适用于 CodeCommit 的 Amazon 托管式策略 - Amazon CodeCommit
Amazon 托管式策略:AWSCodeCommitFullAccessAmazon 托管式策略:AWSCodeCommitPowerUserAmazon 托管式策略:AWSCodeCommitReadOnlyCodeCommit 托管式策略和通知Amazon CodeCommit 托管式策略和 Amazon CodeGuru Reviewer策略更新
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

适用于 CodeCommit 的 Amazon 托管式策略

要向用户、组和角色添加权限,与自己编写策略相比,使用 Amazon 托管策略更简单。创建仅为团队提供所需权限的 IAM 客户管理型策略需要时间和专业知识。要快速入门,您可以使用我们的 Amazon 托管策略。这些策略涵盖常见使用案例,可在您的 Amazon Web Services 账户 中使用。有关 Amazon 托管策略的更多信息,请参阅《IAM 用户指南》中的Amazon 托管策略

Amazon 服务负责维护和更新 Amazon 托管式策略。您无法更改 Amazon 托管式策略中的权限。服务偶尔会向 Amazon 托管策略添加额外权限以支持新特征。此类更新会影响附加策略的所有身份(用户、组和角色)。当启动新特征或新操作可用时,服务最有可能会更新 Amazon 托管策略。服务不会从 Amazon 托管策略中删除权限,因此策略更新不会破坏您的现有权限。

此外,Amazon 还支持跨多种服务的工作职能的托管策略。例如,ReadOnlyAccess Amazon 托管式策略提供对所有 Amazon 服务和资源的只读访问权限。当服务启动新特征时,Amazon 会为新操作和资源添加只读权限。有关工作职能策略的列表和说明,请参阅《IAM 用户指南》中的适用于工作职能的 Amazon 托管策略

Amazon 通过提供由 Amazon 创建和管理的独立 IAM 策略来满足许多常用案例的要求。这些 Amazon 托管策略将授予针对常用案例的必要权限。CodeCommit 的托管式策略还提供在其他服务(如 IAM、Amazon SNS 和 Amazon CloudWatch Events)中执行操作的权限,这是授予了相关策略的用户职责所必需的。例如,AWSCodeCommitFullAccess 策略是管理级用户策略,允许具有此策略的用户为存储库创建和管理 CloudWatch Events 规则(名称前缀为 codecommit 的规则),并为存储库相关事件通知创建和管理 Amazon SNS 主题(名称前缀为 codecommit 的主题),以及在 CodeCommit 中管理存储库。

以下 Amazon 托管式策略(可附加到账户中的用户)专门用于 CodeCommit。

Amazon 托管式策略:AWSCodeCommitFullAccess

您可以将 AWSCodeCommitFullAccess 策略附加到 IAM 身份。此策略授予对 CodeCommit 的完全访问权限。仅将此策略应用于您希望向其授予对 CodeCommit 存储库及您的 Amazon Web Services 账户中相关资源的完全控制权限(包括删除存储库的能力)的管理级用户。

