Identity-based policies (IAM) examples
You can attach policies to IAM identities. For example, you can do the following:
-
Attach a permissions policy to a user or a group in your account – To grant a user permissions to view pipelines in the CodePipeline console, you can attach a permissions policy to a user or group that the user belongs to.
-
Attach a permissions policy to a role (grant cross-account permissions) – You can attach an identity-based permissions policy to an IAM role to grant cross-account permissions. For example, the administrator in Account A can create a role to grant cross-account permissions to another AWS account (for example, Account B) or an AWS service as follows:
-
Account A administrator creates an IAM role and attaches a permissions policy to the role that grants permissions on resources in Account A.
-
Account A administrator attaches a trust policy to the role identifying Account B as the principal who can assume the role.
-
Account B administrator can then delegate permissions to assume the role to any users in Account B. Doing this allows users in Account B to create or access resources in Account A. The principal in the trust policy can also be an AWS service principal if you want to grant an AWS service permissions to assume the role.
For more information about using IAM to delegate permissions, see Access Management in the IAM User Guide.
-
The following shows an example of a permissions policy that grants permissions to
disable and enable transitions between all stages in the pipeline named
MyFirstPipeline
in the us-west-2
region
:
{ "Version": "2012-10-17", "Statement" : [ { "Effect" : "Allow", "Action" : [ "codepipeline:EnableStageTransition", "codepipeline:DisableStageTransition" ], "Resource" : [ "arn:aws:codepipeline:us-west-2:111222333444:MyFirstPipeline/*" ] } ] }
The following example shows a policy in the 111222333444 account that allows users
to view, but not change, the pipeline named MyFirstPipeline
in the
CodePipeline console. This policy is based on the AWSCodePipeline_ReadOnlyAccess
managed policy,
but because it is specific to the MyFirstPipeline
pipeline, it cannot
use the managed policy directly. If you do not want to restrict the policy to a
specific pipeline, consider using one of the managed policies created and maintained
by CodePipeline. For more information, see Working with Managed
Policies. You must attach this policy to an IAM role you create for
access, for example, a role named CrossAccountPipelineViewers
:
{ "Statement": [ { "Action": [ "codepipeline:GetPipeline", "codepipeline:GetPipelineState", "codepipeline:GetPipelineExecution", "codepipeline:ListPipelineExecutions", "codepipeline:ListActionExecutions", "codepipeline:ListActionTypes", "codepipeline:ListPipelines", "codepipeline:ListTagsForResource", "iam:ListRoles", "s3:ListAllMyBuckets", "codecommit:ListRepositories", "codedeploy:ListApplications", "lambda:ListFunctions", "codestar-notifications:ListNotificationRules", "codestar-notifications:ListEventTypes", "codestar-notifications:ListTargets" ], "Effect": "Allow", "Resource": "arn:aws:codepipeline:us-west-2:111222333444:MyFirstPipeline" }, { "Action": [ "codepipeline:GetPipeline", "codepipeline:GetPipelineState", "codepipeline:GetPipelineExecution", "codepipeline:ListPipelineExecutions", "codepipeline:ListActionExecutions", "codepipeline:ListActionTypes", "codepipeline:ListPipelines", "codepipeline:ListTagsForResource", "iam:ListRoles", "s3:GetBucketPolicy", "s3:GetObject", "s3:ListBucket", "codecommit:ListBranches", "codedeploy:GetApplication", "codedeploy:GetDeploymentGroup", "codedeploy:ListDeploymentGroups", "elasticbeanstalk:DescribeApplications", "elasticbeanstalk:DescribeEnvironments", "lambda:GetFunctionConfiguration", "opsworks:DescribeApps", "opsworks:DescribeLayers", "opsworks:DescribeStacks" ], "Effect": "Allow", "Resource": "*" }, { "Sid": "CodeStarNotificationsReadOnlyAccess", "Effect": "Allow", "Action": [ "codestar-notifications:DescribeNotificationRule" ], "Resource": "*", "Condition": { "StringLike": { "codestar-notifications:NotificationsForResource": "arn:aws:codepipeline:*" } } } ], "Version": "2012-10-17" }
After you create this policy, create the IAM role in the 111222333444 account
and attach the policy to that role. In the role's trust relationships, you must add
the AWS account that will assume this role. The following example shows a policy
that allows users from the 111111111111
AWS account to
assume roles defined in the 111222333444 account:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::
111111111111
:root" }, "Action": "sts:AssumeRole" } ] }
The following example shows a policy created in the
111111111111
AWS account that allows users to
assume the role named CrossAccountPipelineViewers
in the
111222333444 account:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::111222333444:role/
CrossAccountPipelineViewers
" } ] }
You can create IAM policies to restrict the calls and resources that users in your account have access to, and then attach those policies to your administrative user. For more information about how to create IAM roles and to explore example IAM policy statements for CodePipeline, see Customer managed policy examples.