# Identity and access management for AWS CodeStar Notifications and AWS CodeConnections
AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be *authenticated* (signed in) and *authorized* (have permissions) to use AWS CodeStar Notifications and AWS CodeConnections resources. IAM is an AWS service that you can use with no additional charge.
**Note**
Actions for resources that are created under the new service prefix `codeconnections` are available. Creating a resource under the new service prefix will use `codeconnections` in the resource ARN. Actions and resources for the `codestar-connections` service prefix remain available. When specifying a resource in the IAM policy, the service prefix needs to match that of the resource.
**Topics**
+ [Audience](#security_iam_audience)
+ [Authenticating with identities](#security_iam_authentication)
+ [Managing access using policies](#security_iam_access-manage)
+ [How features in the developer tools console work with IAM](security_iam_service-with-iam.md)
+ [AWS CodeConnections permissions reference](#permissions-reference-connections)
+ [Identity-based policy examples](security_iam_id-based-policy-examples.md)
+ [Using tags to control access to AWS CodeConnections resources](connections-tag-based-access-control.md)
+ [Using notifications and connections in the console](#security_iam_id-based-policy-examples-console)
+ [Allow users to view their own permissions](#security_iam_id-based-policy-examples-view-own-permissions)
+ [Troubleshooting AWS CodeStar Notifications and AWS CodeConnections identity and access](security_iam_troubleshoot.md)
+ [Using service-linked roles for AWS CodeStar Notifications](using-service-linked-roles.md)
+ [Using service-linked roles for AWS CodeConnections](service-linked-role-connections.md)
+ [AWS managed policies for AWS CodeConnections](security-iam-awsmanpol.md)
## Audience
How you use AWS Identity and Access Management (IAM) differs based on your role:
+ **Service user** - request permissions from your administrator if you cannot access features (see [Troubleshooting AWS CodeStar Notifications and AWS CodeConnections identity and access](security_iam_troubleshoot.md))
+ **Service administrator** - determine user access and submit permission requests (see [How features in the developer tools console work with IAM](security_iam_service-with-iam.md))
+ **IAM administrator** - write policies to manage access (see [Identity-based policy examples](security_iam_id-based-policy-examples.md))
## Authenticating with identities
Authentication is how you sign in to AWS using your identity credentials. You must be authenticated as the AWS account root user, an IAM user, or by assuming an IAM role.
You can sign in as a federated identity using credentials from an identity source like AWS IAM Identity Center (IAM Identity Center), single sign-on authentication, or Google/Facebook credentials. For more information about signing in, see [How to sign in to your AWS account](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*.
For programmatic access, AWS provides an SDK and CLI to cryptographically sign requests. For more information, see [AWS Signature Version 4 for API requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html) in the *IAM User Guide*.
### AWS account root user
When you create an AWS account, you begin with one sign-in identity called the AWS account *root user* that has complete access to all AWS services and resources. We strongly recommend that you don't use the root user for everyday tasks. For tasks that require root user credentials, see [Tasks that require root user credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks) in the *IAM User Guide*.
### IAM users and groups
An *[IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html)* is an identity with specific permissions for a single person or application. We recommend using temporary credentials instead of IAM users with long-term credentials. For more information, see [Require human users to use federation with an identity provider to access AWS using temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) in the *IAM User Guide*.
An [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html) specifies a collection of IAM users and makes permissions easier to manage for large sets of users. For more information, see [Use cases for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/gs-identities-iam-users.html) in the *IAM User Guide*.
### IAM roles
An *[IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)* is an identity with specific permissions that provides temporary credentials. You can assume a role by [switching from a user to an IAM role (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html) or by calling an AWS CLI or AWS API operation. For more information, see [Methods to assume a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage-assume.html) in the *IAM User Guide*.
IAM roles are useful for federated user access, temporary IAM user permissions, cross-account access, cross-service access, and applications running on Amazon EC2. For more information, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.
## Managing access using policies
You control access in AWS by creating policies and attaching them to AWS identities or resources. A policy defines permissions when associated with an identity or resource. AWS evaluates these policies when a principal makes a request. Most policies are stored in AWS as JSON documents. For more information about JSON policy documents, see [Overview of JSON policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json) in the *IAM User Guide*.
Using policies, administrators specify who has access to what by defining which **principal** can perform **actions** on what **resources**, and under what **conditions**.
By default, users and roles have no permissions. An IAM administrator creates IAM policies and adds them to roles, which users can then assume. IAM policies define permissions regardless of the method used to perform the operation.
### Identity-based policies
Identity-based policies are JSON permissions policy documents that you attach to an identity (user, group, or role). These policies control what actions identities can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.
Identity-based policies can be *inline policies* (embedded directly into a single identity) or *managed policies* (standalone policies attached to multiple identities). To learn how to choose between managed and inline policies, see [Choose between managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-choosing-managed-or-inline.html) in the *IAM User Guide*.
# How features in the developer tools console work with IAM
Before you use IAM to manage access to features in the Developer Tools console, you should understand which IAM features are available to use with it. To get a high-level view of how notifications and other AWS services work with IAM, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*.
**Topics**
+ [Identity-based policies in the developer tools console](#security_iam_service-with-iam-id-based-policies)
+ [AWS CodeStar Notifications and AWS CodeConnections resource-based policies](#security_iam_service-with-iam-resource-based-policies)
+ [Authorization based on tags](#security_iam_service-with-iam-tags)
+ [IAM roles](#security_iam_service-with-iam-roles)
## Identity-based policies in the developer tools console
With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. AWS CodeStar Notifications and AWS CodeConnections support specific actions, resources, and condition keys. To learn about all of the elements that you use in a JSON policy, see [IAM JSON policy elements reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide*.
### Actions
Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.
The `Action` element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Include actions in a policy to grant permissions to perform the associated operation.
Policy actions for notifications in the Developer Tools console use the following prefixes before the action: `codestar-notifications and codeconnections`. For example, to grant someone permission to view all notification rules in their account, you include the `codestar-notifications:ListNotificationRules` action in their policy. Policy statements must include either an `Action` or `NotAction` element. AWS CodeStar Notifications and AWS CodeConnections defines its own set of actions that describe tasks that you can perform with this service.
To specify multiple AWS CodeStar Notifications actions in a single statement, separate them with commas as follows.
```
"Action": [
"codestar-notifications:action1",
"codestar-notifications:action2"
```
To specify multiple AWS CodeConnections actions in a single statement, separate them with commas as follows.
```
"Action": [
"codeconnections:action1",
"codeconnections:action2"
```
You can specify multiple actions using wildcards (\$1). For example, to specify all actions that begin with the word `List`, include the following action.
```
"Action": "codestar-notifications:List*"
```
AWS CodeStar Notifications API actions include:
+ `CreateNotificationRule`
+ `DeleteNotificationRule`
+ `DeleteTarget`
+ `DescribeNotificationRule`
+ `ListEventTypes`
+ `ListNotificationRules`
+ `ListTagsForResource`
+ `ListTargets`
+ `Subscribe`
+ `TagResource`
+ `Unsubscribe`
+ `UntagResource`
+ `UpdateNotificationRule`
AWS CodeConnections API actions include the following:
+ `CreateConnection`
+ `DeleteConnection`
+ `GetConnection`
+ `ListConnections`
+ `ListTagsForResource`
+ `TagResource`
+ `UntagResource`
The following permissions-only actions are required in AWS CodeConnections to complete the auth handshake:
+ `GetIndividualAccessToken`
+ `GetInstallationUrl`
+ `ListInstallationTargets`
+ `StartOAuthHandshake`
+ `UpdateConnectionInstallation`
The following permissions-only action is required in AWS CodeConnections to use a connection:
+ `UseConnection`
The following permissions-only action is required in AWS CodeConnections to pass a connection to a service:
+ `PassConnection`
To see a list of AWS CodeStar Notifications and AWS CodeConnections actions, see [Actions Defined by AWS CodeStar Notifications](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_codestarnotifications.html#codestarnotifications-actions-as-permissions) and [Actions Defined by AWS CodeConnections](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_codestarconnections.html#codestarconnections-actions-as-permissions) in the *IAM User Guide*.
### Resources
AWS CodeStar Notifications and AWS CodeConnections do not support specifying resource ARNs in a policy.
