Permissions and examples for AWS CodeStar Notifications - Developer Tools console

Permissions and examples for AWS CodeStar Notifications

The following policy statements and examples can help you manage AWS CodeStar Notifications.

Permissions related to notifications in full-access managed policies

The AWSCodeCommitFullAccess, AWSCodeBuildAdminAccess, AWSCodeDeployFullAccess, and AWSCodePipeline_FullAccess managed policies include the following statements, which allow full access to notifications in the Developer Tools console. A user with one of these managed policies applied can also create and manage Amazon SNS topics for notifications, subscribe and unsubscribe users to topics, and list topics to choose as targets for notification rules.

Note

In the managed policies, the condition key codestar-notifications:NotificationsForResource has a value specific to the service's resource type. For example, in the full-access policy for CodeCommit, the value is arn:aws:codecommit:*. That condition is what stops the statement from applying to notification rules for other services' resources.

{
    "Sid": "CodeStarNotificationsReadWriteAccess",
    "Effect": "Allow",
    "Action": [
        "codestar-notifications:CreateNotificationRule",
        "codestar-notifications:DescribeNotificationRule",
        "codestar-notifications:UpdateNotificationRule",
        "codestar-notifications:DeleteNotificationRule",
        "codestar-notifications:Subscribe",
        "codestar-notifications:Unsubscribe"
    ],
    "Resource": "*",
    "Condition": {
        "StringLike": {
            "codestar-notifications:NotificationsForResource": "arn:aws:<vendor-code>:*"
        }
    }
},
{
    "Sid": "CodeStarNotificationsListAccess",
    "Effect": "Allow",
    "Action": [
        "codestar-notifications:ListNotificationRules",
        "codestar-notifications:ListTargets",
        "codestar-notifications:ListTagsforResource",
        "codestar-notifications:ListEventTypes"
    ],
    "Resource": "*"
},
{
    "Sid": "CodeStarNotificationsSNSTopicCreateAccess",
    "Effect": "Allow",
    "Action": [
        "sns:CreateTopic",
        "sns:SetTopicAttributes"
    ],
    "Resource": "arn:aws:sns:*:*:codestar-notifications*"
},
{
    "Sid": "SNSTopicListAccess",
    "Effect": "Allow",
    "Action": [
        "sns:ListTopics"
    ],
    "Resource": "*"
},
{
    "Sid": "CodeStarNotificationsChatbotAccess",
    "Effect": "Allow",
    "Action": [
        "chatbot:DescribeSlackChannelConfigurations",
        "chatbot:ListMicrosoftTeamsChannelConfigurations"
    ],
    "Resource": "*"
}

Permissions related to notifications in read-only managed policies

The AWSCodeCommitReadOnly, AWSCodeBuildReadOnlyAccess, AWSCodeDeployReadOnlyAccess, and AWSCodePipeline_ReadOnlyAccess managed policies include the following statements, which allow read-only access to notifications. For example, users with these policies can view notifications for resources in the Developer Tools console, but cannot create, manage, or subscribe to them.

Note

In the managed policies, the condition key codestar-notifications:NotificationsForResource has a value specific to the service's resource type. For example, in the full-access policy for CodeCommit, the value is arn:aws:codecommit:*.

{
    "Sid": "CodeStarNotificationsPowerUserAccess",
    "Effect": "Allow",
    "Action": [
        "codestar-notifications:DescribeNotificationRule"
    ],
    "Resource": "*",
    "Condition": {
        "StringLike": {
            "codestar-notifications:NotificationsForResource": "arn:aws:<vendor-code>:*"
        }
    }
},
{
    "Sid": "CodeStarNotificationsListAccess",
    "Effect": "Allow",
    "Action": [
        "codestar-notifications:ListNotificationRules",
        "codestar-notifications:ListEventTypes",
        "codestar-notifications:ListTargets"
    ],
    "Resource": "*"
}

Permissions related to notifications in other managed policies

The AWSCodeCommitPowerUser, AWSCodeBuildDeveloperAccess, and AWSCodeDeployDeveloperAccess managed policies include the following statements, which allow developers with one of these policies applied to create, edit, and subscribe to notifications. They cannot delete notification rules or manage tags for resources.

Note

In the managed policies, the condition key codestar-notifications:NotificationsForResource has a value specific to the service's resource type. For example, in the full-access policy for CodeCommit, the value is arn:aws:codecommit:*.

{
    "Sid": "CodeStarNotificationsReadWriteAccess",
    "Effect": "Allow",
    "Action": [
        "codestar-notifications:CreateNotificationRule",
        "codestar-notifications:DescribeNotificationRule",
        "codestar-notifications:UpdateNotificationRule",
        "codestar-notifications:Subscribe",
        "codestar-notifications:Unsubscribe"
    ],
    "Resource": "*",
    "Condition": {
        "StringLike": {
            "codestar-notifications:NotificationsForResource": "arn:aws:<vendor-code>:*"
        }
    }
},
{
    "Sid": "CodeStarNotificationsListAccess",
    "Effect": "Allow",
    "Action": [
        "codestar-notifications:ListNotificationRules",
        "codestar-notifications:ListTargets",
        "codestar-notifications:ListTagsforResource",
        "codestar-notifications:ListEventTypes"
    ],
    "Resource": "*"
},
{
    "Sid": "SNSTopicListAccess",
    "Effect": "Allow",
    "Action": [
        "sns:ListTopics"
    ],
    "Resource": "*"
},
{
    "Sid": "CodeStarNotificationsChatbotAccess",
    "Effect": "Allow",
    "Action": [
        "chatbot:DescribeSlackChannelConfigurations",
        "chatbot:ListMicrosoftTeamsChannelConfigurations"
    ],
    "Resource": "*"
}

Example: An administrator-level policy for managing AWS CodeStar Notifications

In this example, you want to grant an IAM user in your AWS account full access to AWS CodeStar Notifications so that the user can view the details of notification rules and list notification rules, targets, and event types. You also want to allow the user to add, update, and delete notification rules. This is a full-access policy, equivalent to the notification permissions included in the AWSCodeBuildAdminAccess, AWSCodeCommitFullAccess, AWSCodeDeployFullAccess, and AWSCodePipeline_FullAccess managed policies. Like those managed policies, you should attach this kind of policy statement only to IAM users, groups, or roles that need full administrative access to notifications and notification rules across the whole AWS account.

Note

This policy includes an allow for CreateNotificationRule. Any user who has this policy applied to their IAM user or role can create AWS CodeStar Notifications rules for any and all resource types supported by notifications in the AWS account, even if that user does not have access to those resources. For example, a user with this policy could create a notification rule for a CodeCommit repository without having any access to CodeCommit. Unlike the managed policies above, the statement below has no codestar-notifications:NotificationsForResource condition to narrow it.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCodeStarNotificationsFullAccess",
            "Effect": "Allow",
            "Action": [
                "codestar-notifications:CreateNotificationRule",
                "codestar-notifications:DeleteNotificationRule",
                "codestar-notifications:DescribeNotificationRule",
                "codestar-notifications:ListNotificationRules",
                "codestar-notifications:UpdateNotificationRule",
                "codestar-notifications:Subscribe",
                "codestar-notifications:Unsubscribe",
                "codestar-notifications:DeleteTarget",
                "codestar-notifications:ListTargets",
                "codestar-notifications:ListTagsforResource",
                "codestar-notifications:TagResource",
                "codestar-notifications:UntagResource"
            ],
            "Resource": "*"
        }
    ]
}

Example: A contributor-level policy for using AWS CodeStar Notifications

In this example, you want to grant permissions for day-to-day use of AWS CodeStar Notifications, such as creating and subscribing to notifications, but not access to more destructive actions such as deleting notification rules or targets. This is equivalent to the access provided in the AWSCodeBuildDeveloperAccess, AWSCodeDeployDeveloperAccess, and AWSCodeCommitPowerUser managed policies.

Note

This policy includes an allow for CreateNotificationRule. Any user who has this policy applied to their IAM user or role can create AWS CodeStar Notifications rules for any and all resource types supported by notifications in the AWS account, even if that user does not have access to those resources. For example, a user with this policy could create a notification rule for a CodeCommit repository without having any access to CodeCommit.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCodeStarNotificationsPowerUserAccess",
            "Effect": "Allow",
            "Action": [
                "codestar-notifications:CreateNotificationRule",
                "codestar-notifications:DescribeNotificationRule",
                "codestar-notifications:ListNotificationRules",
                "codestar-notifications:UpdateNotificationRule",
                "codestar-notifications:Subscribe",
                "codestar-notifications:Unsubscribe",
                "codestar-notifications:ListTargets",
                "codestar-notifications:ListTagsforResource"
            ],
            "Resource": "*"
        }
    ]
}
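The difference between the managed policies and the two custom policies above comes down to the codestar-notifications:NotificationsForResource condition: with it, CreateNotificationRule applies only to one service's resources; without it, a user can create rules for any supported resource type, which is what both notes warn about. The following Python is an added example (not AWS code and not part of the original page): a small offline evaluator for Allow statements with StringLike conditions, plus a lint that flags CreateNotificationRule grants that carry no NotificationsForResource condition. The policies in it are shortened copies of statements on this page; the account ID, repository and pipeline names are constructed, and SCOPED_CONTRIBUTOR is a hardened variant introduced here, not one of the managed policies.

```python
"""Offline check of how codestar-notifications:NotificationsForResource scopes
CreateNotificationRule.  Added example, not AWS code.  Policies are shortened
copies of statements on this page; ARNs and the account ID are constructed."""
import re

CREATE = "codestar-notifications:CreateNotificationRule"
KEY = "codestar-notifications:NotificationsForResource"

# Managed-policy statement with <vendor-code> filled in as codecommit,
# as in AWSCodeCommitFullAccess (action list shortened for the example).
MANAGED_CODECOMMIT = {"Version": "2012-10-17", "Statement": [{
    "Sid": "CodeStarNotificationsReadWriteAccess",
    "Effect": "Allow",
    "Action": [CREATE, "codestar-notifications:DescribeNotificationRule",
               "codestar-notifications:UpdateNotificationRule"],
    "Resource": "*",
    "Condition": {"StringLike": {KEY: "arn:aws:codecommit:*"}},
}]}

# Contributor policy from this page: no condition at all (shortened).
CONTRIBUTOR = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AWSCodeStarNotificationsPowerUserAccess",
    "Effect": "Allow",
    "Action": [CREATE, "codestar-notifications:DescribeNotificationRule",
               "codestar-notifications:Subscribe"],
    "Resource": "*",
}]}

# Hardened variant added here: same grants, limited to CodeCommit resources.
SCOPED_CONTRIBUTOR = {"Version": "2012-10-17", "Statement": [{
    **CONTRIBUTOR["Statement"][0],
    "Condition": {"StringLike": {KEY: "arn:aws:codecommit:*"}},
}]}

# Constructed request contexts (account ID and resource names are made up).
REPO_ARN = "arn:aws:codecommit:us-east-1:123456789012:example-repo"
PIPELINE_ARN = "arn:aws:codepipeline:us-east-1:123456789012:example-pipeline"


def _as_list(v):
    return v if isinstance(v, list) else [v]


def iam_match(pattern, value):
    """IAM-style wildcard match: '*' = any run, '?' = one char; case-insensitive."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern.lower())
    return re.fullmatch(rx, value.lower()) is not None


def statement_allows(stmt, action, context):
    """Simplified evaluation of one Allow statement: Action match, Resource '*',
    and StringLike conditions only.  Deny statements and other condition
    operators are out of scope for this example."""
    if stmt.get("Effect") != "Allow":
        return False
    if not any(iam_match(a, action) for a in _as_list(stmt["Action"])):
        return False
    for op, pairs in stmt.get("Condition", {}).items():
        if op != "StringLike":
            raise NotImplementedError(f"operator {op} not modelled")
        for key, patterns in pairs.items():
            # A key absent from the request context makes the condition false.
            if key not in context:
                return False
            if not any(iam_match(p, context[key]) for p in _as_list(patterns)):
                return False
    return True


def policy_allows(policy, action, context):
    return any(statement_allows(s, action, context) for s in policy["Statement"])


def unscoped_create_statements(policy):
    """Lint: Sids of Allow statements that grant CreateNotificationRule with no
    NotificationsForResource condition (or only a bare '*' one).  These are the
    grants the notes warn about: rules can be created for any resource type."""
    hits = []
    for s in policy["Statement"]:
        if s.get("Effect") != "Allow":
            continue
        if not any(iam_match(a, CREATE) for a in _as_list(s["Action"])):
            continue
        scoped = any(
            key == KEY and any(p != "*" for p in _as_list(pats))
            for pairs in s.get("Condition", {}).values()
            for key, pats in pairs.items()
        )
        if not scoped:
            hits.append(s.get("Sid", "<no Sid>"))
    return hits


def demo():
    """Evaluate CreateNotificationRule for a CodeCommit repo and a CodePipeline
    pipeline under each policy, and lint each policy."""
    return {
        "managed_repo": policy_allows(MANAGED_CODECOMMIT, CREATE, {KEY: REPO_ARN}),
        "managed_pipeline": policy_allows(MANAGED_CODECOMMIT, CREATE, {KEY: PIPELINE_ARN}),
        "contributor_pipeline": policy_allows(CONTRIBUTOR, CREATE, {KEY: PIPELINE_ARN}),
        "scoped_pipeline": policy_allows(SCOPED_CONTRIBUTOR, CREATE, {KEY: PIPELINE_ARN}),
        "lint_contributor": unscoped_create_statements(CONTRIBUTOR),
        "lint_scoped": unscoped_create_statements(SCOPED_CONTRIBUTOR),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The evaluator models only what the example needs (Allow effects, Resource "*", StringLike); it is not the IAM engine. For a real check, feed the same policy JSON to aws iam simulate-custom-policy with a context entry for codestar-notifications:NotificationsForResource, which applies the full evaluation logic including explicit denies and permissions boundaries.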

Example: A read-only-level policy for using AWS CodeStar Notifications

In this example, you want to grant an IAM user in your AWS account read-only access to the notification rules, targets, and event types in your account. This example shows how to create a policy that allows viewing these items. It is equivalent to the permissions included in the AWSCodeBuildReadOnlyAccess, AWSCodeCommitReadOnly, and AWSCodePipeline_ReadOnlyAccess managed policies. Note that the action prefix for this service is codestar-notifications; a policy written with any other prefix grants nothing.

{
    "Version": "2012-10-17",
    "Id": "CodeNotification__ReadOnly",
    "Statement": [
        {
            "Sid": "Reads_API_Access",
            "Effect": "Allow",
            "Action": [
                "codestar-notifications:DescribeNotificationRule",
                "codestar-notifications:ListNotificationRules",
                "codestar-notifications:ListTargets",
                "codestar-notifications:ListEventTypes"
            ],
            "Resource": "*"
        }
    ]
}