custom actions only.	Supports only a wildcard (*) in the policy `Resource` element.
PutJobSuccessResult	`codepipeline:PutJobSuccessResult` Required to report the success of a job as returned to the pipeline by a job worker. Used for custom actions only.	Supports only a wildcard (*) in the policy `Resource` element.
PutThirdPartyJobFailureResult	`codepipeline:PutThirdPartyJobFailureResult` Required to report the failure of a third-party job as returned to the pipeline by a job worker. Used for partner actions only.	Supports only a wildcard (*) in the policy `Resource` element.
PutThirdPartyJobSuccessResult	`codepipeline:PutThirdPartyJobSuccessResult` Required to report the success of a third-party job as returned to the pipeline by a job worker. Used for partner actions only.	Supports only a wildcard (*) in the policy `Resource` element.
PutWebhook	`codepipeline:PutWebhook` Required to create a webhook.	Pipeline `arn:aws:codepipeline:region:account:pipeline-name`
PutWebhook	`codepipeline:PutWebhook` Required to create a webhook.	Webhook `arn:aws:codepipeline:region:account:webhook:webhook-name`
RegisterWebhookWithThirdParty	`codepipeline:RegisterWebhookWithThirdParty` After a webhook is created, required to configure supported third parties to call the generated webhook URL.	Webhook `arn:aws:codepipeline:region:account:webhook:webhook-name`
RetryStageExecution	`codepipeline:RetryStageExecution` Required to resume the pipeline execution by retrying the last failed actions in a stage.	Pipeline `arn:aws:codepipeline:region:account:pipeline-name/stage-name`
StartPipelineExecution	`codepipeline:StartPipelineExecution` Required to start the specified pipeline (specifically, to start processing the latest commit to the source location specified as part of the pipeline).	Pipeline `arn:aws:codepipeline:region:account:pipeline-name`
StopPipelineExecution	`codepipeline:StopPipelineExecution` Required to stop the specified pipeline execution. You choose to either stop the pipeline execution by completing in-progress actions without starting subsequent actions, or by abandoning in-progress actions.	Pipeline `arn:aws:codepipeline:region:account:pipeline-name`
TagResource	`codepipeline:TagResource` Required to tag the specified resource. Resources are optional.	Action Type `arn:aws:codepipeline:region:account:actiontype:owner/category/provider/version`
		Pipeline `arn:aws:codepipeline:region:account:pipeline-name`
		Webhook `arn:aws:codepipeline:region:account:webhook:webhook-name`
UntagResource	`codepipeline:UntagResource` Required to untag the specified resource. Resources are optional.	Action Type `arn:aws:codepipeline:region:account:actiontype:owner/category/provider/version`
		Pipeline `arn:aws:codepipeline:region:account:pipeline-name`
		Webhook `arn:aws:codepipeline:region:account:webhook:webhook-name`
UpdatePipeline	`codepipeline:UpdatePipeline` Required to update a specified pipeline with edits or changes to its structure.	Pipeline `arn:aws:codepipeline:region:account:pipeline-name`

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Troubleshooting

Incident response