Identity and access management for AWS CodeStar Notifications and AWS CodeConnections
AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be authenticated (signed in) and authorized (have permissions) to use AWS CodeStar Notifications and AWS CodeConnections resources. IAM is an AWS service that you can use with no additional charge.
Note
Actions for resources that are created under the new service prefix
codeconnections are available. Creating a resource under the new
service prefix will use codeconnections in the resource ARN. Actions and
resources for the codestar-connections service prefix remain available.
When specifying a resource in the IAM policy, the service prefix needs to match that of
the resource.
Topics
- Audience
- Authenticating with identities
- Managing access using policies
- How features in the developer tools console work with IAM
- AWS CodeConnections permissions reference
- Identity-based policy examples
- Using tags to control access to AWS CodeConnections resources
- Using notifications and connections in the console
- Allow users to view their own permissions
- Troubleshooting AWS CodeStar Notifications and AWS CodeConnections identity and access
- Using service-linked roles for AWS CodeStar Notifications
- Using service-linked roles for AWS CodeConnections
- AWS managed policies for AWS CodeConnections
Audience
How you use AWS Identity and Access Management (IAM) differs, depending on the work that you do in AWS CodeStar Notifications and AWS CodeConnections.
Service user – If you use the AWS CodeStar Notifications and AWS CodeConnections service to do your job, then your administrator provides you with the credentials and permissions that you need. As you use more AWS CodeStar Notifications and AWS CodeConnections features to do your work, you might need additional permissions. Understanding how access is managed can help you request the right permissions from your administrator. If you cannot access a feature in AWS CodeStar Notifications and AWS CodeConnections, see Troubleshooting AWS CodeStar Notifications and AWS CodeConnections identity and access.
Service administrator – If you're in charge of AWS CodeStar Notifications and AWS CodeConnections resources at your company, you probably have full access to AWS CodeStar Notifications and AWS CodeConnections. It's your job to determine which AWS CodeStar Notifications and AWS CodeConnections features and resources your service users should access. You must then submit requests to your IAM administrator to change the permissions of your service users. Review the information on this page to understand the basic concepts of IAM. To learn more about how your company can use IAM with AWS CodeStar Notifications and AWS CodeConnections, see How features in the developer tools console work with IAM.
IAM administrator – If you're an IAM administrator, you might want to learn details about how you can write policies to manage access to AWS CodeStar Notifications and AWS CodeConnections. To view example AWS CodeStar Notifications and AWS CodeConnections identity-based policies that you can use in IAM, see Identity-based policy examples.
Authenticating with identities
Authentication is how you sign in to AWS using your identity credentials. You must be authenticated (signed in to AWS) as the AWS account root user, as an IAM user, or by assuming an IAM role.
You can sign in to AWS as a federated identity by using credentials provided through an identity source. AWS IAM Identity Center (IAM Identity Center) users, your company's single sign-on authentication, and your Google or Facebook credentials are examples of federated identities. When you sign in as a federated identity, your administrator previously set up identity federation using IAM roles. When you access AWS by using federation, you are indirectly assuming a role.
Depending on the type of user you are, you can sign in to the AWS Management Console or the AWS access portal. For more information about signing in to AWS, see How to sign in to your AWS account in the AWS Sign-In User Guide.
If you access AWS programmatically, AWS provides a software development kit (SDK) and a command line interface (CLI) to cryptographically sign your requests by using your credentials. If you don't use AWS tools, you must sign requests yourself. For more information about using the recommended method to sign requests yourself, see AWS Signature Version 4 for API requests in the IAM User Guide.
Regardless of the authentication method that you use, you might be required to provide additional security information. For example, AWS recommends that you use multi-factor authentication (MFA) to increase the security of your account. To learn more, see Multi-factor authentication in the AWS IAM Identity Center User Guide and AWS Multi-factor authentication in IAM in the IAM User Guide.
AWS account root user
When you create an AWS account, you begin with one sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account. We strongly recommend that you don't use the root user for your everyday tasks. Safeguard your root user credentials and use them to perform the tasks that only the root user can perform. For the complete list of tasks that require you to sign in as the root user, see Tasks that require root user credentials in the IAM User Guide.