### Condition keys
AWS CodeStar Notifications and AWS CodeConnections define their own sets of condition keys and also support using some global condition keys. To see all AWS global condition keys, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.
All AWS CodeStar Notifications actions support the `codestar-notifications:NotificationsForResource` condition key. For more information, see [Identity-based policy examples](security_iam_id-based-policy-examples.md).
AWS CodeConnections define the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For more information, see [AWS CodeConnections permissions reference](security-iam.md#permissions-reference-connections).
| Condition keys | Description |
| --- | --- |
| `codeconnections:BranchName` | Filters access by the third-party repository branch name |
| `codeconnections:FullRepositoryId` | Filters access by the repository that is passed in the request. Applies only to UseConnection requests for access to a specific repository |
| codeconnections:InstallationId | Filters access by the third-party ID (such as the Bitbucket app installation ID) that is used to update a connection. Allows you to restrict which third-party app installations can be used to make a connection |
| codeconnections:OwnerId | Filters access by the owner or account ID of the third-party provider |
| `codeconnections:PassedToService` | Filters access by the service to which the principal is allowed to pass a connection |
| `codeconnections:ProviderAction` | Filters access by the provider action in a UseConnection request such as ListRepositories. |
| codeconnections:ProviderPermissionsRequired | Filters access by the type of third-party provider permissions |
| `codeconnections:ProviderType` | Filters access by the type of third-party provider passed in the request |
| codeconnections:ProviderTypeFilter | Filters access by the type of third-party provider used to filter results |
| codeconnections:RepositoryName | Filters access by the third-party repository name |
### Examples
To view examples of AWS CodeStar Notifications and AWS CodeConnections identity-based policies, see [Identity-based policy examples](security_iam_id-based-policy-examples.md).
## AWS CodeStar Notifications and AWS CodeConnections resource-based policies
AWS CodeStar Notifications and AWS CodeConnections do not support resource-based policies.
## Authorization based on tags
You can attach tags to AWS CodeStar Notifications and AWS CodeConnections resources or pass tags in a request. To control access based on tags, you provide tag information in the [condition element](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) of a policy using the `codestar-notifications and codeconnections:ResourceTag/key-name`, `aws:RequestTag/key-name`, or `aws:TagKeys` condition keys. For more information about tagging strategies, see [Tagging AWS resources](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html). For more information about tagging AWS CodeStar Notifications and AWS CodeConnections resources, see [Tag connections resources](connections-tag.md).
To view example identity-based policies for limiting access to a resource based on the tags on that resource, see [Using tags to control access to AWS CodeConnections resources](connections-tag-based-access-control.md).
## IAM roles
An [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) is an entity within your AWS account that has specific permissions.
### Using temporary credentials
You can use temporary credentials to sign in with federation, and assume an IAM role or a cross-account role. You obtain temporary security credentials by calling AWS STS API operations such as [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) or [GetFederationToken](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html).
AWS CodeStar Notifications and AWS CodeConnections supports the use of temporary credentials.
### Service-linked roles
[Service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role) allow AWS services to access resources in other services to complete an action on your behalf. Service-linked roles appear in your IAM account and are owned by the service. An IAM administrator can view but not edit the permissions for service-linked roles.
AWS CodeStar Notifications supports service-linked roles. For details about creating or managing AWS CodeStar Notifications and AWS CodeConnections service-linked roles, see [Using service-linked roles for AWS CodeStar Notifications](using-service-linked-roles.md).
CodeConnections does not support service-linked roles.
## AWS CodeConnections permissions reference
The following tables list each AWS CodeConnections API operation, the corresponding actions for which you can grant permissions, and the format of the resource ARN to use for granting permissions. The AWS CodeConnections APIs are grouped into tables based on the scope of the actions allowed by that API. Refer to it when writing permissions policies that you can attach to an IAM identity (identity-based policies).
When you create a permissions policy, you specify the actions in the policy's `Action` field. You specify the resource value in the policy's `Resource` field as an ARN, with or without a wildcard character (\$1).
To express conditions in your connections policies, use the condition keys described here and listed in [Condition keys](security_iam_service-with-iam.md#security_iam_service-with-iam-id-based-policies-conditionkeys). You can also use AWS-wide condition keys. For a complete list of AWS-wide keys, see [Available keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#AvailableKeys) in the *IAM User Guide*.
To specify an action, use the `codeconnections` prefix followed by the API operation name (for example, `codeconnections:ListConnections` or `codeconnections:CreateConnection`.
**Using wildcards **
To specify multiple actions or resources, use a wildcard character (\$1) in your ARN. For example, `codeconnections:*` specifies all AWS CodeConnections actions and `codeconnections:Get*` specifies all AWS CodeConnections actions that begin with the word `Get`. The following example grants access to all resources with names that begin with `MyConnection`.
```
arn:aws:codeconnections:us-west-2:account-ID:connection/*
```
You can use wildcards only with the *connection* resources listed in the following table. You can't use wildcards with *region* or *account-id* resources. For more information about wildcards, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) in *IAM User Guide*.
**Topics**
+ [Permissions for managing connections](#permissions-reference-connections-managing)
+ [Permissions for managing hosts](#permissions-reference-connections-hosts)
+ [Permissions for completing connections](#permissions-reference-connections-handshake)
+ [Permissions for setting up hosts](#connections-permissions-actions-host-registration)
+ [Passing a connection to a service](#permissions-reference-connections-passconnection)
+ [Using a connection](#permissions-reference-connections-use)
+ [Supported access types for `ProviderAction`](#permissions-reference-connections-access)
+ [Supported permissions for tagging connection resources](#permissions-reference-connections-tagging)
+ [Passing a connection to a repository link](#permissions-reference-connections-passrepository)
+ [Supported condition key for repository links](#permissions-reference-connections-branch)
+ [Supported permissions for connection sharing](#permissions-reference-connections-sharing)
### Permissions for managing connections
A role or user designated to use the AWS CLI or SDK to view, create, or delete connections should have permissions limited to the following.
**Note**
You cannot complete or use a connection in the console with only the following permissions. You need to add the permissions in [Permissions for completing connections](#permissions-reference-connections-handshake).
```
codeconnections:CreateConnection
codeconnections:DeleteConnection
codeconnections:GetConnection
codeconnections:ListConnections
```
Use the scroll bars to see the rest of the table.
**AWS CodeConnections required permissions for managing connections**
| AWS CodeConnections actions | Required permissions | Resources |
| --- | --- | --- |
| CreateConnection | `codeconnections:CreateConnection` Required to use the CLI or console to create a connection. | arn:aws:codeconnections:*region*:*account-id*:connection/*connection-id* |
| DeleteConnection | `codeconnections:DeleteConnection` Required to use the CLI or console to delete a connection. | arn:aws:codeconnections:*region*:*account-id*:connection/*connection-id* |
| GetConnection | `codeconnections:GetConnection` Required to use the CLI or console to view details about a connection. | arn:aws:codeconnections:*region*:*account-id*:connection/*connection-id* |
| ListConnections | `codeconnections:ListConnections` Required to use the CLI or console to list all connections in the account. | arn:aws:codeconnections:*region*:*account-id*:connection/*connection-id* |
These operations support the following condition keys:
| Action | Condition keys |
| --- | --- |
| `codeconnections:CreateConnection` | `codeconnections:ProviderType` |
| codeconnections:DeleteConnection | N/A |
| codeconnections:GetConnection | N/A |
| codeconnections:ListConnections | codeconnections:ProviderTypeFilter |
### Permissions for managing hosts
A role or user designated to use the AWS CLI or SDK to view, create, or delete hosts should have permissions limited to the following.
**Note**
You cannot complete or use a connection in the host with only the following permissions. You need to add the permissions in [Permissions for setting up hosts](#connections-permissions-actions-host-registration).
```
codeconnections:CreateHost
codeconnections:DeleteHost
codeconnections:GetHost
codeconnections:ListHosts
```
Use the scroll bars to see the rest of the table.
