Actions, resources, and condition keys for AWS CodeCommit
AWS CodeCommit (service prefix: codecommit) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
- Learn how to configure this service.
- View a list of the API operations available for this service.
- Learn how to secure this service and its resources by using IAM permission policies.
Actions defined by AWS CodeCommit
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
---|---|---|---|---|---|
AssociateApprovalRuleTemplateWithRepository | Grants permission to associate an approval rule template with a repository | Write | |||
BatchAssociateApprovalRuleTemplateWithRepositories | Grants permission to associate an approval rule template with multiple repositories in a single operation | Write | |||
BatchDescribeMergeConflicts | Grants permission to get information about multiple merge conflicts when attempting to merge two commits using either the three-way merge or the squash merge option | Read | |||
BatchDisassociateApprovalRuleTemplateFromRepositories | Grants permission to remove the association between an approval rule template and multiple repositories in a single operation | Write | |||
BatchGetCommits | Grants permission to return information about one or more commits in an AWS CodeCommit repository | Read | |||
BatchGetPullRequests [permission only] | Grants permission to return information about one or more pull requests in an AWS CodeCommit repository | Read | |||
BatchGetRepositories | Grants permission to get information about multiple repositories | Read | |||
CancelUploadArchive [permission only] | Grants permission to cancel the uploading of an archive to a pipeline in AWS CodePipeline | Read | |||
CreateApprovalRuleTemplate | Grants permission to create an approval rule template that will automatically create approval rules in pull requests that match the conditions defined in the template; does not grant permission to create approval rules for individual pull requests | Write | |||
CreateBranch | Grants permission to create a branch in an AWS CodeCommit repository with this API; does not control Git create branch actions | Write | |||
CreateCommit | Grants permission to add, copy, move or update single or multiple files in a branch in an AWS CodeCommit repository, and generate a commit for the changes in the specified branch | Write | |||
CreatePullRequest | Grants permission to create a pull request in the specified repository | Write | |||
CreatePullRequestApprovalRule | Grants permission to create an approval rule specific to an individual pull request; does not grant permission to create approval rule templates | Write | |||
CreateRepository | Grants permission to create an AWS CodeCommit repository | Write | |||
CreateUnreferencedMergeCommit | Grants permission to create an unreferenced commit that contains the result of merging two commits using either the three-way or the squash merge option; does not control Git merge actions | Write | |||
DeleteApprovalRuleTemplate | Grants permission to delete an approval rule template | Write | |||
DeleteBranch | Grants permission to delete a branch in an AWS CodeCommit repository with this API; does not control Git delete branch actions | Write | |||
DeleteCommentContent | Grants permission to delete the content of a comment made on a change, file, or commit in a repository | Write | |||
DeleteFile | Grants permission to delete a specified file from a specified branch | Write | |||
DeletePullRequestApprovalRule | Grants permission to delete an approval rule created for a pull request if the rule was not created by an approval rule template | Write | |||
DeleteRepository | Grants permission to delete an AWS CodeCommit repository | Write | |||
DescribeMergeConflicts | Grants permission to get information about specific merge conflicts when attempting to merge two commits using either the three-way or the squash merge option | Read | |||
DescribePullRequestEvents | Grants permission to return information about one or more pull request events | Read | |||
DisassociateApprovalRuleTemplateFromRepository | Grants permission to remove the association between an approval rule template and a repository | Write | |||
EvaluatePullRequestApprovalRules | Grants permission to evaluate whether a pull request is mergeable based on its current approval state and approval rule requirements | Read | |||
GetApprovalRuleTemplate | Grants permission to return information about an approval rule template | Read | |||
GetBlob | Grants permission to view the encoded content of an individual file in an AWS CodeCommit repository from the AWS CodeCommit console | Read | |||
GetBranch | Grants permission to get details about a branch in an AWS CodeCommit repository with this API; does not control Git branch actions | Read | |||
GetComment | Grants permission to get the content of a comment made on a change, file, or commit in a repository | Read | |||
GetCommentReactions | Grants permission to get the reactions on a comment | Read | |||
GetCommentsForComparedCommit | Grants permission to get information about comments made on the comparison between two commits | Read | |||
GetCommentsForPullRequest | Grants permission to get comments made on a pull request | Read | |||
GetCommit | Grants permission to return information about a commit, including commit message and committer information, with this API; does not control Git log actions | Read | |||
GetCommitHistory [permission only] | Grants permission to get information about the history of commits in a repository | Read | |||
GetCommitsFromMergeBase [permission only] | Grants permission to get information about the difference between commits in the context of a potential merge | Read | |||
GetDifferences | Grants permission to view information about the differences between valid commit specifiers such as a branch, tag, HEAD, commit ID, or other fully qualified reference | Read | |||
GetFile | Grants permission to return the base-64 encoded contents of a specified file and its metadata | Read | |||
GetFolder | Grants permission to return the contents of a specified folder in a repository | Read | |||
GetMergeCommit | Grants permission to get information about a merge commit created by one of the merge options for pull requests that creates merge commits. Not all merge options create merge commits. This permission does not control Git merge actions | Read | |||
GetMergeConflicts | Grants permission to get information about merge conflicts between the before and after commit IDs for a pull request in a repository | Read | |||
GetMergeOptions | Grants permission to get information about merge options for pull requests that can be used to merge two commits; does not control Git merge actions | Read | |||
GetObjectIdentifier [permission only] | Grants permission to resolve blobs, trees, and commits to their identifier | Read | |||
GetPullRequest | Grants permission to get information about a pull request in a specified repository | Read | |||
GetPullRequestApprovalStates | Grants permission to retrieve the current approvals on an inputted pull request | Read | |||
GetPullRequestOverrideState | Grants permission to retrieve the current override state of a given pull request | Read | |||
GetReferences [permission only] | Grants permission to get details about references in an AWS CodeCommit repository; does not control Git reference actions | Read | |||
GetRepository | Grants permission to get information about an AWS CodeCommit repository | Read | |||
GetRepositoryTriggers | Grants permission to get information about triggers configured for a repository | Read | |||
GetTree [permission only] | Grants permission to view the contents of a specified tree in an AWS CodeCommit repository from the AWS CodeCommit console | Read | |||
GetUploadArchiveStatus [permission only] | Grants permission to get status information about an archive upload to a pipeline in AWS CodePipeline | Read | |||
GitPull [permission only] | Grants permission to pull information from an AWS CodeCommit repository to a local repo | Read | |||
GitPush [permission only] | Grants permission to push information from a local repo to an AWS CodeCommit repository | Write | |||
ListApprovalRuleTemplates | Grants permission to list all approval rule templates in an AWS Region for the AWS account | List | |||
ListAssociatedApprovalRuleTemplatesForRepository | Grants permission to list approval rule templates that are associated with a repository | List | |||
ListBranches | Grants permission to list branches for an AWS CodeCommit repository with this API; does not control Git branch actions | List | |||
ListFileCommitHistory | Grants permission to list commits and changes to a specified file | List | |||
ListPullRequests | Grants permission to list pull requests for a specified repository | List | |||
ListRepositories | Grants permission to list information about AWS CodeCommit repositories in the current Region for your AWS account | List | |||
ListRepositoriesForApprovalRuleTemplate | Grants permission to list repositories that are associated with an approval rule template | List | |||
ListTagsForResource | Grants permission to list the resource tags attached to a CodeCommit resource ARN | List | |||
MergeBranchesByFastForward | Grants permission to merge two commits into the specified destination branch using the fast-forward merge option | Write | |||
MergeBranchesBySquash | Grants permission to merge two commits into the specified destination branch using the squash merge option | Write | |||
MergeBranchesByThreeWay | Grants permission to merge two commits into the specified destination branch using the three-way merge option | Write | |||
MergePullRequestByFastForward | Grants permission to close a pull request and attempt to merge it into the specified destination branch for that pull request at the specified commit using the fast-forward merge option | Write | |||
MergePullRequestBySquash | Grants permission to close a pull request and attempt to merge it into the specified destination branch for that pull request at the specified commit using the squash merge option | Write | |||
MergePullRequestByThreeWay | Grants permission to close a pull request and attempt to merge it into the specified destination branch for that pull request at the specified commit using the three-way merge option | Write | |||
OverridePullRequestApprovalRules | Grants permission to override all approval rules for a pull request, including approval rules created by a template | Write | |||
PostCommentForComparedCommit | Grants permission to post a comment on the comparison between two commits | Write | |||
PostCommentForPullRequest | Grants permission to post a comment on a pull request | Write | |||
PostCommentReply | Grants permission to post a comment in reply to a comment on a comparison between commits or a pull request | Write | |||
PutCommentReaction | Grants permission to post a reaction on a comment | Write | |||
PutFile | Grants permission to add or update a file in a branch in an AWS CodeCommit repository, and generate a commit for the addition in the specified branch | Write | |||
PutRepositoryTriggers | Grants permission to create, update, or delete triggers for a repository | Write | |||
TagResource | Grants permission to attach resource tags to a CodeCommit resource ARN | Tagging | |||
TestRepositoryTriggers | Grants permission to test the functionality of repository triggers by sending information to the trigger target | Write | |||
UntagResource | Grants permission to disassociate resource tags from a CodeCommit resource ARN | Tagging | |||
UpdateApprovalRuleTemplateContent | Grants permission to update the content of approval rule templates; does not grant permission to update content of approval rules created specifically for pull requests | Write | |||
UpdateApprovalRuleTemplateDescription | Grants permission to update the description of approval rule templates | Write | |||
UpdateApprovalRuleTemplateName | Grants permission to update the name of approval rule templates | Write | |||
UpdateComment | Grants permission to update the contents of a comment if the identity matches the identity used to create the comment | Write | |||
UpdateDefaultBranch | Grants permission to change the default branch in an AWS CodeCommit repository | Write | |||
UpdatePullRequestApprovalRuleContent | Grants permission to update the content of approval rules created for a specific pull request; does not grant permission to update approval rule content for rules created with an approval rule template | Write | |||
UpdatePullRequestApprovalState | Grants permission to update the approval state for pull requests | Write | |||
UpdatePullRequestDescription | Grants permission to update the description of a pull request | Write | |||
UpdatePullRequestStatus | Grants permission to update the status of a pull request | Write | |||
UpdatePullRequestTitle | Grants permission to update the title of a pull request | Write | |||
UpdateRepositoryDescription | Grants permission to change the description of an AWS CodeCommit repository | Write | |||
UpdateRepositoryEncryptionKey | Grants permission to change the AWS KMS encryption key used to encrypt and decrypt an AWS CodeCommit repository | Write | |||
UpdateRepositoryName | Grants permission to change the name of an AWS CodeCommit repository | Write | |||
UploadArchive [permission only] | Grants permission to the service role for AWS CodePipeline to upload repository changes into a pipeline | Write | |||
Resource types defined by AWS CodeCommit
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.
Resource types | ARN | Condition keys |
---|---|---|
repository | arn:${Partition}:codecommit:${Region}:${Account}:${RepositoryName} | |
Condition keys for AWS CodeCommit
AWS CodeCommit defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
Condition keys | Description | Type |
---|---|---|
aws:RequestTag/${TagKey} | Filters access by the presence of tag key-value pairs in the request | String |
aws:ResourceTag/${TagKey} | Filters access by tag key-value pairs attached to the resource | String |
aws:TagKeys | Filters access by the presence of tag keys in the request | ArrayOfString |
codecommit:References | Filters access by Git reference to specified AWS CodeCommit actions | String |
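The following identity-based policy is an added example, not part of the AWS reference page, that ties the three tables above together: it scopes actions to one repository ARN built from the repository resource type, uses "*" for an action that is granted without a resource scope, and uses the codecommit:References condition key to deny direct changes to protected branches. The Region (us-east-1), account ID (111122223333) and repository name (example-repo) are placeholders; the set of actions in the Deny statement is the set AWS documents for branch-level protection with codecommit:References, and ListRepositories is assumed to be an action with no resource type (so it requires "*").

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadAndWriteOneRepositoryOnly",
      "Effect": "Allow",
      "Action": [
        "codecommit:GitPull",
        "codecommit:GitPush",
        "codecommit:GetRepository",
        "codecommit:ListBranches",
        "codecommit:GetBranch",
        "codecommit:CreatePullRequest",
        "codecommit:GetPullRequest",
        "codecommit:ListPullRequests",
        "codecommit:UpdatePullRequestApprovalState"
      ],
      "Resource": "arn:aws:codecommit:us-east-1:111122223333:example-repo"
    },
    {
      "Sid": "ListNeedsWildcardResource",
      "Effect": "Allow",
      "Action": "codecommit:ListRepositories",
      "Resource": "*"
    },
    {
      "Sid": "DenyDirectChangesToProtectedBranches",
      "Effect": "Deny",
      "Action": [
        "codecommit:GitPush",
        "codecommit:DeleteBranch",
        "codecommit:PutFile",
        "codecommit:MergeBranchesByFastForward",
        "codecommit:MergeBranchesBySquash",
        "codecommit:MergeBranchesByThreeWay",
        "codecommit:MergePullRequestByFastForward",
        "codecommit:MergePullRequestBySquash",
        "codecommit:MergePullRequestByThreeWay"
      ],
      "Resource": "arn:aws:codecommit:us-east-1:111122223333:example-repo",
      "Condition": {
        "StringEqualsIfExists": {
          "codecommit:References": [
            "refs/heads/main",
            "refs/heads/prod"
          ]
        },
        "Null": {
          "codecommit:References": "false"
        }
      }
    }
  ]
}
```

Two points in the Deny statement matter for correctness. First, the Null condition restricts the statement to requests that actually carry a codecommit:References value, so a plain `git pull` or an API call that does not name a reference is not denied; StringEqualsIfExists then matches only the listed branches. Second, the Actions table notes that the API-level CreateBranch and DeleteBranch actions "do not control Git" branch operations; a branch deleted or force-pushed over the Git protocol is governed by GitPush, which is why the Deny lists both GitPush and DeleteBranch. Merging into a protected branch through the console or API is covered by the MergeBranchesBy* and MergePullRequestBy* actions, so those are listed as well; with this policy a pull request can still be created and approved, but the final merge into main or prod must come from an identity that is not subject to the Deny.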