IAM users and groups
An IAM user is an identity within your AWS account that has specific permissions for a single person or application. Where possible, we recommend relying on temporary credentials instead of creating IAM users who have long-term credentials such as passwords and access keys. However, if you have specific use cases that require long-term credentials with IAM users, we recommend that you rotate access keys. For more information, see Rotate access keys regularly for use cases that require long-term credentials in the IAM User Guide.
An IAM group is an identity that specifies a collection of IAM users. You can't sign in as a group. You can use groups to specify permissions for multiple users at a time. Groups make permissions easier to manage for large sets of users. For example, you could have a group named IAMAdmins and give that group permissions to administer IAM resources.
Users are different from roles. A user is uniquely associated with one person or application, but a role is intended to be assumable by anyone who needs it. Users have permanent long-term credentials, but roles provide temporary credentials. To learn more, see Use cases for IAM users in the IAM User Guide.
IAM roles
An IAM role is an identity within your AWS account that has specific permissions. It is similar to an IAM user, but is not associated with a specific person. To temporarily assume an IAM role in the AWS Management Console, you can switch from a user to an IAM role (console). You can assume a role by calling an AWS CLI or AWS API operation or by using a custom URL. For more information about methods for using roles, see Methods to assume a role in the IAM User Guide.
IAM roles with temporary credentials are useful in the following situations:
-
Federated user access – To assign permissions to a federated identity, you create a role and define permissions for the role. When a federated identity authenticates, the identity is associated with the role and is granted the permissions that are defined by the role. For information about roles for federation, see Creating a role for a third-party Identity Provider in the IAM User Guide. If you use IAM Identity Center, you configure a permission set. To control what your identities can access after they authenticate, IAM Identity Center correlates the permission set to a role in IAM. For information about permissions sets, see Permission sets in the AWS IAM Identity Center User Guide.
-
Temporary IAM user permissions – An IAM user or role can assume an IAM role to temporarily take on different permissions for a specific task.
-
Cross-account access – You can use an IAM role to allow someone (a trusted principal) in a different account to access resources in your account. Roles are the primary way to grant cross-account access. However, with some AWS services, you can attach a policy directly to a resource (instead of using a role as a proxy). To learn the difference between roles and resource-based policies for cross-account access, see Cross account resource access in IAM in the IAM User Guide.
-
Cross-service access – Some AWS services use features in other AWS services. For example, when you make a call in a service, it's common for that service to run applications in Amazon EC2 or store objects in Amazon S3. A service might do this using the calling principal's permissions, using a service role, or using a service-linked role.
-
Forward access sessions (FAS) – When you use an IAM user or role to perform actions in AWS, you are considered a principal. When you use some services, you might perform an action that then initiates another action in a different service. FAS uses the permissions of the principal calling an AWS service, combined with the requesting AWS service to make requests to downstream services. FAS requests are only made when a service receives a request that requires interactions with other AWS services or resources to complete. In this case, you must have permissions to perform both actions. For policy details when making FAS requests, see Forward access sessions.
-
Service role – A service role is an IAM role that a service assumes to perform actions on your behalf. An IAM administrator can create, modify, and delete a service role from within IAM. For more information, see Creating a role to delegate permissions to an AWS service in the IAM User Guide.
-
Service-linked role – A service-linked role is a type of service role that is linked to an AWS service. The service can assume the role to perform an action on your behalf. Service-linked roles appear in your AWS account and are owned by the service. An IAM administrator can view, but not edit the permissions for service-linked roles.
-
-
Applications running on Amazon EC2 – You can use an IAM role to manage temporary credentials for applications that are running on an EC2 instance and making AWS CLI or AWS API requests. This is preferable to storing access keys within the EC2 instance. To assign an AWS role to an EC2 instance and make it available to all of its applications, you create an instance profile that is attached to the instance. An instance profile contains the role and enables programs that are running on the EC2 instance to get temporary credentials. For more information, see Using an IAM role to grant permissions to applications running on Amazon EC2 instances in the IAM User Guide.