**AWS CodeConnections required permissions for managing hosts**
| AWS CodeConnections actions | Required permissions | Resources |
| --- | --- | --- |
| CreateHost | `codeconnections:CreateHost` Required to use the CLI or console to create a host. | arn:aws:codeconnections:*region*:*account-id*:host/*host-id* |
| DeleteHost | `codeconnections:DeleteHost` Required to use the CLI or console to delete a host. | codeconnections:*region*:*account-id*:host/*host-id* |
| GetHost | `codeconnections:GetHost` Required to use the CLI or console to view details about a host. | arn:aws:codeconnections:*region*:*account-id*:host/*host-id* |
| ListHosts | `codeconnections:ListHosts` Required to use the CLI or console to list all hosts in the account. | arn:aws:codeconnections:*region*:*account-id*:host/*host-id* |
These operations support the following condition keys:
| Action | Condition keys |
| --- | --- |
| `codeconnections:CreateHost` | `codeconnections:ProviderType` `codeconnections:VpcId` |
| codeconnections:DeleteHost | N/A |
| codeconnections:GetHost | N/A |
| codeconnections:ListHosts | codeconnections:ProviderTypeFilter |
For an example policy that uses the **VpcId** condition key, see [Example: Limit host VPC permissions using the **VpcId** context key](security_iam_id-based-policy-examples-connections.md#security_iam_id-based-policy-examples-connections-vpc).
### Permissions for completing connections
A role or user designated to manage connections in the console should have the permissions required to complete a connection in the console and create an installation, which includes authorizing the handshake to the provider and creating installations for connections to use. Use the following permissions in addition to the permissions above.
The following IAM operations are used by the console when performing a browser-based handshake. The `ListInstallationTargets`, `GetInstallationUrl`, `StartOAuthHandshake`, `UpdateConnectionInstallation`, and `GetIndividualAccessToken` are IAM policy permissions. They are not API actions.
```
codeconnections:GetIndividualAccessToken
codeconnections:GetInstallationUrl
codeconnections:ListInstallationTargets
codeconnections:StartOAuthHandshake
codeconnections:UpdateConnectionInstallation
```
Based on this, the following permissions are needed to use, create, update, or delete a connection in the console.
```
codeconnections:CreateConnection
codeconnections:DeleteConnection
codeconnections:GetConnection
codeconnections:ListConnections
codeconnections:UseConnection
codeconnections:ListInstallationTargets
codeconnections:GetInstallationUrl
codeconnections:StartOAuthHandshake
codeconnections:UpdateConnectionInstallation
codeconnections:GetIndividualAccessToken
```
Use the scroll bars to see the rest of the table.
**AWS CodeConnections required permissions for completing connections**
| AWS CodeConnections actions | Required permissions | Resources |
| --- | --- | --- |
| `GetIndividualAccessToken` | `codeconnections:GetIndividualAccessToken` Required to use the console to complete a connection. This is an IAM policy permission only, not an API action. | arn:aws:codeconnections:*region*:*account-id*:connection/*connection-id* |
| `GetInstallationUrl` | `codeconnections:GetInstallationUrl` Required to use the console to complete a connection. This is an IAM policy permission only, not an API action. | arn:aws:codeconnections:*region*:*account-id*:connection/*connection-id* |
| `ListInstallationTargets` | `codeconnections:ListInstallationTargets` Required to use the console to complete a connection. This is an IAM policy permission only, not an API action. | arn:aws:codeconnections:*region*:*account-id*:connection/*connection-id* |
| `StartOAuthHandshake` | `codeconnections:StartOAuthHandshake` Required to use the console to complete a connection. This is an IAM policy permission only, not an API action. | arn:aws:codeconnections:*region*:*account-id*:connection/*connection-id* |
| `UpdateConnectionInstallation` | `codeconnections:UpdateConnectionInstallation` Required to use the console to complete a connection. This is an IAM policy permission only, not an API action. | arn:aws:codeconnections:*region*:*account-id*:connection/*connection-id* |
These operations support the following condition keys.
| Action | Condition keys |
| --- | --- |
| codeconnections:GetIndividualAccessToken | codeconnections:ProviderType |
| codeconnections:GetInstallationUrl | codeconnections:ProviderType |
| `codeconnections:ListInstallationTargets` | N/A |
| codeconnections:StartOAuthHandshake | codeconnections:ProviderType |
| codeconnections:UpdateConnectionInstallation | codeconnections:InstallationId |
### Permissions for setting up hosts
A role or user designated to manage connections in the console should have the permissions required to set up a host in the console, which includes authorizing the handshake to the provider and installing the host app. Use the following permissions in addition to the permissions for hosts above.
The following IAM operations are used by the console when performing a browser-based host registration. `RegisterAppCode` and `StartAppRegistrationHandshake` are IAM policy permissions. They are not API actions.
```
codeconnections:RegisterAppCode
codeconnections:StartAppRegistrationHandshake
```
Based on this, the following permissions are needed to use, create, update, or delete a connection in the console that requires a host (such as installed provider types).
```
codeconnections:CreateConnection
codeconnections:DeleteConnection
codeconnections:GetConnection
codeconnections:ListConnections
codeconnections:UseConnection
codeconnections:ListInstallationTargets
codeconnections:GetInstallationUrl
codeconnections:StartOAuthHandshake
codeconnections:UpdateConnectionInstallation
codeconnections:GetIndividualAccessToken
codeconnections:RegisterAppCode
codeconnections:StartAppRegistrationHandshake
```
Use the scroll bars to see the rest of the table.
**AWS CodeConnections required permissions for completing host setup**
| Connections actions | Required permissions | Resources |
| --- | --- | --- |
| `RegisterAppCode` | `codeconnections:RegisterAppCode` Required to use the console to complete host setup. This is an IAM policy permission only, not an API action. | arn:aws:codeconnections:*region*:*account-id*:host/*host-id* |
| `StartAppRegistrationHandshake` | `codeconnections:StartAppRegistrationHandshake` Required to use the console to complete host setup. This is an IAM policy permission only, not an API action. | arn:aws:codeconnections:*region*:*account-id*:host/*host-id* |
These operations support the following condition keys.
### Passing a connection to a service
When a connection is passed to a service (for example, when a connection ARN is provided in a pipeline definition to create or update a pipeline) the user must have the `codeconnections:PassConnection` permission.
Use the scroll bars to see the rest of the table.
**AWS CodeConnections required permissions for passing a connection**
| AWS CodeConnections actions | Required permissions | Resources |
| --- | --- | --- |
| `PassConnection` | `codeconnections:PassConnection` Required to pass a connection to a service. | arn:aws:codeconnections:*region*:*account-id*:connection/*connection-id* |
This operation also supports the following condition key:
+ `codeconnections:PassedToService`
**Supported values for condition keys**
| Key | Valid action providers |
| --- | --- |
| `codeconnections:PassedToService` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html) |
### Using a connection
When a service like CodePipeline uses a connection, the service role must have the `codeconnections:UseConnection` permission for a given connection.
To manage connections in the console, the user policy must have the `codeconnections:UseConnection` permission.
Use the scroll bars to see the rest of the table.
**AWS CodeConnections required action for using connections**
| AWS CodeConnections actions | Required permissions | Resources |
| --- | --- | --- |
| `UseConnection` | `codeconnections:UseConnection` Required to use a connection. | arn:aws:codeconnections:*region*:*account-id*:connection/*connection-id* |
This operation also supports the following condition keys:
+ `codeconnections:BranchName`
+ `codeconnections:FullRepositoryId`
+ `codeconnections:OwnerId`
+ `codeconnections:ProviderAction`
+ `codeconnections:ProviderPermissionsRequired`
+ `codeconnections:RepositoryName`
**Supported values for condition keys**
| Key | Valid action providers |
| --- | --- |
| `codeconnections:FullRepositoryId` | The user name and repository name of a repository, such as `my-owner/my-repository`. Supported only when the connection is being used to access a specific repository. |
| `codeconnections:ProviderPermissionsRequired` | read\$1only or read\$1write |
| `codeconnections:ProviderAction` | `GetBranch`, `ListRepositories`, `ListOwners`, `ListBranches`, `StartUploadArchiveToS3`, `GitPush`, `GitPull`, `GetUploadArchiveToS3Status`, `CreatePullRequestDiffComment`, `GetPullRequest`, `ListBranchCommits`, `ListCommitFiles`, `ListPullRequestComments`, `ListPullRequestCommits`. For information, see the next section. |
The required condition keys for some functionality might change over time. We recommend that you use `codeconnections:UseConnection` to control access to a connection unless your access control requirements require different permissions.
### Supported access types for `ProviderAction`
When a connection is used by an AWS service, it results in API calls being made to your source code provider. For example, a service might list repositories for a Bitbucket connection by calling the `https://api.bitbucket.org/2.0/repositories/username` API.
