Using identity-based policies (IAM policies) for CodeCommit - AWS CodeCommit
The AWS services or features described in AWS documentation might vary by Region. To see the differences that apply to the China Regions, see Getting Started with AWS services in China.

Using identity-based policies (IAM policies) for CodeCommit

The following identity-based policy examples show how an account administrator can attach permissions policies to IAM identities (users, groups, and roles) and thereby grant permissions to perform operations on CodeCommit resources.

Important

We recommend that you first review the introductory topics that explain the basic concepts and options available to manage access to your CodeCommit resources. For more information, see Overview of managing access permissions to your CodeCommit resources.

The following is an example of an identity-based permissions policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "codecommit:BatchGetRepositories" ],
      "Resource": [
        "arn:aws:codecommit:us-east-2:111111111111:MyDestinationRepo",
        "arn:aws:codecommit:us-east-2:111111111111:MyDemo*"
      ]
    }
  ]
}

This policy has one statement that allows a user to get information about the CodeCommit repository named MyDestinationRepo and about all repositories whose names begin with MyDemo in the us-east-2 Region.

Permissions required to use the CodeCommit console

To see the permissions required for each CodeCommit API operation, and for more information about CodeCommit operations, see CodeCommit permissions reference.

To allow users to use the CodeCommit console, the administrator must grant them permissions for CodeCommit actions. For example, you could attach the AWSCodeCommitPowerUser managed policy, or an equivalent policy, to a user or group.

In addition to the permissions granted to users through identity-based policies, CodeCommit requires permissions for AWS Key Management Service (AWS KMS) actions. An IAM user does not need explicit Allow permissions for these actions, but the user must not have any attached policy that sets the following permissions to Deny:

"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey"

For more information about encryption and CodeCommit, see AWS KMS and encryption.
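Because an explicit Deny on any of these KMS actions silently breaks repository access, it is worth scanning the policies you attach before users notice. The following is an added example, not code from AWS: it walks a set of policy documents and reports every Deny statement that covers one of the six KMS actions listed above, including wildcard and NotAction forms. The policy names and sample policies are constructed for the demonstration.

```python
"""Added check: find Deny statements that cover the AWS KMS actions CodeCommit needs."""
import fnmatch

REQUIRED_KMS_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt", "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey",
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    # IAM action names match case-insensitively and support * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def kms_deny_conflicts(policies):
    """Return (policy name, Sid, blocked action) for every Deny that covers a required KMS action.

    Resource and Condition are deliberately ignored, so conditional or key-scoped denies are
    reported too; each one deserves a look before the policy is attached to a CodeCommit user.
    """
    conflicts = []
    for name, doc in policies.items():
        for stmt in doc["Statement"]:
            if stmt.get("Effect") != "Deny":
                continue
            for action in REQUIRED_KMS_ACTIONS:
                if "NotAction" in stmt:
                    # Deny with NotAction denies everything that is *not* listed.
                    denied = not _matches(action, _as_list(stmt["NotAction"]))
                else:
                    denied = _matches(action, _as_list(stmt.get("Action", [])))
                if denied:
                    conflicts.append((name, stmt.get("Sid", "<no Sid>"), action))
    return conflicts


# Constructed sample policies (not from the page) that exercise the check.
SAMPLE_POLICIES = {
    "DenyS3Only": {"Version": "2012-10-17", "Statement": [
        {"Sid": "NoS3", "Effect": "Deny", "Action": "s3:*", "Resource": "*"}]},
    "BlockKeyUse": {"Version": "2012-10-17", "Statement": [
        {"Sid": "NoDecrypt", "Effect": "Deny",
         "Action": ["kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"}]},
    "OnlyCodeCommit": {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyEverythingElse", "Effect": "Deny",
         "NotAction": "codecommit:*", "Resource": "*"}]},
}

if __name__ == "__main__":
    for hit in kms_deny_conflicts(SAMPLE_POLICIES):
        print("policy %s, statement %s denies %s" % hit)
```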

Viewing resources in the console

The CodeCommit console requires the ListRepositories permission to display the list of repositories for your AWS account in the AWS Region where you are signed in. The console also includes a Go to resource function to quickly perform a case-insensitive search for resources. This search is performed in your AWS account in the AWS Region where you are signed in. The following resources are displayed for the following services:

  • AWS CodeBuild: build projects

  • AWS CodeCommit: repositories

  • AWS CodeDeploy: applications

  • AWS CodePipeline: pipelines

To perform this search across resources in all services, you must have the following permissions:

  • CodeBuild: ListProjects

  • CodeCommit: ListRepositories

  • CodeDeploy: ListApplications

  • CodePipeline: ListPipelines

If you do not have permissions for a service, the search returns no results for that service's resources. Even if you have permissions to view resources, the search does not return resources whose viewing is explicitly denied by a Deny.

AWS managed (predefined) policies for CodeCommit

AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. These AWS managed policies grant the permissions needed for common use cases. The managed policies for CodeCommit also grant permissions to perform operations in other services, such as IAM, Amazon SNS, and Amazon CloudWatch Events, as required for the responsibilities of users who have been granted the policy in question. For example, the AWSCodeCommitFullAccess policy is an administrative-level user policy that allows users with this policy to create and manage CloudWatch Events rules for repositories (rules whose names are prefixed with codecommit), to create and manage Amazon SNS topics for notifications about repository-related events (topics whose names are prefixed with codecommit), and to administer repositories in CodeCommit.

The following AWS managed policies, which you can attach to users in your account, are specific to CodeCommit.

AWSCodeCommitFullAccess

AWSCodeCommitFullAccess – Grants full access to CodeCommit. Apply this policy only to administrative-level users to whom you want to grant full control over CodeCommit repositories and related resources in your AWS account, including the ability to delete repositories.

The AWSCodeCommitFullAccess policy contains the following policy statements:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "codecommit:*" ],
      "Resource": "*"
    },
    {
      "Sid": "CloudWatchEventsCodeCommitRulesAccess",
      "Effect": "Allow",
      "Action": [ "events:DeleteRule", "events:DescribeRule", "events:DisableRule", "events:EnableRule", "events:PutRule", "events:PutTargets", "events:RemoveTargets", "events:ListTargetsByRule" ],
      "Resource": "arn:aws:events:*:*:rule/codecommit*"
    },
    {
      "Sid": "SNSTopicAndSubscriptionAccess",
      "Effect": "Allow",
      "Action": [ "sns:CreateTopic", "sns:DeleteTopic", "sns:Subscribe", "sns:Unsubscribe", "sns:SetTopicAttributes" ],
      "Resource": "arn:aws:sns:*:*:codecommit*"
    },
    {
      "Sid": "SNSTopicAndSubscriptionReadAccess",
      "Effect": "Allow",
      "Action": [ "sns:ListTopics", "sns:ListSubscriptionsByTopic", "sns:GetTopicAttributes" ],
      "Resource": "*"
    },
    {
      "Sid": "LambdaReadOnlyListAccess",
      "Effect": "Allow",
      "Action": [ "lambda:ListFunctions" ],
      "Resource": "*"
    },
    {
      "Sid": "IAMReadOnlyListAccess",
      "Effect": "Allow",
      "Action": [ "iam:ListUsers" ],
      "Resource": "*"
    },
    {
      "Sid": "IAMReadOnlyConsoleAccess",
      "Effect": "Allow",
      "Action": [ "iam:ListAccessKeys", "iam:ListSSHPublicKeys", "iam:ListServiceSpecificCredentials" ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "IAMUserSSHKeys",
      "Effect": "Allow",
      "Action": [ "iam:DeleteSSHPublicKey", "iam:GetSSHPublicKey", "iam:ListSSHPublicKeys", "iam:UpdateSSHPublicKey", "iam:UploadSSHPublicKey" ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "IAMSelfManageServiceSpecificCredentials",
      "Effect": "Allow",
      "Action": [ "iam:CreateServiceSpecificCredential", "iam:UpdateServiceSpecificCredential", "iam:DeleteServiceSpecificCredential", "iam:ResetServiceSpecificCredential" ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "CodeStarNotificationsReadWriteAccess",
      "Effect": "Allow",
      "Action": [ "codestar-notifications:CreateNotificationRule", "codestar-notifications:DescribeNotificationRule", "codestar-notifications:UpdateNotificationRule", "codestar-notifications:DeleteNotificationRule", "codestar-notifications:Subscribe", "codestar-notifications:Unsubscribe" ],
      "Resource": "*",
      "Condition": { "StringLike": { "codestar-notifications:NotificationsForResource": "arn:aws:codecommit:*" } }
    },
    {
      "Sid": "CodeStarNotificationsListAccess",
      "Effect": "Allow",
      "Action": [ "codestar-notifications:ListNotificationRules", "codestar-notifications:ListTargets", "codestar-notifications:ListTagsforResource", "codestar-notifications:ListEventTypes" ],
      "Resource": "*"
    },
    {
      "Sid": "CodeStarNotificationsSNSTopicCreateAccess",
      "Effect": "Allow",
      "Action": [ "sns:CreateTopic", "sns:SetTopicAttributes" ],
      "Resource": "arn:aws:sns:*:*:codestar-notifications*"
    },
    {
      "Sid": "AmazonCodeGuruReviewerFullAccess",
      "Effect": "Allow",
      "Action": [ "codeguru-reviewer:AssociateRepository", "codeguru-reviewer:DescribeRepositoryAssociation", "codeguru-reviewer:ListRepositoryAssociations", "codeguru-reviewer:DisassociateRepository", "codeguru-reviewer:DescribeCodeReview", "codeguru-reviewer:ListCodeReviews" ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonCodeGuruReviewerSLRCreation",
      "Action": "iam:CreateServiceLinkedRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/aws-service-role/codeguru-reviewer.amazonaws.com/AWSServiceRoleForAmazonCodeGuruReviewer",
      "Condition": { "StringLike": { "iam:AWSServiceName": "codeguru-reviewer.amazonaws.com" } }
    },
    {
      "Sid": "CloudWatchEventsManagedRules",
      "Effect": "Allow",
      "Action": [ "events:PutRule", "events:PutTargets", "events:DeleteRule", "events:RemoveTargets" ],
      "Resource": "*",
      "Condition": { "StringEquals": { "events:ManagedBy": "codeguru-reviewer.amazonaws.com" } }
    },
    {
      "Sid": "CodeStarNotificationsChatbotAccess",
      "Effect": "Allow",
      "Action": [ "chatbot:DescribeSlackChannelConfigurations" ],
      "Resource": "*"
    }
  ]
}

AWSCodeCommitPowerUser

AWSCodeCommitPowerUser – Allows users access to all of the functionality of CodeCommit and repository-related resources, except that it does not allow them to delete CodeCommit repositories or to create or delete repository-related resources in other AWS services, such as Amazon CloudWatch Events. We recommend that you apply this policy to most users.

The AWSCodeCommitPowerUser policy contains the following policy statements:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codecommit:AssociateApprovalRuleTemplateWithRepository",
        "codecommit:BatchAssociateApprovalRuleTemplateWithRepositories",
        "codecommit:BatchDisassociateApprovalRuleTemplateFromRepositories",
        "codecommit:BatchGet*",
        "codecommit:BatchDescribe*",
        "codecommit:Create*",
        "codecommit:DeleteBranch",
        "codecommit:DeleteFile",
        "codecommit:Describe*",
        "codecommit:DisassociateApprovalRuleTemplateFromRepository",
        "codecommit:EvaluatePullRequestApprovalRules",
        "codecommit:Get*",
        "codecommit:List*",
        "codecommit:Merge*",
        "codecommit:OverridePullRequestApprovalRules",
        "codecommit:Put*",
        "codecommit:Post*",
        "codecommit:TagResource",
        "codecommit:Test*",
        "codecommit:UntagResource",
        "codecommit:Update*",
        "codecommit:GitPull",
        "codecommit:GitPush"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CloudWatchEventsCodeCommitRulesAccess",
      "Effect": "Allow",
      "Action": [ "events:DeleteRule", "events:DescribeRule", "events:DisableRule", "events:EnableRule", "events:PutRule", "events:PutTargets", "events:RemoveTargets", "events:ListTargetsByRule" ],
      "Resource": "arn:aws:events:*:*:rule/codecommit*"
    },
    {
      "Sid": "SNSTopicAndSubscriptionAccess",
      "Effect": "Allow",
      "Action": [ "sns:Subscribe", "sns:Unsubscribe" ],
      "Resource": "arn:aws:sns:*:*:codecommit*"
    },
    {
      "Sid": "SNSTopicAndSubscriptionReadAccess",
      "Effect": "Allow",
      "Action": [ "sns:ListTopics", "sns:ListSubscriptionsByTopic", "sns:GetTopicAttributes" ],
      "Resource": "*"
    },
    {
      "Sid": "LambdaReadOnlyListAccess",
      "Effect": "Allow",
      "Action": [ "lambda:ListFunctions" ],
      "Resource": "*"
    },
    {
      "Sid": "IAMReadOnlyListAccess",
      "Effect": "Allow",
      "Action": [ "iam:ListUsers" ],
      "Resource": "*"
    },
    {
      "Sid": "IAMReadOnlyConsoleAccess",
      "Effect": "Allow",
      "Action": [ "iam:ListAccessKeys", "iam:ListSSHPublicKeys", "iam:ListServiceSpecificCredentials" ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "IAMUserSSHKeys",
      "Effect": "Allow",
      "Action": [ "iam:DeleteSSHPublicKey", "iam:GetSSHPublicKey", "iam:ListSSHPublicKeys", "iam:UpdateSSHPublicKey", "iam:UploadSSHPublicKey" ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "IAMSelfManageServiceSpecificCredentials",
      "Effect": "Allow",
      "Action": [ "iam:CreateServiceSpecificCredential", "iam:UpdateServiceSpecificCredential", "iam:DeleteServiceSpecificCredential", "iam:ResetServiceSpecificCredential" ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "CodeStarNotificationsReadWriteAccess",
      "Effect": "Allow",
      "Action": [ "codestar-notifications:CreateNotificationRule", "codestar-notifications:DescribeNotificationRule", "codestar-notifications:UpdateNotificationRule", "codestar-notifications:Subscribe", "codestar-notifications:Unsubscribe" ],
      "Resource": "*",
      "Condition": { "StringLike": { "codestar-notifications:NotificationsForResource": "arn:aws:codecommit:*" } }
    },
    {
      "Sid": "CodeStarNotificationsListAccess",
      "Effect": "Allow",
      "Action": [ "codestar-notifications:ListNotificationRules", "codestar-notifications:ListTargets", "codestar-notifications:ListTagsforResource", "codestar-notifications:ListEventTypes" ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonCodeGuruReviewerFullAccess",
      "Effect": "Allow",
      "Action": [ "codeguru-reviewer:AssociateRepository", "codeguru-reviewer:DescribeRepositoryAssociation", "codeguru-reviewer:ListRepositoryAssociations", "codeguru-reviewer:DisassociateRepository", "codeguru-reviewer:DescribeCodeReview", "codeguru-reviewer:ListCodeReviews" ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonCodeGuruReviewerSLRCreation",
      "Action": "iam:CreateServiceLinkedRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/aws-service-role/codeguru-reviewer.amazonaws.com/AWSServiceRoleForAmazonCodeGuruReviewer",
      "Condition": { "StringLike": { "iam:AWSServiceName": "codeguru-reviewer.amazonaws.com" } }
    },
    {
      "Sid": "CloudWatchEventsManagedRules",
      "Effect": "Allow",
      "Action": [ "events:PutRule", "events:PutTargets", "events:DeleteRule", "events:RemoveTargets" ],
      "Resource": "*",
      "Condition": { "StringEquals": { "events:ManagedBy": "codeguru-reviewer.amazonaws.com" } }
    },
    {
      "Sid": "CodeStarNotificationsChatbotAccess",
      "Effect": "Allow",
      "Action": [ "chatbot:DescribeSlackChannelConfigurations" ],
      "Resource": "*"
    }
  ]
}

AWSCodeCommitReadOnly

AWSCodeCommitReadOnly – Grants read-only access to CodeCommit and to repository-related resources in other AWS services, together with the ability to create and manage their own CodeCommit-related resources (such as the Git credentials and SSH keys their IAM user uses when accessing repositories). Apply this policy to users to whom you want to grant the ability to read the contents of a repository, but not to make any changes to its contents.

The AWSCodeCommitReadOnly policy contains the following policy statements:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "codecommit:BatchGet*", "codecommit:BatchDescribe*", "codecommit:Describe*", "codecommit:EvaluatePullRequestApprovalRules", "codecommit:Get*", "codecommit:List*", "codecommit:GitPull" ],
      "Resource": "*"
    },
    {
      "Sid": "CloudWatchEventsCodeCommitRulesReadOnlyAccess",
      "Effect": "Allow",
      "Action": [ "events:DescribeRule", "events:ListTargetsByRule" ],
      "Resource": "arn:aws:events:*:*:rule/codecommit*"
    },
    {
      "Sid": "SNSSubscriptionAccess",
      "Effect": "Allow",
      "Action": [ "sns:ListTopics", "sns:ListSubscriptionsByTopic", "sns:GetTopicAttributes" ],
      "Resource": "*"
    },
    {
      "Sid": "LambdaReadOnlyListAccess",
      "Effect": "Allow",
      "Action": [ "lambda:ListFunctions" ],
      "Resource": "*"
    },
    {
      "Sid": "IAMReadOnlyListAccess",
      "Effect": "Allow",
      "Action": [ "iam:ListUsers" ],
      "Resource": "*"
    },
    {
      "Sid": "IAMReadOnlyConsoleAccess",
      "Effect": "Allow",
      "Action": [ "iam:ListAccessKeys", "iam:ListSSHPublicKeys", "iam:ListServiceSpecificCredentials", "iam:ListAccessKeys", "iam:GetSSHPublicKey" ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "CodeStarNotificationsReadOnlyAccess",
      "Effect": "Allow",
      "Action": [ "codestar-notifications:DescribeNotificationRule" ],
      "Resource": "*",
      "Condition": { "StringLike": { "codestar-notifications:NotificationsForResource": "arn:aws:codecommit:*" } }
    },
    {
      "Sid": "CodeStarNotificationsListAccess",
      "Effect": "Allow",
      "Action": [ "codestar-notifications:ListNotificationRules", "codestar-notifications:ListEventTypes", "codestar-notifications:ListTargets" ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonCodeGuruReviewerReadOnlyAccess",
      "Effect": "Allow",
      "Action": [ "codeguru-reviewer:DescribeRepositoryAssociation", "codeguru-reviewer:ListRepositoryAssociations", "codeguru-reviewer:DescribeCodeReview", "codeguru-reviewer:ListCodeReviews" ],
      "Resource": "*"
    }
  ]
}

CodeCommit managed policies and notifications

AWS CodeCommit supports notifications, which can notify users of important changes to repositories. Managed policies for CodeCommit include policy statements for notification functionality. For more information, see What are notifications?.

Permissions related to notifications in full access managed policies

The AWSCodeCommitFullAccess managed policy includes the following statements to allow full access to notifications. Users with this managed policy applied can also create and manage Amazon SNS topics for notifications, subscribe and unsubscribe users to topics, list topics to choose as targets for notification rules, and list AWS Chatbot clients configured for Slack.

{
  "Sid": "CodeStarNotificationsReadWriteAccess",
  "Effect": "Allow",
  "Action": [ "codestar-notifications:CreateNotificationRule", "codestar-notifications:DescribeNotificationRule", "codestar-notifications:UpdateNotificationRule", "codestar-notifications:DeleteNotificationRule", "codestar-notifications:Subscribe", "codestar-notifications:Unsubscribe" ],
  "Resource": "*",
  "Condition": { "StringLike": { "codestar-notifications:NotificationsForResource": "arn:aws:codecommit:*" } }
},
{
  "Sid": "CodeStarNotificationsListAccess",
  "Effect": "Allow",
  "Action": [ "codestar-notifications:ListNotificationRules", "codestar-notifications:ListTargets", "codestar-notifications:ListTagsforResource", "codestar-notifications:ListEventTypes" ],
  "Resource": "*"
},
{
  "Sid": "CodeStarNotificationsSNSTopicCreateAccess",
  "Effect": "Allow",
  "Action": [ "sns:CreateTopic", "sns:SetTopicAttributes" ],
  "Resource": "arn:aws:sns:*:*:codestar-notifications*"
},
{
  "Sid": "CodeStarNotificationsChatbotAccess",
  "Effect": "Allow",
  "Action": [ "chatbot:DescribeSlackChannelConfigurations" ],
  "Resource": "*"
}

Permissions related to notifications in read-only managed policies

The AWSCodeCommitReadOnlyAccess managed policy includes the following statements to allow read-only access to notifications. Users with this managed policy applied can view notifications for resources, but cannot create, manage, or subscribe to them.

{
  "Sid": "CodeStarNotificationsPowerUserAccess",
  "Effect": "Allow",
  "Action": [ "codestar-notifications:DescribeNotificationRule" ],
  "Resource": "*",
  "Condition": { "StringLike": { "codestar-notifications:NotificationsForResource": "arn:aws:codecommit:*" } }
},
{
  "Sid": "CodeStarNotificationsListAccess",
  "Effect": "Allow",
  "Action": [ "codestar-notifications:ListNotificationRules", "codestar-notifications:ListEventTypes", "codestar-notifications:ListTargets" ],
  "Resource": "*"
}

Permissions related to notifications in other managed policies

The AWSCodeCommitPowerUser managed policy includes the following statements to allow users to create, edit, and subscribe to notifications. Users cannot delete notification rules or manage tags for resources.

{
  "Sid": "CodeStarNotificationsReadWriteAccess",
  "Effect": "Allow",
  "Action": [ "codestar-notifications:CreateNotificationRule", "codestar-notifications:DescribeNotificationRule", "codestar-notifications:UpdateNotificationRule", "codestar-notifications:Subscribe", "codestar-notifications:Unsubscribe" ],
  "Resource": "*",
  "Condition": { "StringLike": { "codestar-notifications:NotificationsForResource": "arn:aws:codecommit*" } }
},
{
  "Sid": "CodeStarNotificationsListAccess",
  "Effect": "Allow",
  "Action": [ "codestar-notifications:ListNotificationRules", "codestar-notifications:ListTargets", "codestar-notifications:ListTagsforResource", "codestar-notifications:ListEventTypes" ],
  "Resource": "*"
},
{
  "Sid": "SNSTopicListAccess",
  "Effect": "Allow",
  "Action": [ "sns:ListTopics" ],
  "Resource": "*"
},
{
  "Sid": "CodeStarNotificationsChatbotAccess",
  "Effect": "Allow",
  "Action": [ "chatbot:DescribeSlackChannelConfigurations" ],
  "Resource": "*"
}

For more information about IAM and notifications, see Identity and Access Management for AWS CodeStar Notifications.

AWS CodeCommit managed policies and Amazon CodeGuru Reviewer

CodeCommit supports Amazon CodeGuru Reviewer, an automated code review service that uses program analysis and machine learning to detect common issues in Java or Python code and recommend fixes. The CodeCommit managed policies include policy statements for CodeGuru Reviewer functionality. For more information, see What is Amazon CodeGuru Reviewer.

Permissions related to CodeGuru Reviewer in AWSCodeCommitFullAccess

The AWSCodeCommitFullAccess managed policy includes the following statements to allow CodeGuru Reviewer to be associated with and disassociated from CodeCommit repositories. Users with this managed policy applied can also view the association status between CodeCommit repositories and CodeGuru Reviewer, and view the status of review jobs for pull requests.

{
  "Sid": "AmazonCodeGuruReviewerFullAccess",
  "Effect": "Allow",
  "Action": [ "codeguru-reviewer:AssociateRepository", "codeguru-reviewer:DescribeRepositoryAssociation", "codeguru-reviewer:ListRepositoryAssociations", "codeguru-reviewer:DisassociateRepository", "codeguru-reviewer:DescribeCodeReview", "codeguru-reviewer:ListCodeReviews" ],
  "Resource": "*"
},
{
  "Sid": "AmazonCodeGuruReviewerSLRCreation",
  "Action": "iam:CreateServiceLinkedRole",
  "Effect": "Allow",
  "Resource": "arn:aws:iam::*:role/aws-service-role/codeguru-reviewer.amazonaws.com/AWSServiceRoleForAmazonCodeGuruReviewer",
  "Condition": { "StringLike": { "iam:AWSServiceName": "codeguru-reviewer.amazonaws.com" } }
},
{
  "Sid": "CloudWatchEventsManagedRules",
  "Effect": "Allow",
  "Action": [ "events:PutRule", "events:PutTargets", "events:DeleteRule", "events:RemoveTargets" ],
  "Resource": "*",
  "Condition": { "StringEquals": { "events:ManagedBy": "codeguru-reviewer.amazonaws.com" } }
}

Permissions related to CodeGuru Reviewer in AWSCodeCommitPowerUser

The AWSCodeCommitPowerUser managed policy includes the following statements to allow users to associate repositories with and disassociate them from CodeGuru Reviewer, view the association status, and view the status of review jobs for pull requests.

{
  "Sid": "AmazonCodeGuruReviewerFullAccess",
  "Effect": "Allow",
  "Action": [ "codeguru-reviewer:AssociateRepository", "codeguru-reviewer:DescribeRepositoryAssociation", "codeguru-reviewer:ListRepositoryAssociations", "codeguru-reviewer:DisassociateRepository", "codeguru-reviewer:DescribeCodeReview", "codeguru-reviewer:ListCodeReviews" ],
  "Resource": "*"
},
{
  "Sid": "AmazonCodeGuruReviewerSLRCreation",
  "Action": "iam:CreateServiceLinkedRole",
  "Effect": "Allow",
  "Resource": "arn:aws:iam::*:role/aws-service-role/codeguru-reviewer.amazonaws.com/AWSServiceRoleForAmazonCodeGuruReviewer",
  "Condition": { "StringLike": { "iam:AWSServiceName": "codeguru-reviewer.amazonaws.com" } }
},
{
  "Sid": "CloudWatchEventsManagedRules",
  "Effect": "Allow",
  "Action": [ "events:PutRule", "events:PutTargets", "events:DeleteRule", "events:RemoveTargets" ],
  "Resource": "*",
  "Condition": { "StringEquals": { "events:ManagedBy": "codeguru-reviewer.amazonaws.com" } }
}

Permissions related to CodeGuru Reviewer in AWSCodeCommitReadOnly

The AWSCodeCommitReadOnlyAccess managed policy includes the following statements to allow read-only access to the CodeGuru Reviewer association status and to the status of review jobs for pull requests. Users with this managed policy applied cannot associate or disassociate repositories.

{
  "Sid": "AmazonCodeGuruReviewerReadOnlyAccess",
  "Effect": "Allow",
  "Action": [ "codeguru-reviewer:DescribeRepositoryAssociation", "codeguru-reviewer:ListRepositoryAssociations", "codeguru-reviewer:DescribeCodeReview", "codeguru-reviewer:ListCodeReviews" ],
  "Resource": "*"
}

Amazon CodeGuru Reviewer service-linked role

When you associate a repository with CodeGuru Reviewer, a service-linked role is created so that CodeGuru Reviewer can detect issues in Java or Python code in pull requests and recommend fixes. The service-linked role is named AWSServiceRoleForAmazonCodeGuruReviewer. For more information, see Using service-linked roles for Amazon CodeGuru Reviewer.

For more information, see AWS managed policies in the IAM User Guide at https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies.

Customer managed policy examples

You can create your own custom IAM policies to grant permissions for CodeCommit actions and resources. You can attach these custom policies to the IAM users or groups that require those permissions. You can also create your own custom IAM policies for integration between CodeCommit and other AWS services.

Customer managed identity policy examples

The following example IAM policies grant permissions for various CodeCommit actions. Use them to limit CodeCommit access for your IAM users and roles. These policies control the ability to perform actions with the CodeCommit console, the AWS API, the SDKs, or the AWS CLI.

Note

All examples use the US West (Oregon) Region (us-west-2) and contain fictitious account IDs.

Examples

Example 1: Allow a user to perform CodeCommit operations in a single AWS Region

The following permissions policy uses a wildcard ("codecommit:*") to allow users to perform all CodeCommit actions in the us-east-2 Region, and not in other AWS Regions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codecommit:*",
      "Resource": "arn:aws:codecommit:us-east-2:111111111111:*",
      "Condition": { "StringEquals": { "aws:RequestedRegion": "us-east-2" } }
    },
    {
      "Effect": "Allow",
      "Action": "codecommit:ListRepositories",
      "Resource": "*",
      "Condition": { "StringEquals": { "aws:RequestedRegion": "us-east-2" } }
    }
  ]
}

Example 2: Allow a user to use Git for a single repository

In CodeCommit, the GitPull IAM policy permission applies to any Git client command that retrieves data from CodeCommit, including git fetch, git clone, and so on. Similarly, the GitPush IAM policy permission applies to any Git client command that sends data to CodeCommit. For example, if the GitPush IAM policy permission is set to Allow, a user can push the deletion of a branch using the Git protocol. That push is unaffected by any permissions applied to the DeleteBranch IAM action for that user. The DeleteBranch permission applies to actions performed with the console, the AWS CLI, the SDKs, and the API, but not to actions performed with the Git protocol.

The following example allows the specified user to pull from and push to the CodeCommit repository named MyDemoRepo:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "codecommit:GitPull", "codecommit:GitPush" ],
      "Resource": "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo"
    }
  ]
}

Example 3: Allow a user connecting from a specified IP address range to access a repository

You can create a policy that only allows users to connect to a CodeCommit repository if their IP address is within a certain IP address range. There are two equivalent ways to do this. You can create a Deny policy that disallows CodeCommit operations if the user's IP address is not within a certain block, or you can create an Allow policy that allows CodeCommit operations if the user's IP address is within a certain block.

You can create a Deny policy that denies access to all users who are not within a certain IP range. For example, you could attach the AWSCodeCommitPowerUser managed policy and a customer managed policy to all users who require access to your repository. The following example policy denies all CodeCommit permissions to users whose IP addresses are not within the specified IP address block of 203.0.113.0/16:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [ "codecommit:*" ],
      "Resource": "*",
      "Condition": { "NotIpAddress": { "aws:SourceIp": [ "203.0.113.0/16" ] } }
    }
  ]
}

The following example policy allows the specified user to access a CodeCommit repository named MyDemoRepo, with permissions equivalent to the AWSCodeCommitPowerUser managed policy, if their IP address is within the specified address block of 203.0.113.0/16:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codecommit:BatchGetRepositories",
        "codecommit:CreateBranch",
        "codecommit:CreateRepository",
        "codecommit:Get*",
        "codecommit:GitPull",
        "codecommit:GitPush",
        "codecommit:List*",
        "codecommit:Put*",
        "codecommit:Post*",
        "codecommit:Merge*",
        "codecommit:TagResource",
        "codecommit:Test*",
        "codecommit:UntagResource",
        "codecommit:Update*"
      ],
      "Resource": "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo",
      "Condition": { "IpAddress": { "aws:SourceIp": [ "203.0.113.0/16" ] } }
    }
  ]
}

Example 4: Deny or allow actions on branches

You can create a policy that denies users permission for the actions you specify on one or more branches. Alternatively, you can create a policy that allows certain actions on one or more branches while not allowing them on the other branches of that repository. These policies can be used together with the appropriate managed (predefined) policies. For more information, see Limit pushes and merges to branches in AWS CodeCommit.

For example, you can create a Deny policy that denies users the ability to make changes to a branch named main in a repository named MyDemoRepo, including deleting that branch. You can use this policy together with the AWSCodeCommitPowerUser managed policy. Users with both policies applied can create and delete branches, create pull requests, and perform all other actions allowed by AWSCodeCommitPowerUser, but they cannot push changes to the branch named main, add or edit files in the main branch in the CodeCommit console, or merge branches or pull requests into the main branch. Because Deny is applied to GitPush, you must include a Null statement in the policy so that the initial GitPush call can be analyzed for validity when users push from their local repositories.

Tip

If you want to create a policy that applies to all branches named main in all repositories in your AWS account, specify an asterisk ( * ) for Resource instead of a repository ARN.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [ "codecommit:GitPush", "codecommit:DeleteBranch", "codecommit:PutFile", "codecommit:Merge*" ],
      "Resource": "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo",
      "Condition": {
        "StringEqualsIfExists": { "codecommit:References": [ "refs/heads/main" ] },
        "Null": { "codecommit:References": "false" }
      }
    }
  ]
}

The following example policy allows a user to make changes to the branch named main in all repositories in an AWS account. It does not allow changes to any other branch. You could use this policy together with the AWSCodeCommitReadOnly managed policy to allow automated pushes to the main branch of a repository. Because the effect is Allow, this example policy cannot be combined with managed policies such as AWSCodeCommitPowerUser.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "codecommit:GitPush", "codecommit:Merge*" ],
      "Resource": "*",
      "Condition": { "StringEqualsIfExists": { "codecommit:References": [ "refs/heads/main" ] } }
    }
  ]
}

Example 5: Deny or allow actions on repositories with tags

You can create a policy that allows or denies actions on repositories based on the AWS tags associated with those repositories, and then apply that policy to the IAM groups you configure for managing IAM users. For example, you can create a policy that denies all CodeCommit actions on any repository with the AWS tag key Status and the key value Secret, and then apply that policy to the IAM group you created for general developers (Developers). You then need to make sure that the developers working on those tagged repositories are not members of the general Developers group, but belong instead to a different IAM group (SecretDevelopers) that does not have the restrictive policy applied.

The following example denies all CodeCommit actions on repositories tagged with the key Status and the key value Secret:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "codecommit:*",
      "Resource": "*",
      "Condition": { "StringEquals": { "aws:ResourceTag/Status": "Secret" } }
    }
  ]
}

You can refine this policy further by specifying particular repositories, rather than all repositories, as the resource. You can also create policies that allow CodeCommit actions on all repositories that are not tagged with specific tags. For example, the following policy grants the equivalent of AWSCodeCommitPowerUser permissions for all repositories except those tagged with the specified tags:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codecommit:BatchGetRepositories",
        "codecommit:CreateBranch",
        "codecommit:CreateRepository",
        "codecommit:Get*",
        "codecommit:GitPull",
        "codecommit:GitPush",
        "codecommit:List*",
        "codecommit:Put*",
        "codecommit:TagResource",
        "codecommit:Test*",
        "codecommit:UntagResource",
        "codecommit:Update*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:ResourceTag/Status": "Secret",
          "aws:ResourceTag/Team": "Saanvi"
        }
      }
    }
  ]
}
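The interplay of explicit Deny, IfExists, Null and negated condition operators in Examples 3, 4 and 5 above is easy to get wrong, so the following added example (not AWS code, and not a substitute for the IAM policy simulator) is a small evaluator that models the documented rules: explicit Deny wins, an Allow is otherwise required, a missing context key fails ordinary operators but passes *IfExists and negated ones, and Null checks presence. It replays the page's branch, IP-range and tag policies against constructed request contexts; the ALLOW_ALL policy is a constructed stand-in for a broad managed policy, and action matching is simplified to case-sensitive globbing.

```python
"""Toy IAM-style evaluator for the branch, IP-range and tag policies on this page."""
import fnmatch
import ipaddress

NEGATED = ("StringNotEquals", "NotIpAddress")   # pass when the context key is absent
REPO = "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo"

# Example 4 from the page: deny changes to the main branch of MyDemoRepo.
DENY_MAIN = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny",
    "Action": ["codecommit:GitPush", "codecommit:DeleteBranch", "codecommit:PutFile", "codecommit:Merge*"],
    "Resource": REPO,
    "Condition": {"StringEqualsIfExists": {"codecommit:References": ["refs/heads/main"]},
                  "Null": {"codecommit:References": "false"}}}]}
# Example 3 from the page: deny everything from outside 203.0.113.0/16.
DENY_OUTSIDE_RANGE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": ["codecommit:*"], "Resource": "*",
    "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/16"]}}}]}
# Example 5 from the page (actions shortened): allow Git unless the repository is tagged Status=Secret.
ALLOW_UNLESS_SECRET = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["codecommit:GitPull", "codecommit:GitPush"], "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:ResourceTag/Status": "Secret"}}}]}
# Constructed stand-in for a broad managed policy such as AWSCodeCommitPowerUser.
ALLOW_ALL = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "codecommit:*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_ok(op, key, wanted, ctx):
    """Evaluate one condition operator against the request context (case-sensitive toy)."""
    base = op[:-len("IfExists")] if op.endswith("IfExists") else op
    wanted = _as_list(wanted)
    present = key in ctx
    if base == "Null":  # "false" means the key must be present, "true" that it must be absent
        return present == (wanted[0] == "false")
    if not present:     # missing key: *IfExists and negated operators pass, everything else fails
        return base != op or base in NEGATED
    actual = ctx[key]
    if base == "StringEquals":
        return actual in wanted
    if base == "StringNotEquals":
        return actual not in wanted
    if base == "StringLike":
        return any(fnmatch.fnmatchcase(actual, w) for w in wanted)
    if base in ("IpAddress", "NotIpAddress"):
        # strict=False: the page's 203.0.113.0/16 has host bits set; IAM accepts it as 203.0.0.0/16
        hit = any(ipaddress.ip_address(actual) in ipaddress.ip_network(w, strict=False) for w in wanted)
        return hit if base == "IpAddress" else not hit
    raise ValueError(f"unsupported operator {op}")


def _statement_matches(stmt, action, resource, ctx):
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return all(_condition_ok(op, k, v, ctx)
               for op, kv in stmt.get("Condition", {}).items() for k, v in kv.items())


def evaluate(policies, action, resource, ctx):
    """Return "Deny", "Allow" or "ImplicitDeny" for one request against all attached policies."""
    decision = "ImplicitDeny"
    for pol in policies:
        for stmt in pol["Statement"]:
            if _statement_matches(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "Deny"           # an explicit Deny cannot be overridden
                decision = "Allow"
    return decision


if __name__ == "__main__":
    both = [ALLOW_ALL, DENY_MAIN]
    # The initial GitPush negotiation carries no codecommit:References key and must be allowed.
    print(evaluate(both, "codecommit:GitPush", REPO, {}))
    print(evaluate(both, "codecommit:GitPush", REPO, {"codecommit:References": "refs/heads/main"}))
    print(evaluate(both, "codecommit:GitPush", REPO, {"codecommit:References": "refs/heads/feature"}))
```

Dropping the Null condition from DENY_MAIN makes the first call evaluate to Deny, which is the breakage the page's text warns about.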

Customer managed integration policy examples

This section provides example customer managed user policies that grant permissions for integrations between CodeCommit and other AWS services. For specific examples of policies that allow cross-account access to a CodeCommit repository, see Configure cross-account access to an AWS CodeCommit repository using roles.

Note

All examples use the US West (Oregon) Region (us-west-2) where an AWS Region is required, and contain fictitious account IDs.

Examples

Example 1: Create a policy that allows cross-account access to an Amazon SNS topic

You can configure a CodeCommit repository so that code pushes or other events trigger actions, such as sending a notification from Amazon Simple Notification Service (Amazon SNS). If you create the Amazon SNS topic with the same account that was used to create the CodeCommit repository, you do not need to configure additional IAM policies or permissions. You can create the topic and then create the trigger for the repository. For more information, see Create a trigger for an Amazon SNS topic.

However, if you want to configure the trigger to use an Amazon SNS topic in another AWS account, you must first configure that topic with a policy that allows CodeCommit to publish to it. From that other account, open the Amazon SNS console, choose the topic from the list, and for Other topic actions, choose Edit topic policy. On the Advanced tab, modify the topic's policy to allow CodeCommit to publish to that topic. For example, if the policy is the default policy, you would modify it as follows, changing the items shown in red italic text to match the values for your repository, Amazon SNS topic, and account:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": [
        "sns:Subscribe",
        "sns:ListSubscriptionsByTopic",
        "sns:DeleteTopic",
        "sns:GetTopicAttributes",
        "sns:Publish",
        "sns:RemovePermission",
        "sns:AddPermission",
        "sns:Receive",
        "sns:SetTopicAttributes"
      ],
      "Resource": "arn:aws:sns:us-east-2:111111111111:NotMySNSTopic",
      "Condition": { "StringEquals": { "AWS:SourceOwner": "111111111111" } }
    },
    {
      "Sid": "CodeCommit-Policy_ID",
      "Effect": "Allow",
      "Principal": { "Service": "codecommit.amazonaws.com" },
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:us-east-2:111111111111:NotMySNSTopic",
      "Condition": {
        "StringEquals": {
          "AWS:SourceArn": "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo",
          "AWS:SourceAccount": "111111111111"
        }
      }
    }
  ]
}

Example 2: Create an Amazon Simple Notification Service (Amazon SNS) topic policy to allow Amazon CloudWatch Events to publish CodeCommit events to the topic

You can configure CloudWatch Events to publish to an Amazon SNS topic when events occur, including CodeCommit events. To do so, you must make sure that CloudWatch Events has permission to publish events to your Amazon SNS topic, by creating a policy for the topic or by modifying the topic's existing policy, similar to the following:

{
  "Version": "2012-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": [ "sns:Publish" ],
      "Resource": "arn:aws:sns:us-east-2:123456789012:MyTopic",
      "Condition": { "StringEquals": { "AWS:SourceOwner": "123456789012" } }
    },
    {
      "Sid": "Allow_Publish_Events",
      "Effect": "Allow",
      "Principal": { "Service": "events.amazonaws.com" },
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:us-east-2:123456789012:MyTopic"
    }
  ]
}

For more information about CodeCommit and CloudWatch Events, see CloudWatch Events event examples from supported services. For more information about IAM and the policy language, see IAM JSON policy language grammar.

Example 3: Create a policy for AWS Lambda integration with a CodeCommit trigger

You can configure a CodeCommit repository so that code pushes or other events trigger actions, such as invoking a function in AWS Lambda. For more information, see Create a trigger for a Lambda function. This information is specific to triggers, not to CloudWatch Events.

If you want the trigger to run a Lambda function directly (instead of using an Amazon SNS topic to invoke the Lambda function), and you do not configure the trigger in the Lambda console, you must include a policy similar to the following in the function's resource-based policy:

{
  "Statement": {
    "StatementId": "Id-1",
    "Action": "lambda:InvokeFunction",
    "Principal": "codecommit.amazonaws.com",
    "SourceArn": "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo",
    "SourceAccount": "111111111111"
  }
}
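In both the SNS topic policy of Example 1 and the Lambda permission above, the AWS:SourceArn / AWS:SourceAccount (or SourceArn / SourceAccount) scoping is what stops a CodeCommit repository in some other account from driving your topic or function through the service principal. The following added example, not AWS code, is a small check that flags Allow statements granted to a service principal without source-ARN scoping; it accepts both the standard statement shape and the AddPermission-style shape shown above. The WEAK_SNS_POLICY is a constructed counterexample.

```python
"""Added check: flag service-principal grants in resource-based policies that lack source scoping."""

# SNS topic policy from this page's cross-account example (default statement shortened).
SNS_POLICY = {"Version": "2008-10-17", "Statement": [
    {"Sid": "__default_statement_ID", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["sns:Publish", "sns:Subscribe"],
     "Resource": "arn:aws:sns:us-east-2:111111111111:NotMySNSTopic",
     "Condition": {"StringEquals": {"AWS:SourceOwner": "111111111111"}}},
    {"Sid": "CodeCommit-Policy_ID", "Effect": "Allow",
     "Principal": {"Service": "codecommit.amazonaws.com"}, "Action": "sns:Publish",
     "Resource": "arn:aws:sns:us-east-2:111111111111:NotMySNSTopic",
     "Condition": {"StringEquals": {
         "AWS:SourceArn": "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo",
         "AWS:SourceAccount": "111111111111"}}}]}

# Constructed weak variant: the same grant with the Condition block removed.
WEAK_SNS_POLICY = {"Version": "2008-10-17", "Statement": [
    {"Sid": "CodeCommit-Policy_ID", "Effect": "Allow",
     "Principal": {"Service": "codecommit.amazonaws.com"}, "Action": "sns:Publish",
     "Resource": "arn:aws:sns:us-east-2:111111111111:NotMySNSTopic"}]}

# Lambda permission from this page, in the AddPermission-style shape the page shows.
LAMBDA_PERMISSION = {"Statement": {
    "StatementId": "Id-1", "Action": "lambda:InvokeFunction",
    "Principal": "codecommit.amazonaws.com",
    "SourceArn": "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo",
    "SourceAccount": "111111111111"}}


def _service_principal(stmt):
    """Return the service principal of a statement, or None if the grantee is not a service."""
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        principal = principal.get("Service")
    if isinstance(principal, str) and principal.endswith(".amazonaws.com"):
        return principal
    return None


def _source_scope(stmt):
    """Collect 'sourcearn'/'sourceaccount' scoping from any Condition operator or AddPermission fields."""
    found = set()
    for keys in stmt.get("Condition", {}).values():
        for key in keys:
            name = key.lower()
            if name in ("aws:sourcearn", "aws:sourceaccount"):
                found.add(name.split(":")[1])
    for field in ("SourceArn", "SourceAccount"):
        if field in stmt:
            found.add(field.lower())
    return found


def find_unscoped_service_grants(policy):
    """Return (statement id, service, scoping present) for Allow grants to a service principal
    that carry no source-ARN condition. SourceAccount alone is reported too, since any
    repository in that account could still publish."""
    stmts = policy["Statement"]
    stmts = stmts if isinstance(stmts, list) else [stmts]
    findings = []
    for stmt in stmts:
        if stmt.get("Effect", "Allow") != "Allow":   # AddPermission shape carries no Effect
            continue
        service = _service_principal(stmt)
        if service is None:
            continue
        scope = _source_scope(stmt)
        if "sourcearn" not in scope:
            findings.append((stmt.get("Sid") or stmt.get("StatementId"), service, sorted(scope)))
    return findings


if __name__ == "__main__":
    for name, pol in [("SNS_POLICY", SNS_POLICY), ("WEAK_SNS_POLICY", WEAK_SNS_POLICY),
                      ("LAMBDA_PERMISSION", LAMBDA_PERMISSION)]:
        print(name, find_unscoped_service_grants(pol))
```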

When you manually configure a CodeCommit trigger that invokes a Lambda function, you must also use the Lambda AddPermission command to grant CodeCommit permission to invoke the function. For an example, see the Allow CodeCommit to run a Lambda function section of Create a trigger for an existing Lambda function.

For more information about resource policies for Lambda functions, see AddPermission and The Pull/Push Event Model in the AWS Lambda Developer Guide.