Managing access using policies
You control access in AWS by creating policies and attaching them to AWS identities or resources. A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. AWS evaluates these policies when a principal (user, root user, or role session) makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents. For more information about the structure and contents of JSON policy documents, see Overview of JSON policies in the IAM User Guide.
Administrators can use AWS JSON policies to specify who has access to what. That is, which principal can perform actions on what resources, and under what conditions.
By default, users and roles have no permissions. To grant users permission to perform actions on the resources that they need, an IAM administrator can create IAM policies. The administrator can then add the IAM policies to roles, and users can assume the roles.
IAM policies define permissions for an action regardless of the method that you use to perform the operation. For example, suppose that you have a
policy that allows the iam:GetRole action. A user with that policy can get role information from the AWS Management Console, the AWS CLI, or the AWS
API.
Identity-based policies
Identity-based policies are JSON permissions policy documents that you can attach to an identity, such as an IAM user, group of users, or role. These policies control what actions users and roles can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see Define custom IAM permissions with customer managed policies in the IAM User Guide.
Identity-based policies can be further categorized as inline policies or managed policies. Inline policies are embedded directly into a single user, group, or role. Managed policies are standalone policies that you can attach to multiple users, groups, and roles in your AWS account. Managed policies include AWS managed policies and customer managed policies. To learn how to choose between a managed policy or an inline policy, see Choose between managed policies and inline policies in the IAM User Guide.
AWS CodeConnections permissions reference
The following tables list each AWS CodeConnections API operation, the corresponding actions for which you can grant permissions, and the format of the resource ARN to use for granting permissions. The AWS CodeConnections APIs are grouped into tables based on the scope of the actions allowed by that API. Refer to it when writing permissions policies that you can attach to an IAM identity (identity-based policies).
When you create a permissions policy, you specify the actions in the policy's
Action field. You specify the resource value in the policy's
Resource field as an ARN, with or without a wildcard character (*).
To express conditions in your connections policies, use the condition keys described here and listed in Condition keys. You can also use AWS-wide condition keys. For a complete list of AWS-wide keys, see Available keys in the IAM User Guide.
To specify an action, use the codeconnections prefix followed by the API
operation name (for example, codeconnections:ListConnections or
codeconnections:CreateConnection.
Using wildcards
To specify multiple actions or resources, use a wildcard character (*) in your ARN.
For example, codeconnections:* specifies all AWS CodeConnections actions
and codeconnections:Get* specifies all AWS CodeConnections actions that
begin with the word Get. The following example grants access to all
resources with names that begin with MyConnection.
arn:aws:codeconnections:us-west-2:account-ID:connection/*
You can use wildcards only with the connection resources
listed in the following table. You can't use wildcards with
region or account-id
resources. For more information about wildcards, see IAM identifiers in
IAM User Guide.
Topics
- Permissions for managing connections
- Permissions for managing hosts
- Permissions for completing connections
- Permissions for setting up hosts
- Passing a connection to a service
- Using a connection
- Supported access types for ProviderAction
- Supported permissions for tagging connection resources
- Passing a connection to a repository link
- Supported condition key for repository links
Permissions for managing connections
A role or user designated to use the AWS CLI or SDK to view, create, or delete connections should have permissions limited to the following.
Note
You cannot complete or use a connection in the console with only the following permissions. You need to add the permissions in Permissions for completing connections.
codeconnections:CreateConnection codeconnections:DeleteConnection codeconnections:GetConnection codeconnections:ListConnections
Use the scroll bars to see the rest of the table.
| AWS CodeConnections actions | Required permissions | Resources |
|---|---|---|
|
CreateConnection |
Required to use the CLI or console to create a connection. |
arn:aws:codeconnections: |
|
DeleteConnection |
Required to use the CLI or console to delete a connection. |
arn:aws:codeconnections: |
|
GetConnection |
Required to use the CLI or console to view details about a connection. |
arn:aws:codeconnections: |
|
ListConnections |
Required to use the CLI or console to list all connections in the account. |
arn:aws:codeconnections: |
These operations support the following condition keys:
| Action | Condition keys |
|---|---|
|
|
|
codeconnections:DeleteConnection |
N/A |
codeconnections:GetConnection |
N/A |
codeconnections:ListConnections |
codeconnections:ProviderTypeFilter |
Permissions for managing hosts
A role or user designated to use the AWS CLI or SDK to view, create, or delete hosts should have permissions limited to the following.