The `ProviderAction` condition key allows you to restrict which APIs on a provider can be called. Because the API path might be generated dynamically, and the path varies from provider to provider, the `ProviderAction` value is mapped to an abstract action name rather than the URL of the API. This allows you to write policies that have the same effect regardless of the provider type for the connection.
The following are the access types that are granted for each of the supported `ProviderAction` values. The following are IAM policy permissions. They are not API actions.
Use the scroll bars to see the rest of the table.
**AWS CodeConnections supported access types for `ProviderAction`**
| AWS CodeConnections permission | Required permissions | Resources |
| --- | --- | --- |
| `GetBranch` | ` codeconnections:GetBranch` Required to access information about a branch, such as the latest commit for that branch. | arn:aws:codeconnections:*region*:*account-id*:connection/*connection-id* |
| `ListRepositories` | ` codeconnections:ListRepositories` Required to access a list of public and private repositories, including details about those repositories, that belong to an owner. | arn:aws:codeconnections:*region*:*account-id*:connection/*connection-id* |
| `ListOwners` | `codeconnections:ListOwners` Required to access a list of owners that the connection has access to. | arn:aws:codeconnections:*region*:*account-id*:connection/*connection-id* |
| `ListBranches` | ` codeconnections:ListBranches` Required to access the list of branches that exist on a given repository. | arn:aws:codeconnections:*region*:*account-id*:connection/*connection-id* |
| `StartUploadArchiveToS3` | ` codeconnections:StartUploadArchiveToS3` Required to read source code and upload it to Amazon S3. | arn:aws:codeconnections:*region*:*account-id*:connection/*connection-id* |
| `GitPush` | ` codeconnections:GitPush` Required to write to a repository using Git. | arn:aws:codeconnections:*region*:*account-id*:connection/*connection-id* |
| `GitPull` | ` codeconnections:GitPull` Required to read from a repository using Git. | arn:aws:codeconnections:*region*:*account-id*:connection/*connection-id* |
| GetUploadArchiveToS3Status | ` codeconnections:GetUploadArchiveToS3Status` Required to access the status of an upload, including any error messages, started by `StartUploadArchiveToS3`. | arn:aws:codeconnections:*region*:*account-id*:connection/*connection-id* |
| CreatePullRequestDiffComment | ` codeconnections:CreatePullRequestDiffComment` Required to access comments on a pull request. | arn:aws:codeconnections:*region*:*account-id*:connection/*connection-id* |
| GetPullRequest | ` codeconnections:GetPullRequest` Required to view pull requests for a repository. | arn:aws:codeconnections:*region*:*account-id*:connection/*connection-id* |
| `ListBranchCommits` | ` codeconnections:ListBranchCommits` Required to view a list of commits for a repository branch. | arn:aws:codeconnections:*region*:*account-id*:connection/*connection-id* |
| `ListCommitFiles` | ` codeconnections:ListCommitFiles` Required to view a list of files for a commit. | arn:aws:codeconnections:*region*:*account-id*:connection/*connection-id* |
| `ListPullRequestComments` | ` codeconnections:ListPullRequestComments` Required to view a list of comments for a pull request. | arn:aws:codeconnections:*region*:*account-id*:connection/*connection-id* |
| `ListPullRequestCommits` | ` codeconnections:ListPullRequestCommits` Required to view a list of commits for a pull request. | arn:aws:codeconnections:*region*:*account-id*:connection/*connection-id* |
### Supported permissions for tagging connection resources
The following IAM operations are used when tagging connection resources.
```
codeconnections:ListTagsForResource
codeconnections:TagResource
codeconnections:UntagResource
```
Use the scroll bars to see the rest of the table.
**AWS CodeConnections required actions for tagging connection resources**
| AWS CodeConnections actions | Required permissions | Resources |
| --- | --- | --- |
| `ListTagsForResource` | `codeconnections:ListTagsForResource` Required to view a list of tags associated with the connection resource. | arn:aws:codeconnections:*region*:*account-id*:connection/*connection-id*,arn:aws:codeconnections:*region*:*account-id*:host/*host-id* |
| `TagResource` | `codeconnections:TagResource` Required to tag a connection resource. | arn:aws:codeconnections:*region*:*account-id*:connection/*connection-id*,arn:aws:codeconnections:*region*:*account-id*:host/*host-id* |
| `UntagResource` | `codeconnections:UntagResource` Required to remove tags from a connection resource. | arn:aws:codeconnections:*region*:*account-id*:connection/*connection-id*,arn:aws:codeconnections:*region*:*account-id*:host/*host-id* |
### Passing a connection to a repository link
When a repository-link is provided in a sync configuration, the user must have the `codeconnections:PassRepository` permission for the repository-link ARN/resource.
Use the scroll bars to see the rest of the table.
**AWS CodeConnections required permissions for passing a connection**
| AWS CodeConnections actions | Required permissions | Resources |
| --- | --- | --- |
| `PassRepository` | `codeconnections:PassRepository` Required to pass a repository-link to a sync configuration. | arn:aws:codeconnections:*region*:*account-id*:repository-link/*repository-link-id* |
This operation also supports the following condition key:
+ `codeconnections:PassedToService`
**Supported values for condition keys**
| Key | Valid action providers |
| --- | --- |
| `codeconnections:PassedToService` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html) |
### Supported condition key for repository links
Operations for repository links and sync configuration resources are supported by the following condition key:
+ `codeconnections:Branch`
Filters access by the branch name that is passed in the request.
**Supported actions for condition key**
| Key | Valid values |
| --- | --- |
| `codeconnections:Branch` | The following actions are supported for this condition key:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html) |
### Supported permissions for connection sharing
The following IAM operations are used when sharing connections.
```
codeconnections:GetResourcePolicy
```
Use the scroll bars to see the rest of the table.
**AWS CodeConnections required actions for sharing connections**
| AWS CodeConnections actions | Required permissions | Resources |
| --- | --- | --- |
| `GetResourcePolicy` | `codeconnections:GetResourcePolicy` Required to access information about the resource policy. | arn:aws:codeconnections:*region*:*account-id*:connection/*connection-id* |
For more information on connection sharing, see [Share connections with AWS accounts](connections-share.md).
# Identity-based policy examples
By default, IAM users and roles who have one of the managed policies for AWS CodeCommit, AWS CodeBuild, AWS CodeDeploy, or AWS CodePipeline applied have permissions to connections, notifications, and notification rules that align with the intent of those policies. For example, IAM users or roles that have one of the full access policies (**AWSCodeCommitFullAccess**, **AWSCodeBuildAdminAccess**, **AWSCodeDeployFullAccess**, or **AWSCodePipeline\$1FullAccess**) applied to them also have full access to notifications and notification rules created for the resources for those services.
Other IAM users and roles don't have permission to create or modify AWS CodeStar Notifications and AWS CodeConnections resources. They also can't perform tasks using the AWS Management Console, AWS CLI, or AWS API. An IAM administrator must create IAM policies that grant users and roles permission to perform API operations on the specified resources they need. The administrator must then attach those policies to the IAM users or groups that require those permissions.
# Permissions and examples for AWS CodeStar Notifications
The following policy statements and examples can help you manage AWS CodeStar Notifications.
## Permissions related to notifications in full access managed policies
The **AWSCodeCommitFullAccess**, **AWSCodeBuildAdminAccess**, **AWSCodeDeployFullAccess**, and **AWSCodePipeline\$1FullAccess** managed policies include the following statements to allow full access to notifications in the Developer Tools console. Users with one of these managed policies applied can also create and manage Amazon SNS topics for notifications, subscribe and unsubscribe users to topics, and list topics to choose as targets for notification rules.
**Note**
In the managed policy, the condition key `codestar-notifications:NotificationsForResource` will have a value specific to the resource type for the service. For example, in the full access policy for CodeCommit, the value is `arn:aws:codecommit:*`.