AWSCodeCommitFullAccess 策略包含以下策略声明:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "codecommit:*"
          ],
          "Resource": "*"
        },
        {
          "Sid": "CloudWatchEventsCodeCommitRulesAccess",
          "Effect": "Allow",
          "Action": [
            "events:DeleteRule",
            "events:DescribeRule",
            "events:DisableRule",
            "events:EnableRule",
            "events:PutRule",
            "events:PutTargets",
            "events:RemoveTargets",
            "events:ListTargetsByRule"
          ],
          "Resource": "arn:aws:events:*:*:rule/codecommit*"
        },
        {
          "Sid": "SNSTopicAndSubscriptionAccess",
          "Effect": "Allow",
          "Action": [
            "sns:CreateTopic",
            "sns:DeleteTopic",
            "sns:Subscribe",
            "sns:Unsubscribe",
            "sns:SetTopicAttributes"
          ],
          "Resource": "arn:aws:sns:*:*:codecommit*"
        },
        {
          "Sid": "SNSTopicAndSubscriptionReadAccess",
          "Effect": "Allow",
          "Action": [
            "sns:ListTopics",
            "sns:ListSubscriptionsByTopic",
            "sns:GetTopicAttributes"
          ],
          "Resource": "*"
        },
        {
          "Sid": "LambdaReadOnlyListAccess",
          "Effect": "Allow",
          "Action": [
            "lambda:ListFunctions"
          ],
          "Resource": "*"
        },
        {
          "Sid": "IAMReadOnlyListAccess",
          "Effect": "Allow",
          "Action": [
            "iam:ListUsers"
          ],
          "Resource": "*"
        },
        {
          "Sid": "IAMReadOnlyConsoleAccess",
          "Effect": "Allow",
          "Action": [
            "iam:ListAccessKeys",
            "iam:ListSSHPublicKeys",
            "iam:ListServiceSpecificCredentials"
          ],
          "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
          "Sid": "IAMUserSSHKeys",
          "Effect": "Allow",
          "Action": [
            "iam:DeleteSSHPublicKey",
            "iam:GetSSHPublicKey",
            "iam:ListSSHPublicKeys",
            "iam:UpdateSSHPublicKey",
            "iam:UploadSSHPublicKey"
          ],
          "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
          "Sid": "IAMSelfManageServiceSpecificCredentials",
          "Effect": "Allow",
          "Action": [
            "iam:CreateServiceSpecificCredential",
            "iam:UpdateServiceSpecificCredential",
            "iam:DeleteServiceSpecificCredential",
            "iam:ResetServiceSpecificCredential"
          ],
          "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
          "Sid": "CodeStarNotificationsReadWriteAccess",
          "Effect": "Allow",
          "Action": [
            "codestar-notifications:CreateNotificationRule",
            "codestar-notifications:DescribeNotificationRule",
            "codestar-notifications:UpdateNotificationRule",
            "codestar-notifications:DeleteNotificationRule",
            "codestar-notifications:Subscribe",
            "codestar-notifications:Unsubscribe"
          ],
          "Resource": "*",
          "Condition": {
            "StringLike": {
              "codestar-notifications:NotificationsForResource": "arn:aws:codecommit:*"
            }
          }
        },
        {
          "Sid": "CodeStarNotificationsListAccess",
          "Effect": "Allow",
          "Action": [
            "codestar-notifications:ListNotificationRules",
            "codestar-notifications:ListTargets",
            "codestar-notifications:ListTagsforResource",
            "codestar-notifications:ListEventTypes"
          ],
          "Resource": "*"
        },
        {
          "Sid": "CodeStarNotificationsSNSTopicCreateAccess",
          "Effect": "Allow",
          "Action": [
            "sns:CreateTopic",
            "sns:SetTopicAttributes"
          ],
          "Resource": "arn:aws:sns:*:*:codestar-notifications*"
        },
        {
          "Sid": "AmazonCodeGuruReviewerFullAccess",
          "Effect": "Allow",
          "Action": [
            "codeguru-reviewer:AssociateRepository",
            "codeguru-reviewer:DescribeRepositoryAssociation",
            "codeguru-reviewer:ListRepositoryAssociations",
            "codeguru-reviewer:DisassociateRepository",
            "codeguru-reviewer:DescribeCodeReview",
            "codeguru-reviewer:ListCodeReviews"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AmazonCodeGuruReviewerSLRCreation",
          "Action": "iam:CreateServiceLinkedRole",
          "Effect": "Allow",
          "Resource": "arn:aws:iam::*:role/aws-service-role/codeguru-reviewer.amazonaws.com/AWSServiceRoleForAmazonCodeGuruReviewer",
          "Condition": {
            "StringLike": {
              "iam:AWSServiceName": "codeguru-reviewer.amazonaws.com"
            }
          }
        },
        {
          "Sid": "CloudWatchEventsManagedRules",
          "Effect": "Allow",
          "Action": [
            "events:PutRule",
            "events:PutTargets",
            "events:DeleteRule",
            "events:RemoveTargets"
          ],
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "events:ManagedBy": "codeguru-reviewer.amazonaws.com"
            }
          }
        },
        {
          "Sid": "CodeStarNotificationsChatbotAccess",
          "Effect": "Allow",
          "Action": [
            "chatbot:DescribeSlackChannelConfigurations",
            "chatbot:ListMicrosoftTeamsChannelConfigurations"
          ],
          "Resource": "*"
        },
        {
            "Sid": "CodeStarConnectionsReadOnlyAccess",
            "Effect": "Allow",
            "Action": [
                "codestar-connections:ListConnections",
                "codestar-connections:GetConnection"
            ],
            "Resource": "arn:aws:codestar-connections:*:*:connection/*"
        }
      ]
    }