Note
You cannot complete or use a connection in the host with only the following permissions. You need to add the permissions in Permissions for setting up hosts.
codeconnections:CreateHost codeconnections:DeleteHost codeconnections:GetHost codeconnections:ListHosts
Use the scroll bars to see the rest of the table.
| AWS CodeConnections actions | Required permissions | Resources |
|---|---|---|
|
CreateHost |
Required to use the CLI or console to create a host. |
arn:aws:codeconnections: |
|
DeleteHost |
Required to use the CLI or console to delete a host. |
codeconnections: |
|
GetHost |
Required to use the CLI or console to view details about a host. |
arn:aws:codeconnections: |
|
ListHosts |
Required to use the CLI or console to list all hosts in the account. |
arn:aws:codeconnections: |
These operations support the following condition keys:
| Action | Condition keys |
|---|---|
|
|
|
codeconnections:DeleteHost |
N/A |
codeconnections:GetHost |
N/A |
codeconnections:ListHosts |
codeconnections:ProviderTypeFilter |
Permissions for completing connections
A role or user designated to manage connections in the console should have the permissions required to complete a connection in the console and create an installation, which includes authorizing the handshake to the provider and creating installations for connections to use. Use the following permissions in addition to the permissions above.
The following IAM operations are used by the console when performing a
browser-based handshake. The ListInstallationTargets,
GetInstallationUrl, StartOAuthHandshake,
UpdateConnectionInstallation, and
GetIndividualAccessToken are IAM policy permissions. They are not
API actions.
codeconnections:GetIndividualAccessToken codeconnections:GetInstallationUrl codeconnections:ListInstallationTargets codeconnections:StartOAuthHandshake codeconnections:UpdateConnectionInstallation
Based on this, the following permissions are needed to use, create, update, or delete a connection in the console.
codeconnections:CreateConnection codeconnections:DeleteConnection codeconnections:GetConnection codeconnections:ListConnections codeconnections:UseConnection codeconnections:ListInstallationTargets codeconnections:GetInstallationUrl codeconnections:StartOAuthHandshake codeconnections:UpdateConnectionInstallation codeconnections:GetIndividualAccessToken
Use the scroll bars to see the rest of the table.
| AWS CodeConnections actions | Required permissions | Resources |
|---|---|---|
|
|
Required to use the console to complete a connection. This is an IAM policy permission only, not an API action. |
arn:aws:codeconnections: |
|
|
Required to use the console to complete a connection. This is an IAM policy permission only, not an API action. |
arn:aws:codeconnections: |
|
|
Required to use the console to complete a connection. This is an IAM policy permission only, not an API action. |
arn:aws:codeconnections: |
|
|
Required to use the console to complete a connection. This is an IAM policy permission only, not an API action. |
arn:aws:codeconnections: |
|
|
Required to use the console to complete a connection. This is an IAM policy permission only, not an API action. |
arn:aws:codeconnections: |
These operations support the following condition keys.
| Action | Condition keys |
|---|---|
codeconnections:GetIndividualAccessToken |
codeconnections:ProviderType |
codeconnections:GetInstallationUrl |
codeconnections:ProviderType |
|
|
N/A |
codeconnections:StartOAuthHandshake |
codeconnections:ProviderType |
codeconnections:UpdateConnectionInstallation |
codeconnections:InstallationId |
Permissions for setting up hosts
A role or user designated to manage connections in the console should have the permissions required to set up a host in the console, which includes authorizing the handshake to the provider and installing the host app. Use the following permissions in addition to the permissions for hosts above.