```
{
"Sid": "CodeStarNotificationsReadWriteAccess",
"Effect": "Allow",
"Action": [
"codestar-notifications:CreateNotificationRule",
"codestar-notifications:DescribeNotificationRule",
"codestar-notifications:UpdateNotificationRule",
"codestar-notifications:DeleteNotificationRule",
"codestar-notifications:Subscribe",
"codestar-notifications:Unsubscribe"
],
"Resource": "*",
"Condition" : {
"StringLike" : {"codestar-notifications:NotificationsForResource" : "arn:aws::*"}
}
},
{
"Sid": "CodeStarNotificationsListAccess",
"Effect": "Allow",
"Action": [
"codestar-notifications:ListNotificationRules",
"codestar-notifications:ListTargets",
"codestar-notifications:ListTagsforResource",
"codestar-notifications:ListEventTypes"
],
"Resource": "*"
},
{
"Sid": "CodeStarNotificationsSNSTopicCreateAccess",
"Effect": "Allow",
"Action": [
"sns:CreateTopic",
"sns:SetTopicAttributes"
],
"Resource": "arn:aws:sns:*:*:codestar-notifications*"
},
{
"Sid": "SNSTopicListAccess",
"Effect": "Allow",
"Action": [
"sns:ListTopics"
],
"Resource": "*"
},
{
"Sid": "CodeStarNotificationsChatbotAccess",
"Effect": "Allow",
"Action": [
"chatbot:DescribeSlackChannelConfigurations",
"chatbot:ListMicrosoftTeamsChannelConfigurations"
],
"Resource": "*"
}
```
## Permissions related to notifications in read-only managed policies
The **AWSCodeCommitReadOnlyAccess**, **AWSCodeBuildReadOnlyAccess**, **AWSCodeDeployReadOnlyAccess**, and **AWSCodePipeline\$1ReadOnlyAccess** managed policies include the following statements to allow read-only access to notifications. For example, they can view notifications for resources in the Developer Tools console, but cannot create, manage, or subscribe to them.
**Note**
In the managed policy, the condition key `codestar-notifications:NotificationsForResource` will have a value specific to the resource type for the service. For example, in the full access policy for CodeCommit, the value is `arn:aws:codecommit:*`.
```
{
"Sid": "CodeStarNotificationsPowerUserAccess",
"Effect": "Allow",
"Action": [
"codestar-notifications:DescribeNotificationRule"
],
"Resource": "*",
"Condition" : {
"StringLike" : {"codestar-notifications:NotificationsForResource" : "arn:aws::*"}
}
},
{
"Sid": "CodeStarNotificationsListAccess",
"Effect": "Allow",
"Action": [
"codestar-notifications:ListNotificationRules",
"codestar-notifications:ListEventTypes",
"codestar-notifications:ListTargets"
],
"Resource": "*"
}
```
## Permissions related to notifications in other managed policies
The **AWSCodeCommitPowerUser**, **AWSCodeBuildDeveloperAccess**, and **AWSCodeBuildDeveloperAccess** managed policies include the following statements to allow developers with one of these managed policies applied to create, edit, and subscribe to notifications. They cannot delete notification rules or manage tags for resources.
**Note**
In the managed policy, the condition key `codestar-notifications:NotificationsForResource` will have a value specific to the resource type for the service. For example, in the full access policy for CodeCommit, the value is `arn:aws:codecommit:*`.
```
{
"Sid": "CodeStarNotificationsReadWriteAccess",
"Effect": "Allow",
"Action": [
"codestar-notifications:CreateNotificationRule",
"codestar-notifications:DescribeNotificationRule",
"codestar-notifications:UpdateNotificationRule",
"codestar-notifications:Subscribe",
"codestar-notifications:Unsubscribe"
],
"Resource": "*",
"Condition" : {
"StringLike" : {"codestar-notifications:NotificationsForResource" : "arn:aws::*"}
}
},
{
"Sid": "CodeStarNotificationsListAccess",
"Effect": "Allow",
"Action": [
"codestar-notifications:ListNotificationRules",
"codestar-notifications:ListTargets",
"codestar-notifications:ListTagsforResource",
"codestar-notifications:ListEventTypes"
],
"Resource": "*"
},
{
"Sid": "SNSTopicListAccess",
"Effect": "Allow",
"Action": [
"sns:ListTopics"
],
"Resource": "*"
},
{
"Sid": "CodeStarNotificationsChatbotAccess",
"Effect": "Allow",
"Action": [
"chatbot:DescribeSlackChannelConfigurations",
"chatbot:ListMicrosoftTeamsChannelConfigurations"
],
"Resource": "*"
}
```
## Example: An administrator-level policy for managing AWS CodeStar Notifications
In this example, you want to grant an IAM user in your AWS account full access to AWS CodeStar Notifications so that the user can review details of notification rules and list notification rules, targets, and event types. You also want to allow the user to add, update, and delete notification rules. This is a full access policy, equivalent to the notification permissions included as part of the **AWSCodeBuildAdminAccess**, **AWSCodeCommitFullAccess**, **AWSCodeDeployFullAccess**, and **AWSCodePipeline\$1FullAccess** managed policies. Like those managed policies, you should only attach this kind of policy statement to IAM users, groups, or roles that require full administrative access to notifications and notification rules across your AWS account.
**Note**
This policy contains allows `CreateNotificationRule`. Any user with this policy applied to their IAM user or role will be able to create notification rules for any and all resource types supported by AWS CodeStar Notifications in the AWS account, even if that user does not have access to those resources themselves. For example, a user with this policy could create a notification rule for a CodeCommit repository without having permissions to access CodeCommit itself.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AWSCodeStarNotificationsFullAccess",
"Effect": "Allow",
"Action": [
"codestar-notifications:CreateNotificationRule",
"codestar-notifications:DeleteNotificationRule",
"codestar-notifications:DescribeNotificationRule",
"codestar-notifications:ListNotificationRules",
"codestar-notifications:UpdateNotificationRule",
"codestar-notifications:Subscribe",
"codestar-notifications:Unsubscribe",
"codestar-notifications:DeleteTarget",
"codestar-notifications:ListTargets",
"codestar-notifications:ListTagsforResource",
"codestar-notifications:TagResource",
"codestar-notifications:UntagResource"
],
"Resource": "*"
}
]
}
```
------
## Example: A contributor-level policy for using AWS CodeStar Notifications
In this example, you want to grant access to the day-to-day usage of AWS CodeStar Notifications, such as creating and subscribing to notifications, but not to more destructive actions, such as deleting notification rules or targets. This is the equivalent to the access provided in the **AWSCodeBuildDeveloperAccess**, **AWSCodeDeployDeveloperAccess**, and **AWSCodeCommitPowerUser** managed policies.
**Note**
This policy contains allows `CreateNotificationRule`. Any user with this policy applied to their IAM user or role will be able to create notification rules for any and all resource types supported by AWS CodeStar Notifications in the AWS account, even if that user does not have access to those resources themselves. For example, a user with this policy could create a notification rule for a CodeCommit repository without having permissions to access CodeCommit itself.
```
{
"Version": "2012-10-17",
"Sid": "AWSCodeStarNotificationsPowerUserAccess",
"Effect": "Allow",
"Action": [
"codestar-notifications:CreateNotificationRule",
"codestar-notifications:DescribeNotificationRule",
"codestar-notifications:ListNotificationRules",
"codestar-notifications:UpdateNotificationRule",
"codestar-notifications:Subscribe",
"codestar-notifications:Unsubscribe",
"codestar-notifications:ListTargets",
"codestar-notifications:ListTagsforResource"
],
"Resource": "*"
}
]
}
```
## Example: A read-only-level policy for using AWS CodeStar Notifications
In this example, you want to grant an IAM user in your account read-only access to the notification rules, targets, and event types in your AWS account. This example shows how you might create a policy that allows viewing these items. This is the equivalent to the permissions included as part of the **AWSCodeBuildReadOnlyAccess**, **AWSCodeCommitReadOnly**, and **AWSCodePipeline\$1ReadOnlyAccess** managed policies.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Id": "CodeNotificationforReadOnly",
"Statement": [
{
"Sid": "ReadsAccess",
"Effect": "Allow",
"Action": [
"codestar-notifications:DescribeNotificationRule",
"codestar-notifications:ListNotificationRules",
"codestar-notifications:ListTargets",
"codestar-notifications:ListEventTypes"
],
"Resource": "*"
}
]
}
```
------
# Permissions and examples for AWS CodeConnections
The following policy statements and examples can help you manage AWS CodeConnections.
For information about how to create an IAM identity-based policy using these example JSON policy documents, see [Creating policies on the JSON tab](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-json-editor) in the *IAM User Guide*.