Amazon 托管式策略:AWSCodeCommitPowerUser

您可以将 AWSCodeCommitPowerUser 策略附加到您的 IAM 身份。此策略允许用户访问 CodeCommit 的所有功能和存储库相关资源,但不允许用户删除 CodeCommit 存储库或在其他 Amazon 服务(如 Amazon CloudWatch Events)中创建或删除存储库相关资源。建议对大多数用户应用此策略。

AWSCodeCommitPowerUser 策略包含以下策略声明:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "codecommit:AssociateApprovalRuleTemplateWithRepository",
            "codecommit:BatchAssociateApprovalRuleTemplateWithRepositories",
            "codecommit:BatchDisassociateApprovalRuleTemplateFromRepositories",
            "codecommit:BatchGet*",
            "codecommit:BatchDescribe*",
            "codecommit:Create*",
            "codecommit:DeleteBranch",
            "codecommit:DeleteFile",
            "codecommit:Describe*",
            "codecommit:DisassociateApprovalRuleTemplateFromRepository",
            "codecommit:EvaluatePullRequestApprovalRules",
            "codecommit:Get*",
            "codecommit:List*",
            "codecommit:Merge*",
            "codecommit:OverridePullRequestApprovalRules",
            "codecommit:Put*",
            "codecommit:Post*",
            "codecommit:TagResource",
            "codecommit:Test*",
            "codecommit:UntagResource",
            "codecommit:Update*",
            "codecommit:GitPull",
            "codecommit:GitPush"
          ],
          "Resource": "*"
        },
        {
          "Sid": "CloudWatchEventsCodeCommitRulesAccess",
          "Effect": "Allow",
          "Action": [
            "events:DeleteRule",
            "events:DescribeRule",
            "events:DisableRule",
            "events:EnableRule",
            "events:PutRule",
            "events:PutTargets",
            "events:RemoveTargets",
            "events:ListTargetsByRule"
          ],
          "Resource": "arn:aws:events:*:*:rule/codecommit*"
        },
        {
          "Sid": "SNSTopicAndSubscriptionAccess",
          "Effect": "Allow",
          "Action": [
            "sns:Subscribe",
            "sns:Unsubscribe"
          ],
          "Resource": "arn:aws:sns:*:*:codecommit*"
        },
        {
          "Sid": "SNSTopicAndSubscriptionReadAccess",
          "Effect": "Allow",
          "Action": [
            "sns:ListTopics",
            "sns:ListSubscriptionsByTopic",
            "sns:GetTopicAttributes"
          ],
          "Resource": "*"
        },
        {
          "Sid": "LambdaReadOnlyListAccess",
          "Effect": "Allow",
          "Action": [
            "lambda:ListFunctions"
          ],
          "Resource": "*"
        },
        {
          "Sid": "IAMReadOnlyListAccess",
          "Effect": "Allow",
          "Action": [
            "iam:ListUsers"
          ],
          "Resource": "*"
        },
        {
          "Sid": "IAMReadOnlyConsoleAccess",
          "Effect": "Allow",
          "Action": [
            "iam:ListAccessKeys",
            "iam:ListSSHPublicKeys",
            "iam:ListServiceSpecificCredentials"
          ],
          "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
          "Sid": "IAMUserSSHKeys",
          "Effect": "Allow",
          "Action": [
            "iam:DeleteSSHPublicKey",
            "iam:GetSSHPublicKey",
            "iam:ListSSHPublicKeys",
            "iam:UpdateSSHPublicKey",
            "iam:UploadSSHPublicKey"
          ],