The following IAM operations are used by the console when performing a
browser-based host registration. RegisterAppCode and
StartAppRegistrationHandshake are IAM policy permissions. They
are not API actions.
codeconnections:RegisterAppCode codeconnections:StartAppRegistrationHandshake
Based on this, the following permissions are needed to use, create, update, or delete a connection in the console that requires a host (such as installed provider types).
codeconnections:CreateConnection codeconnections:DeleteConnection codeconnections:GetConnection codeconnections:ListConnections codeconnections:UseConnection codeconnections:ListInstallationTargets codeconnections:GetInstallationUrl codeconnections:StartOAuthHandshake codeconnections:UpdateConnectionInstallation codeconnections:GetIndividualAccessToken codeconnections:RegisterAppCode codeconnections:StartAppRegistrationHandshake
Use the scroll bars to see the rest of the table.
| Connections actions | Required permissions | Resources |
|---|---|---|
|
|
Required to use the console to complete host setup. This is an IAM policy permission only, not an API action. |
arn:aws:codeconnections: |
|
|
Required to use the console to complete host setup. This is an IAM policy permission only, not an API action. |
arn:aws:codeconnections: |
These operations support the following condition keys.
Passing a connection to a service
When a connection is passed to a service (for example, when a connection ARN is
provided in a pipeline definition to create or update a pipeline) the user must have
the codeconnections:PassConnection permission.
Use the scroll bars to see the rest of the table.
| AWS CodeConnections actions | Required permissions | Resources |
|---|---|---|
|
|
Required to pass a connection to a service. |
arn:aws:codeconnections: |
This operation also supports the following condition key:
-
codeconnections:PassedToService
| Key | Valid action providers |
|---|---|
|
|
|
Using a connection
When a service like CodePipeline uses a connection, the service role must have the
codeconnections:UseConnection permission for a given
connection.
To manage connections in the console, the user policy must have the
codeconnections:UseConnection permission.
Use the scroll bars to see the rest of the table.
| AWS CodeConnections actions | Required permissions | Resources |
|---|---|---|
|
|
Required to use a connection. |
arn:aws:codeconnections: |
This operation also supports the following condition keys:
-
codeconnections:BranchName -
codeconnections:FullRepositoryId -
codeconnections:OwnerId -
codeconnections:ProviderAction -
codeconnections:ProviderPermissionsRequired -
codeconnections:RepositoryName
| Key | Valid action providers |
|---|---|
|
|
The user name and repository name of a repository, such as
|
|
|
read_only or read_write |
|
|
For information, see the next section. |
The required condition keys for some functionality might change over time. We
recommend that you use codeconnections:UseConnection to control access to
a connection unless your access control requirements require different
permissions.
Supported access types
for ProviderAction
When a connection is used by an AWS service, it results in API calls being made
to your source code provider. For example, a service might list repositories for a
Bitbucket connection by calling the
https://api.bitbucket.org/2.0/repositories/
API.username
The ProviderAction condition key allows you to restrict which APIs on
a provider can be called. Because the API path might be generated dynamically, and
the path varies from provider to provider, the ProviderAction value is
mapped to an abstract action name rather than the URL of the API. This allows you to
write policies that have the same effect regardless of the provider type for the
connection.
The following are the access types that are granted for each of the supported
ProviderAction values. The following are IAM policy permissions.
They are not API actions.
Use the scroll bars to see the rest of the table.
| AWS CodeConnections permission | Required permissions | Resources |
|---|---|---|
|
|
Required to access information about a branch, such as the latest commit for that branch. |
arn:aws:codeconnections: |
|
|
Required to access a list of public and private repositories, including details about those repositories, that belong to an owner. |
arn:aws:codeconnections: |
|
|
Required to access a list of owners that the connection has access to. |
arn:aws:codeconnections: |
|
|
Required to access the list of branches that exist on a given repository. |
arn:aws:codeconnections: |
|
|
Required to read source code and upload it to Amazon S3. |
arn:aws:codeconnections: |
|
|
Required to write to a repository using Git. |
arn:aws:codeconnections: |
|
|
Required to read from a repository using Git. |
arn:aws:codeconnections: |
GetUploadArchiveToS3Status |
Required to access the status of an upload, including any
error messages, started by
|
arn:aws:codeconnections: |
CreatePullRequestDiffComment |
Required to access comments on a pull request. |
arn:aws:codeconnections: |
GetPullRequest |
Required to view pull requests for a repository. |
arn:aws:codeconnections: |
|
|
Required to view a list of commits for a repository branch. |
arn:aws:codeconnections: |
|
|
Required to view a list of files for a commit. |
arn:aws:codeconnections: |
|
|
Required to view a list of comments for a pull request. |
arn:aws:codeconnections: |
|
|
Required to view a list of commits for a pull request. |
arn:aws:codeconnections: |
Supported permissions for tagging connection resources
The following IAM operations are used when tagging connection resources.