## Example: A policy for creating AWS CodeConnections with the CLI and viewing with the console
A role or user designated to use the AWS CLI or SDK to view, create, tag, or delete connections should have permissions limited to the following.
**Note**
You cannot complete a connection in the console with only the following permissions. You need to add the permissions in the next section.
To use the console to view a list of available connections, view tags, and use a connection, use the following policy.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ConnectionsFullAccess",
"Effect": "Allow",
"Action": [
"codeconnections:CreateConnection",
"codeconnections:DeleteConnection",
"codeconnections:UseConnection",
"codeconnections:GetConnection",
"codeconnections:ListConnections",
"codeconnections:TagResource",
"codeconnections:ListTagsForResource",
"codeconnections:UntagResource"
],
"Resource": "*"
}
]
}
```
------
## Example: A policy for creating AWS CodeConnections with the console
A role or user designated to manage connections in the console should have the permissions required to complete a connection in the console and create an installation, which includes authorizing the handshake to the provider and creating installations for connections to use. `UseConnection` should also be added to use the connection in the console. Use the following policy to view, use, create, tag, or delete a connection in the console.
**Note**
Beginning July 1, 2024, the console creates connections with `codeconnections` in the resource ARN. Resources with both service prefixes will continue to display in the console.
**Note**
For resources created using the console, policy statement actions must include `codestar-connections` as the service prefix as shown in the following example.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codestar-connections:CreateConnection",
"codestar-connections:DeleteConnection",
"codestar-connections:GetConnection",
"codestar-connections:ListConnections",
"codestar-connections:GetInstallationUrl",
"codestar-connections:GetIndividualAccessToken",
"codestar-connections:ListInstallationTargets",
"codestar-connections:StartOAuthHandshake",
"codestar-connections:UpdateConnectionInstallation",
"codestar-connections:UseConnection",
"codestar-connections:TagResource",
"codestar-connections:ListTagsForResource",
"codestar-connections:UntagResource"
],
"Resource": [
"*"
]
}
]
}
```
------
## Example: An administrator-level policy for managing AWS CodeConnections
In this example, you want to grant an IAM user in your AWS account full access to CodeConnections so that the user can add, update, and delete connections. This is a full access policy, equivalent to the **AWSCodePipeline\$1FullAccess** managed policy. Like that managed policy, you should only attach this kind of policy statement to IAM users, groups, or roles that require full administrative access to connections across your AWS account.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ConnectionsFullAccess",
"Effect": "Allow",
"Action": [
"codeconnections:CreateConnection",
"codeconnections:DeleteConnection",
"codeconnections:UseConnection",
"codeconnections:GetConnection",
"codeconnections:ListConnections",
"codeconnections:ListInstallationTargets",
"codeconnections:GetInstallationUrl",
"codeconnections:StartOAuthHandshake",
"codeconnections:UpdateConnectionInstallation",
"codeconnections:GetIndividualAccessToken",
"codeconnections:TagResource",
"codeconnections:ListTagsForResource",
"codeconnections:UntagResource"
],
"Resource": "*"
}
]
}
```
------
## Example: A contributor-level policy for using AWS CodeConnections
In this example, you want to grant access to the day-to-day usage of CodeConnections, such as creating and viewing details of connections, but not to more destructive actions, such as deleting connections.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AWSCodeConnectionsPowerUserAccess",
"Effect": "Allow",
"Action": [
"codeconnections:CreateConnection",
"codeconnections:UseConnection",
"codeconnections:GetConnection",
"codeconnections:ListConnections",
"codeconnections:ListInstallationTargets",
"codeconnections:GetInstallationUrl",
"codeconnections:GetIndividualAccessToken",
"codeconnections:StartOAuthHandshake",
"codeconnections:UpdateConnectionInstallation",
"codeconnections:ListTagsForResource"
],
"Resource": "*"
}
]
}
```
------
## Example: A read-only-level policy for using AWS CodeConnections
In this example, you want to grant an IAM user in your account read-only access to the connections in your AWS account. This example shows how you might create a policy that allows viewing these items.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Id": "ConnectionsforReadOnly",
"Statement": [
{
"Sid": "ReadsAPIAccess",
"Effect": "Allow",
"Action": [
"codeconnections:GetConnection",
"codeconnections:ListConnections",
"codeconnections:ListInstallationTargets",
"codeconnections:GetInstallationUrl",
"codeconnections:ListTagsForResource"
],
"Resource": "*"
}
]
}
```
------
## Example: Limit host VPC permissions using the **VpcId** context key
In the following example, the customer can use the **VpcId** context key to limit creation or management of hosts to hosts with specified VPC.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"codeconnections:CreateHost",
"codeconnections:UpdateHost"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"codeconnections:VpcId": "vpc-EXAMPLE"
}
}
}
]
}
```
------
# Using tags to control access to AWS CodeConnections resources
Tags can be attached to the resource or passed in the request to services that support tagging. In AWS CodeConnections, resources can have tags, and some actions can include tags. When you create an IAM policy, you can use tag condition keys to control the following:
+ Which users can perform actions on a pipeline resource, based on tags that it already has.
+ Which tags can be passed in an action's request.
+ Whether specific tag keys can be used in a request.
The following examples demonstrate how to specify tag conditions in policies for AWS CodeConnections users.
**Example 1: Allow actions based on tags in the request**
The following policy grants users permission to create connections in AWS CodeConnections.
To do that, it allows the `CreateConnection` and `TagResource` actions if the request specifies a tag named `Project` with the value `ProjectA`. (The `aws:RequestTag` condition key is used to control which tags can be passed in an IAM request.) The `aws:TagKeys` condition ensures tag key case sensitivity.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codeconnections:CreateConnection",
"codeconnections:TagResource"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestTag/Project": "ProjectA"
},
"ForAllValues:StringEquals": {
"aws:TagKeys": ["Project"]
}
}
}
]
}
```
**Example 2: Allow actions based on resource tags**
The following policy grants users permission to perform actions on, and get information about, resources in AWS CodeConnections.
To do that, it allows specific actions if the pipeline has a tag named `Project` with the value `ProjectA`. (The `aws:RequestTag` condition key is used to control which tags can be passed in an IAM request.) The `aws:TagKeys` condition ensures tag key case sensitivity.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codeconnections:CreateConnection",
"codeconnections:DeleteConnection",
"codeconnections:ListConnections"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/Project": "ProjectA"
},
"ForAllValues:StringEquals": {
"aws:TagKeys": ["Project"]
}
}
}
]
}
```
## Using notifications and connections in the console
The notifications experience is built into the CodeBuild, CodeCommit, CodeDeploy, and CodePipeline consoles, as well as in the Developer Tools console in the **Settings** navigation bar itself. To access notifications in the consoles, you must either have one of the managed policies for those services applied, or you must have a minimum set of permissions. These permissions must allow you to list and view details about the AWS CodeStar Notifications and AWS CodeConnections resources in your AWS account. If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for entities (IAM users or roles) with that policy. For more information about granting access to AWS CodeBuild, AWS CodeCommit, AWS CodeDeploy, and AWS CodePipeline, including access to those consoles, see the following topics:
+ CodeBuild: [Using identity-based policies for CodeBuild](https://docs.aws.amazon.com/codebuild/latest/userguide/security_iam_id-based-policy-examples.html#managed-policies)
+ CodeCommit: [Using identity-based policies for CodeCommit](https://docs.aws.amazon.com/codecommit/latest/userguide/auth-and-access-control-iam-identity-based-access-control.html)
+ AWS CodeDeploy: [Identity and access management for AWS CodeDeploy](https://docs.aws.amazon.com/codedeploy/latest/userguide/security-iam.html)
+ CodePipeline: [Access control with IAM policies](https://docs.aws.amazon.com/codepipeline/latest/userguide/access-control.html)
AWS CodeStar Notifications does not have any AWS managed policies. To provide access to notification functionality, you must either apply one of the managed policies for one of the services listed previously, or you must create policies with the level of permission you want to grant to users or entities, and then attach those policies to the users, groups, or roles that require those permissions. For more information and examples, see the following:
+ [Example: An administrator-level policy for managing AWS CodeStar Notifications](security_iam_id-based-policy-examples-notifications.md#security_iam_id-based-policy-examples-notifications-full-access)
+ [Example: A contributor-level policy for using AWS CodeStar Notifications](security_iam_id-based-policy-examples-notifications.md#security_iam_id-based-policy-examples-notifications-contributor)
+ [Example: A read-only-level policy for using AWS CodeStar Notifications](security_iam_id-based-policy-examples-notifications.md#security_iam_id-based-policy-examples-notifications-read-only).