          "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
          "Sid": "IAMSelfManageServiceSpecificCredentials",
          "Effect": "Allow",
          "Action": [
            "iam:CreateServiceSpecificCredential",
            "iam:UpdateServiceSpecificCredential",
            "iam:DeleteServiceSpecificCredential",
            "iam:ResetServiceSpecificCredential"
          ],
          "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
          "Sid": "CodeStarNotificationsReadWriteAccess",
          "Effect": "Allow",
          "Action": [
            "codestar-notifications:CreateNotificationRule",
            "codestar-notifications:DescribeNotificationRule",
            "codestar-notifications:UpdateNotificationRule",
            "codestar-notifications:Subscribe",
            "codestar-notifications:Unsubscribe"
          ],
          "Resource": "*",
          "Condition": {
            "StringLike": {
              "codestar-notifications:NotificationsForResource": "arn:aws:codecommit:*"
            }
          }
        },
        {
          "Sid": "CodeStarNotificationsListAccess",
          "Effect": "Allow",
          "Action": [
            "codestar-notifications:ListNotificationRules",
            "codestar-notifications:ListTargets",
            "codestar-notifications:ListTagsforResource",
            "codestar-notifications:ListEventTypes"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AmazonCodeGuruReviewerFullAccess",
          "Effect": "Allow",
          "Action": [
            "codeguru-reviewer:AssociateRepository",
            "codeguru-reviewer:DescribeRepositoryAssociation",
            "codeguru-reviewer:ListRepositoryAssociations",
            "codeguru-reviewer:DisassociateRepository",
            "codeguru-reviewer:DescribeCodeReview",
            "codeguru-reviewer:ListCodeReviews"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AmazonCodeGuruReviewerSLRCreation",
          "Action": "iam:CreateServiceLinkedRole",
          "Effect": "Allow",
          "Resource": "arn:aws:iam::*:role/aws-service-role/codeguru-reviewer.amazonaws.com/AWSServiceRoleForAmazonCodeGuruReviewer",
          "Condition": {
            "StringLike": {
              "iam:AWSServiceName": "codeguru-reviewer.amazonaws.com"
            }
          }
        },
        {
          "Sid": "CloudWatchEventsManagedRules",
          "Effect": "Allow",
          "Action": [
            "events:PutRule",
            "events:PutTargets",
            "events:DeleteRule",
            "events:RemoveTargets"
          ],
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "events:ManagedBy": "codeguru-reviewer.amazonaws.com"
            }
          }
        },
        {
          "Sid": "CodeStarNotificationsChatbotAccess",
          "Effect": "Allow",
          "Action": [
            "chatbot:DescribeSlackChannelConfigurations",
            "chatbot:ListMicrosoftTeamsChannelConfigurations"
          ],
          "Resource": "*"
        },
        {
            "Sid": "CodeStarConnectionsReadOnlyAccess",
            "Effect": "Allow",
            "Action": [
                "codestar-connections:ListConnections",
                "codestar-connections:GetConnection"
            ],
            "Resource": "arn:aws:codestar-connections:*:*:connection/*"
        }
      ]
    }