codeconnections:ListTagsForResource codeconnections:TagResource codeconnections:UntagResource
Use the scroll bars to see the rest of the table.
| AWS CodeConnections actions | Required permissions | Resources |
|---|---|---|
|
|
Required to view a list of tags associated with the connection resource. |
arn:aws:codeconnections: arn:aws:codeconnections: |
|
|
Required to tag a connection resource. |
arn:aws:codeconnections: arn:aws:codeconnections: |
|
|
Required to remove tags from a connection resource. |
arn:aws:codeconnections: arn:aws:codeconnections: |
Passing a connection to a repository link
When a repository-link is provided in a sync configuration, the user must have the
codeconnections:PassRepository permission for the repository-link
ARN/resource.
Use the scroll bars to see the rest of the table.
| AWS CodeConnections actions | Required permissions | Resources |
|---|---|---|
|
|
Required to pass a repository-link to a sync configuration. |
arn:aws:codeconnections: |
This operation also supports the following condition key:
-
codeconnections:PassedToService
| Key | Valid action providers |
|---|---|
|
|
|
Supported condition key for repository links
Operations for repository links and sync configuration resources are supported by the following condition key:
-
codeconnections:BranchFilters access by the branch name that is passed in the request.
| Key | Valid values |
|---|---|
|
|
The following actions are supported for this condition key:
|
Using notifications and connections in the console
The notifications experience is built into the CodeBuild, CodeCommit, CodeDeploy, and CodePipeline consoles, as well as in the Developer Tools console in the Settings navigation bar itself. To access notifications in the consoles, you must either have one of the managed policies for those services applied, or you must have a minimum set of permissions. These permissions must allow you to list and view details about the AWS CodeStar Notifications and AWS CodeConnections resources in your AWS account. If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for entities (IAM users or roles) with that policy. For more information about granting access to AWS CodeBuild, AWS CodeCommit, AWS CodeDeploy, and AWS CodePipeline, including access to those consoles, see the following topics:
-
CodeBuild: Using identity-based policies for CodeBuild
-
CodeCommit: Using identity-based policies for CodeCommit
-
AWS CodeDeploy: Identity and access management for AWS CodeDeploy
-
CodePipeline: Access control with IAM policies
AWS CodeStar Notifications does not have any AWS managed policies. To provide access to notification functionality, you must either apply one of the managed policies for one of the services listed previously, or you must create policies with the level of permission you want to grant to users or entities, and then attach those policies to the users, groups, or roles that require those permissions. For more information and examples, see the following:
AWS CodeConnections does not have any AWS managed policies. You use the permissions and combinations of permissions for access, such as the permissions detailed in Permissions for completing connections.
For more information, see the following:
You don't need to allow console permissions for users that are making calls only to the AWS CLI or the AWS API. Instead, allow access to only the actions that match the API operation that you're trying to perform.
Allow users to view their own permissions
This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the AWS CLI or AWS API.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "ViewOwnUserInfo", "Effect": "Allow", "Action": [ "iam:GetUserPolicy", "iam:ListGroupsForUser", "iam:ListAttachedUserPolicies", "iam:ListUserPolicies", "iam:GetUser" ], "Resource": ["arn:aws:iam::*:user/${aws:username}"] }, { "Sid": "NavigateInConsole", "Effect": "Allow", "Action": [ "iam:GetGroupPolicy", "iam:GetPolicyVersion", "iam:GetPolicy", "iam:ListAttachedGroupPolicies", "iam:ListGroupPolicies", "iam:ListPolicyVersions", "iam:ListPolicies", "iam:ListUsers" ], "Resource": "*" } ] }