AWS CodeConnections does not have any AWS managed policies. You use the permissions and combinations of permissions for access, such as the permissions detailed in [Permissions for completing connections](#permissions-reference-connections-handshake).
For more information, see the following:
+ [Example: An administrator-level policy for managing AWS CodeConnections](security_iam_id-based-policy-examples-connections.md#security_iam_id-based-policy-examples-connections-fullaccess)
+ [Example: A contributor-level policy for using AWS CodeConnections](security_iam_id-based-policy-examples-connections.md#security_iam_id-based-policy-examples-connections-contributor)
+ [Example: A read-only-level policy for using AWS CodeConnections](security_iam_id-based-policy-examples-connections.md#security_iam_id-based-policy-examples-connections-readonly)
You don't need to allow console permissions for users that are making calls only to the AWS CLI or the AWS API. Instead, allow access to only the actions that match the API operation that you're trying to perform.
## Allow users to view their own permissions
This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the AWS CLI or AWS API.
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ViewOwnUserInfo",
"Effect": "Allow",
"Action": [
"iam:GetUserPolicy",
"iam:ListGroupsForUser",
"iam:ListAttachedUserPolicies",
"iam:ListUserPolicies",
"iam:GetUser"
],
"Resource": ["arn:aws:iam::*:user/${aws:username}"]
},
{
"Sid": "NavigateInConsole",
"Effect": "Allow",
"Action": [
"iam:GetGroupPolicy",
"iam:GetPolicyVersion",
"iam:GetPolicy",
"iam:ListAttachedGroupPolicies",
"iam:ListGroupPolicies",
"iam:ListPolicyVersions",
"iam:ListPolicies",
"iam:ListUsers"
],
"Resource": "*"
}
]
}
```
# Troubleshooting AWS CodeStar Notifications and AWS CodeConnections identity and access
Use the following information to help you diagnose and fix common issues that you might encounter when working with notifications and IAM.
**Topics**
+ [I'm an administrator and want to allow others to access notifications](#security_iam_troubleshoot-admin-delegate)
+ [I created an Amazon SNS topic and added it as a notification rule target, but I am not receiving emails about events](#security_iam_troubleshoot-sns)
+ [I want to allow people outside of my AWS account to access my AWS CodeStar Notifications and AWS CodeConnections resources](#security_iam_troubleshoot-cross-account-access)
## I'm an administrator and want to allow others to access notifications
To allow others to access AWS CodeStar Notifications and AWS CodeConnections, you must grant permission to the people or applications that need access. If you are using AWS IAM Identity Center to manage people and applications, you assign permission sets to users or groups to define their level of access. Permission sets automatically create and assign IAM policies to IAM roles that are associated with the person or application. For more information, see [Permission sets](https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetsconcept.html) in the *AWS IAM Identity Center User Guide*.
If you are not using IAM Identity Center, you must create IAM entities (users or roles) for the people or applications that need access. You must then attach a policy to the entity that grants them the correct permissions in AWS CodeStar Notifications and AWS CodeConnections. After the permissions are granted, provide the credentials to the user or application developer. They will use those credentials to access AWS. To learn more about creating IAM users, groups, policies, and permissions, see [IAM Identities](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html) and [Policies and permissions in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.
For AWS CodeStar Notifications specific information, see [Permissions and examples for AWS CodeStar Notifications](security_iam_id-based-policy-examples-notifications.md).
## I created an Amazon SNS topic and added it as a notification rule target, but I am not receiving emails about events
In order to receive notifications about events, you must have a valid Amazon SNS topic subscribed as a target for the notification rule, and your email address must be subscribed to the Amazon SNS topic. To troubleshoot problems with the Amazon SNS topic, check the following:
+ Make sure that the Amazon SNS topic is in the same AWS Region as the notification rule.
+ Check to make sure that your email alias is subscribed to the correct topic, and that you have confirmed the subscription. For more information, see [Subscribing an endpoint to an Amazon SNS topic](https://docs.aws.amazon.com/sns/latest/dg/sns-tutorial-create-subscribe-endpoint-to-topic.html).
+ Verify that the topic policy has been modified to allow AWS CodeStar Notifications to push notifications to that topic. The topic policy should include a statement similar to the following:
```
{
"Sid": "AWSCodeStarNotifications_publish",
"Effect": "Allow",
"Principal": {
"Service": [
"codestar-notifications.amazonaws.com"
]
},
"Action": "SNS:Publish",
"Resource": "arn:aws:sns:us-east-1:123456789012:MyNotificationTopicName",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "123456789012"
}
}
}
```
For more information, see [Setting up](setting-up.md).
## I want to allow people outside of my AWS account to access my AWS CodeStar Notifications and AWS CodeConnections resources
You can create a role that users in other accounts or people outside of your organization can use to access your resources. You can specify who is trusted to assume the role. For services that support resource-based policies or access control lists (ACLs), you can use those policies to grant people access to your resources.
To learn more, consult the following:
+ To learn whether AWS CodeStar Notifications and AWS CodeConnections supports these features, see [How features in the developer tools console work with IAM](security_iam_service-with-iam.md).
+ To learn how to provide access to your resources across AWS accounts that you own, see [Providing access to an IAM user in another AWS account that you own](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html) in the *IAM User Guide*.
+ To learn how to provide access to your resources to third-party AWS accounts, see [Providing access to AWS accounts owned by third parties](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html) in the *IAM User Guide*.
+ To learn how to provide access through identity federation, see [Providing access to externally authenticated users (identity federation)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html) in the *IAM User Guide*.
+ To learn the difference between using roles and resource-based policies for cross-account access, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.
# Using service-linked roles for AWS CodeStar Notifications
AWS CodeStar Notifications uses AWS Identity and Access Management (IAM)[ service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that is linked directly to AWS CodeStar Notifications. Service-linked roles are predefined by AWS CodeStar Notifications and include all the permissions that the service requires to call other AWS services on your behalf. This role is created for you the first time you create a notification rule. You don't have to create the role.
A service-linked role makes setting up AWS CodeStar Notifications easier because you don’t have to add permissions manually. AWS CodeStar Notifications defines the permissions of its service-linked roles, and unless defined otherwise, only AWS CodeStar Notifications can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.
To delete a service-linked role, you must first delete its related resources. This protects your AWS CodeStar Notifications resources because you can't inadvertently remove permission to access the resources.
For information about other services that support service-linked roles, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html).
## Service-linked role permissions for AWS CodeStar Notifications
AWS CodeStar Notifications uses the AWSServiceRoleForCodeStarNotifications service-linked role to retrieve information about events that occur in your toolchain and send notifications to the targets you specify.
The AWSServiceRoleForCodeStarNotifications service-linked role trusts the following services to assume the role:
+ `codestar-notifications.amazonaws.com`
The role permissions policy allows AWS CodeStar Notifications to complete the following actions on the specified resources:
+ Action: `PutRule` on `CloudWatch Event rules that are named awscodestar-notifications-*`
+ Action: `DescribeRule` on `CloudWatch Event rules that are named awscodestar-notifications-*`
+ Action: `PutTargets` on `CloudWatch Event rules that are named awscodestar-notifications-*`
+ Action: `CreateTopic` to `create Amazon SNS topics for use with AWS CodeStar Notifications with the prefix CodeStarNotifications-`
+ Action: `GetCommentsForPullRequests` on `all comments on all pull requests in all CodeCommit repositories in the AWS account`
+ Action: `GetCommentsForComparedCommit` on `all comments on all commits in all CodeCommit repositories in the AWS account`
+ Action: `GetDifferences` on `all commits in all CodeCommit repositories in the AWS account`
+ Action: `GetCommentsForComparedCommit` on `all comments on all commits in all CodeCommit repositories in the AWS account`
+ Action: `GetDifferences` on `all commits in all CodeCommit repositories in the AWS account`
+ Action: `DescribeSlackChannelConfigurations` on `all AWS Chatbot clients in the AWS account`
+ Action: `UpdateSlackChannelConfiguration` on `all AWS Chatbot clients in the AWS account`
+ Action: `ListActionExecutions` on `all actions in all pipelines in the AWS account`
+ Action: `GetFile` on `all files in all CodeCommit repositories in the AWS account unless otherwise tagged`
You can see these actions in the policy statement for the AWSServiceRoleForCodeStarNotifications service-linked role.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"events:PutTargets",
"events:PutRule",
"events:DescribeRule"
],
"Resource": "arn:aws:events:*:*:rule/awscodestarnotifications-*",
"Effect": "Allow"
},
{
"Action": [
"sns:CreateTopic"
],
"Resource": "arn:aws:sns:*:*:CodeStarNotifications-*",
"Effect": "Allow"
},
{
"Action": [
"codecommit:GetCommentsForPullRequest",
"codecommit:GetCommentsForComparedCommit",
"codecommit:GetDifferences",
"chatbot:DescribeSlackChannelConfigurations",
"chatbot:UpdateSlackChannelConfiguration",
"codepipeline:ListActionExecutions"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"codecommit:GetFile"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:ResourceTag/ExcludeFileContentFromNotifications": "true"
}
},
"Effect": "Allow"
}
]
}
```
------
You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-Linked Role Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.