Amazon 托管式策略:AWSCodeCommitReadOnly

您可以将 AWSCodeCommitReadOnly 策略附加到 IAM 身份。该策略授予对 CodeCommit 和其他 Amazon 服务中存储库相关资源的只读访问权限,以及创建和管理他们自己的 CodeCommit 相关资源(如供 IAM 用户访问存储库时使用的 Git 凭证和 SSH 密钥)的权限。针对希望向其授予读取存储库内容的能力但不能对内容进行任何更改的用户,应用此策略。

AWSCodeCommitReadOnly 策略包含以下策略声明:

    { 
       "Version":"2012-10-17",
       "Statement":[ 
          { 
             "Effect":"Allow",
             "Action":[ 
                "codecommit:BatchGet*",
                "codecommit:BatchDescribe*",
                "codecommit:Describe*",
                "codecommit:EvaluatePullRequestApprovalRules",
                "codecommit:Get*",
                "codecommit:List*",
                "codecommit:GitPull"
             ],
             "Resource":"*"
          },
          { 
             "Sid":"CloudWatchEventsCodeCommitRulesReadOnlyAccess",
             "Effect":"Allow",
             "Action":[ 
                "events:DescribeRule",
                "events:ListTargetsByRule"
             ],
             "Resource":"arn:aws:events:*:*:rule/codecommit*"
          },
          { 
             "Sid":"SNSSubscriptionAccess",
             "Effect":"Allow",
             "Action":[ 
                "sns:ListTopics",
                "sns:ListSubscriptionsByTopic",
                "sns:GetTopicAttributes"
             ],
             "Resource":"*"
          },
          { 
             "Sid":"LambdaReadOnlyListAccess",
             "Effect":"Allow",
             "Action":[ 
                "lambda:ListFunctions"
             ],
             "Resource":"*"
          },
          { 
             "Sid":"IAMReadOnlyListAccess",
             "Effect":"Allow",
             "Action":[ 
                "iam:ListUsers"
             ],
             "Resource":"*"
          },
          { 
             "Sid":"IAMReadOnlyConsoleAccess",
             "Effect":"Allow",
             "Action":[ 
                "iam:ListAccessKeys",
                "iam:ListSSHPublicKeys",
                "iam:ListServiceSpecificCredentials",
                "iam:GetSSHPublicKey"
             ],
             "Resource":"arn:aws:iam::*:user/${aws:username}"
          },
          { 
             "Sid":"CodeStarNotificationsReadOnlyAccess",
             "Effect":"Allow",
             "Action":[ 
                "codestar-notifications:DescribeNotificationRule"
             ],
             "Resource":"*",
             "Condition":{ 
                "StringLike":{ 
                   "codestar-notifications:NotificationsForResource":"arn:aws:codecommit:*"
                }
             }
          },
          { 
             "Sid":"CodeStarNotificationsListAccess",
             "Effect":"Allow",
             "Action":[ 
                "codestar-notifications:ListNotificationRules",
                "codestar-notifications:ListEventTypes",
                "codestar-notifications:ListTargets"
             ],
             "Resource":"*"
          },
          {
             "Sid": "AmazonCodeGuruReviewerReadOnlyAccess",
             "Effect": "Allow",
             "Action": [
                "codeguru-reviewer:DescribeRepositoryAssociation",
                "codeguru-reviewer:ListRepositoryAssociations",
                "codeguru-reviewer:DescribeCodeReview",
                "codeguru-reviewer:ListCodeReviews"
             ],
             "Resource": "*"
          },
          {
            "Sid": "CodeStarConnectionsReadOnlyAccess",
            "Effect": "Allow",
            "Action": [
                "codestar-connections:ListConnections",
                "codestar-connections:GetConnection"
            ],
            "Resource": "arn:aws:codestar-connections:*:*:connection/*"
        }
    ]
}

CodeCommit 托管式策略和通知

Amazon CodeCommit 支持通知功能,可以向用户通知存储库的重要更改。CodeCommit 的托管式策略包含通知功能的策略语句。有关更多信息,请参阅什么是通知?

完全访问托管策略中的通知的相关权限

AWSCodeCommitFullAccess 托管策略包含以下语句,以允许对通知进行完全访问。应用此托管策略的用户还可以创建和管理用于通知的 Amazon SNS 主题、为用户订阅和取消订阅主题、列出要选择作为通知规则目标的主题,以及列出为 Slack 配置的 Amazon Chatbot 客户端。

    {
        "Sid": "CodeStarNotificationsReadWriteAccess",
        "Effect": "Allow",
        "Action": [
            "codestar-notifications:CreateNotificationRule",
            "codestar-notifications:DescribeNotificationRule",
            "codestar-notifications:UpdateNotificationRule",
            "codestar-notifications:DeleteNotificationRule",
            "codestar-notifications:Subscribe",
            "codestar-notifications:Unsubscribe"
        ],
        "Resource": "*",
        "Condition" : {
            "StringLike" : {"codestar-notifications:NotificationsForResource" : "arn:aws:codecommit:*"} 
        }
    },    
    {
        "Sid": "CodeStarNotificationsListAccess",
        "Effect": "Allow",
        "Action": [
            "codestar-notifications:ListNotificationRules",
            "codestar-notifications:ListTargets",
            "codestar-notifications:ListTagsforResource,"
            "codestar-notifications:ListEventTypes"
        ],
        "Resource": "*"
    },
    {
        "Sid": "CodeStarNotificationsSNSTopicCreateAccess",
        "Effect": "Allow",
        "Action": [
            "sns:CreateTopic",
            "sns:SetTopicAttributes"
        ],
        "Resource": "arn:aws:sns:*:*:codestar-notifications*"
    },
    {
        "Sid": "CodeStarNotificationsChatbotAccess",
        "Effect": "Allow",
        "Action": [
            "chatbot:DescribeSlackChannelConfigurations",
            "chatbot:ListMicrosoftTeamsChannelConfigurations"
          ],
       "Resource": "*"
    }