## Creating a service-linked role for AWS CodeStar Notifications
You don't need to manually create a service-linked role. You can use the Developer Tools console or the CreateNotificationRule API from the AWS CLI or SDKs to create a notification rule. You can also directly call the API. No matter which method you use, the service-linked role is created for you.
If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. You can use the Developer Tools console or the CreateNotificationRule API from the AWS CLI or SDKs to create a notification rule. You can also directly call the API. No matter which method you use, the service-linked role is created for you.
## Editing a service-linked role for AWS CodeStar Notifications
After you create a service-linked role, you cannot change its name because various entities might reference the role. However, you can use IAM to edit the role description. For more information, see [Editing a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.
## Deleting a service-linked role for AWS CodeStar Notifications
If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete the role. That way, you don’t have an unused entity that is not actively monitored or maintained. You must clean up the resources for your service-linked role before you can delete it. For AWS CodeStar Notifications, this means deleting all notification rules that use the service role in your AWS account.
**Note**
If the AWS CodeStar Notifications service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.
**To delete AWS CodeStar Notifications resources used by AWSServiceRoleForCodeStarNotifications**
1. Open the AWS Developer Tools console at [https://console.aws.amazon.com/codesuite/settings/notifications](https://console.aws.amazon.com/codesuite/settings/notifications/).
**Note**
Notification rules apply to the AWS Region where they are created. If you have notification rules in more than one AWS Region, use the Region selector to change the AWS Region.
1. Choose all notification rules that appear in the list, and then choose **Delete**.
1. Repeat these steps in all AWS Regions where you created notification rules.
**To **use IAM** to delete the service-linked role **
Use the IAM console, AWS CLI, or AWS Identity and Access Management API to delete the AWSServiceRoleForCodeStarNotifications service-linked role. For more information, see [Deleting a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.
## Supported regions for AWS CodeStar Notifications service-linked roles
AWS CodeStar Notifications supports using service-linked roles in all of the AWS Regions where the service is available. For more information, see [AWS Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html) and [AWS CodeStar Notifications](https://docs.aws.amazon.com/general/latest/gr/codestar_notifications.html).
# Using service-linked roles for AWS CodeConnections
AWS CodeConnections uses AWS Identity and Access Management (IAM)[ service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that is linked directly to AWS CodeConnections. Service-linked roles are predefined by AWS CodeConnections and include all the permissions that the service requires to call other AWS services on your behalf. This role is created for you the first time you create a connection. You don't have to create the role.
A service-linked role makes setting up AWS CodeConnections easier because you don’t have to add permissions manually. AWS CodeConnections defines the permissions of its service-linked roles, and unless defined otherwise, only AWS CodeConnections can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.
To delete a service-linked role, you must first delete its related resources. This protects your AWS CodeConnections resources because you can't inadvertently remove permission to access the resources.
For information about other services that support service-linked roles, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html).
**Note**
Actions for resources that are created under the new service prefix `codeconnections` are available. Creating a resource under the new service prefix will use `codeconnections` in the resource ARN. Actions and resources for the `codestar-connections` service prefix remain available. When specifying a resource in the IAM policy, the service prefix needs to match that of the resource.
## Service-linked role permissions for AWS CodeConnections
AWS CodeConnections uses the AWSServiceRoleForGitSync service-linked role to use Git sync with connected Git-based repositories.
The AWSServiceRoleForGitSync service-linked role trusts the following services to assume the role:
+ `repository.sync.codeconnections.amazonaws.com`
The role permissions policy named AWSGitSyncServiceRolePolicy allows AWS CodeConnections to complete the following actions on the specified resources:
+ Action: Grants permissions to allow users to create connections to external Git-based repositories and use Git sync with those repositories.
You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-Linked Role Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.
## Creating a service-linked role for AWS CodeConnections
You don't need to manually create a service-linked role. You create the role when you create a resource for your Git-synced project with the CreateRepositoryLink API.
If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account.
## Editing a service-linked role for AWS CodeConnections
After you create a service-linked role, you cannot change its name because various entities might reference the role. However, you can use IAM to edit the role description. For more information, see [Editing a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.
## Deleting a service-linked role for AWS CodeConnections
If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete the role. That way, you don’t have an unused entity that is not actively monitored or maintained. You must clean up the resources for your service-linked role before you can delete it. This means deleting all connections that use the service role in your AWS account.
**Note**
If the AWS CodeConnections service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.
**To delete AWS CodeConnections resources used by AWSServiceRoleForGitSync**
1. Open the Developer Tools console, and then choose **Settings**.
1. Choose all connections that appear in the list, and then choose **Delete**.
1. Repeat these steps in all AWS Regions where you created connections.
**To **use IAM** to delete the service-linked role **
Use the IAM console, AWS CLI, or AWS Identity and Access Management API to delete the AWSServiceRoleForGitSync service-linked role. For more information, see [Deleting a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.
## Supported regions for AWS CodeConnections service-linked roles
AWS CodeConnections supports using service-linked roles in all of the AWS Regions where the service is available. For more information, see [AWS Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html).
# AWS managed policies for AWS CodeConnections
An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.
Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [ customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.
You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.
For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.
**Note**
Actions for resources that are created under the new service prefix `codeconnections` are available. Creating a resource under the new service prefix will use `codeconnections` in the resource ARN. Actions and resources for the `codestar-connections` service prefix remain available. When specifying a resource in the IAM policy, the service prefix needs to match that of the resource.
## AWS managed policy: AWSGitSyncServiceRolePolicy
You can't attach AWSGitSyncServiceRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows AWS CodeConnections to perform actions on your behalf. For more information, see [Using service-linked roles for AWS CodeConnections](service-linked-role-connections.md).
This policy allows customers to access Git-based repositories for use with connections. Customers will access these resources after using the CreateRepositoryLink API.
**Permissions details**
This policy includes the following permissions.
+ `codeconnections` – Grants permissions to allow users to create connections to external Git-based repositories.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AccessGitRepos",
"Effect": "Allow",
"Action": [
"codestar-connections:UseConnection",
"codeconnections:UseConnection"
],
"Resource": [
"arn:aws:codestar-connections:*:*:connection/*",
"arn:aws:codeconnections:*:*:connection/*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
}
]
}
```
------
## AWS CodeConnections updates to AWS managed policies
View details about updates to AWS managed policies for AWS CodeConnections since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the AWS CodeConnections [Document history](doc-history.md) page.
| Change | Description | Date |
| --- | --- | --- |
| [AWSGitSyncServiceRolePolicy](#security-iam-awsmanpol-AWSGitSyncServiceRolePolicy) – Updated policy | AWS CodeStar Connections service name changed to AWS CodeConnections. Updated the policy for resources with ARNs that contain both service prefixes. | April 26, 2024 |
| [AWSGitSyncServiceRolePolicy](#security-iam-awsmanpol-AWSGitSyncServiceRolePolicy) – New policy | AWS CodeStar Connections added the policy. Grants permissions to allow connections users to use Git sync with connected Git-based repositories. | November 26, 2023 |
| AWS CodeConnections started tracking changes | AWS CodeConnections started tracking changes for its AWS managed policies. | November 26, 2023 |