只读托管策略中的通知的相关权限

AWSCodeCommitReadOnlyAccess 托管策略包含以下语句,以允许对通知进行只读访问。应用此托管策略的用户可以查看资源的通知,但无法创建、管理或订阅这些通知。

   {
        "Sid": "CodeStarNotificationsPowerUserAccess",
        "Effect": "Allow",
        "Action": [
            "codestar-notifications:DescribeNotificationRule"
        ],
        "Resource": "*",
        "Condition" : {
            "StringLike" : {"codestar-notifications:NotificationsForResource" : "arn:aws:codecommit:*"} 
        }
    },    
    {
        "Sid": "CodeStarNotificationsListAccess",
        "Effect": "Allow",
        "Action": [
            "codestar-notifications:ListNotificationRules",
            "codestar-notifications:ListEventTypes",
            "codestar-notifications:ListTargets"
        ],
        "Resource": "*"
    }

其他托管策略中的通知的相关权限

AWSCodeCommitPowerUser 托管策略包含以下语句,以允许用户创建、编辑和订阅通知。用户无法删除通知规则或管理资源的标签。

    {
        "Sid": "CodeStarNotificationsReadWriteAccess",
        "Effect": "Allow",
        "Action": [
            "codestar-notifications:CreateNotificationRule",
            "codestar-notifications:DescribeNotificationRule",
            "codestar-notifications:UpdateNotificationRule",
            "codestar-notifications:DeleteNotificationRule",
            "codestar-notifications:Subscribe",
            "codestar-notifications:Unsubscribe"
        ],
        "Resource": "*",
        "Condition" : {
            "StringLike" : {"codestar-notifications:NotificationsForResource" : "arn:aws:codecommit*"} 
        }
    },    
    {
        "Sid": "CodeStarNotificationsListAccess",
        "Effect": "Allow",
        "Action": [
            "codestar-notifications:ListNotificationRules",
            "codestar-notifications:ListTargets",
            "codestar-notifications:ListTagsforResource",
            "codestar-notifications:ListEventTypes"
        ],
        "Resource": "*"
    },
    {
        "Sid": "SNSTopicListAccess",
        "Effect": "Allow",
        "Action": [
            "sns:ListTopics"
        ],
        "Resource": "*"
    },
    {
        "Sid": "CodeStarNotificationsChatbotAccess",
        "Effect": "Allow",
        "Action": [
            "chatbot:DescribeSlackChannelConfigurations",
            "chatbot:ListMicrosoftTeamsChannelConfigurations"
          ],
       "Resource": "*"
    }

有关 IAM 和通知的更多信息,请参阅 AWS CodeStar 通知的身份和访问管理

Amazon CodeCommit 托管式策略和 Amazon CodeGuru Reviewer

CodeCommit 支持 Amazon CodeGuru Reviewer,后者是一项自动代码审查服务,它使用程序分析和机器学习来检测 Java 或 Python 代码中的常见问题并提供修复建议。CodeCommit 托管式策略包含针对 CodeGuru Reviewer 功能的策略语句。有关更多信息,请参阅什么是 Amazon CodeGuru Reviewer

AWSCodeCommitFullAccess 中与 CodeGuru Reviewer 相关的权限

AWSCodeCommitFullAccess 托管式策略包含以下语句,以允许将 CodeGuru Reviewer 与 CodeCommit 存储库关联和取消关联。应用此托管式策略的用户还可以查看 CodeCommit 存储库与 CodeGuru Reviewer 之间的关联状态,并查看拉取请求的审核作业状态。

    {
      "Sid": "AmazonCodeGuruReviewerFullAccess",
      "Effect": "Allow",
      "Action": [
        "codeguru-reviewer:AssociateRepository",
        "codeguru-reviewer:DescribeRepositoryAssociation",
        "codeguru-reviewer:ListRepositoryAssociations",
        "codeguru-reviewer:DisassociateRepository",
        "codeguru-reviewer:DescribeCodeReview",
        "codeguru-reviewer:ListCodeReviews"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonCodeGuruReviewerSLRCreation",
      "Action": "iam:CreateServiceLinkedRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/aws-service-role/codeguru-reviewer.amazonaws.com/AWSServiceRoleForAmazonCodeGuruReviewer",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "codeguru-reviewer.amazonaws.com"
        }
      }
    },
    {
      "Sid": "CloudWatchEventsManagedRules",
      "Effect": "Allow",
      "Action": [
        "events:PutRule",
        "events:PutTargets",
        "events:DeleteRule",
        "events:RemoveTargets"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "events:ManagedBy": "codeguru-reviewer.amazonaws.com"
        }
      }
    }

AWSCodeCommitPowerUser 中与 CodeGuru Reviewer 相关的权限

AWSCodeCommitPowerUser 托管式策略包含以下语句,以允许用户将存储库与 CodeGuru 关联和取消关联,并查看拉取请求的审核作业状态。

    {
      "Sid": "AmazonCodeGuruReviewerFullAccess",
      "Effect": "Allow",
      "Action": [
        "codeguru-reviewer:AssociateRepository",
        "codeguru-reviewer:DescribeRepositoryAssociation",
        "codeguru-reviewer:ListRepositoryAssociations",
        "codeguru-reviewer:DisassociateRepository",
        "codeguru-reviewer:DescribeCodeReview",
        "codeguru-reviewer:ListCodeReviews"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonCodeGuruReviewerSLRCreation",
      "Action": "iam:CreateServiceLinkedRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/aws-service-role/codeguru-reviewer.amazonaws.com/AWSServiceRoleForAmazonCodeGuruReviewer",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "codeguru-reviewer.amazonaws.com"
        }
      }
    },
    {
      "Sid": "CloudWatchEventsManagedRules",
      "Effect": "Allow",
      "Action": [
        "events:PutRule",
        "events:PutTargets",
        "events:DeleteRule",
        "events:RemoveTargets"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "events:ManagedBy": "codeguru-reviewer.amazonaws.com"
        }
      }
    }

AWSCodeCommitReadOnly 中与 CodeGuru Reviewer 相关的权限

AWSCodeCommitReadOnlyAccess 托管式策略包括以下语句,允许对 CodeGuru Reviewer 关联状态进行只读访问并查看拉取请求的审核作业状态。应用了此托管策略的用户无法关联或取消关联存储库。

     {
      "Sid": "AmazonCodeGuruReviewerReadOnlyAccess",
      "Effect": "Allow",
      "Action": [
            "codeguru-reviewer:DescribeRepositoryAssociation",
            "codeguru-reviewer:ListRepositoryAssociations",
            "codeguru-reviewer:DescribeCodeReview",
            "codeguru-reviewer:ListCodeReviews"
      ],
      "Resource": "*"
    }

Amazon CodeGuru Reviewer 服务相关角色

当您将存储库与 CodeGuru Reviewer 关联时,系统会创建一个服务相关角色,以便 CodeGuru Reviewer 能检测拉取请求中 Java 或 Python 代码的问题并提供修复建议。该服务相关角色命名为 AWSServiceRoleForAmazonCodeGuruReviewer。有关更多信息,请参阅使用面向 Amazon CodeGuru Reviewer 的服务相关角色

有关更多信息,请参阅《IAM 用户指南》中的 Amazon 托管策略

CodeCommit 对 Amazon 托管式策略的更新

查看有关自此服务开始跟踪这些更改起,CodeCommit 的 Amazon 托管式策略更新的详细信息。要获得有关此页面更改的自动提示,请订阅 Amazon CodeCommit 用户指南文档历史记录 的 RSS 源。

更改 说明 日期

Amazon 托管式策略:AWSCodeCommitFullAccessAmazon 托管式策略:AWSCodeCommitPowerUser:对现有策略的更新

CodeCommit 为这些策略增加了一项权限,以支持使用 Amazon Chatbot 的额外通知类型。

AWSCodeCommitPowerUser 和 AWSCodeCommitFullAccess 策略已更改,增加了一项权限 chatbot:ListMicrosoftTeamsChannelConfigurations

 2023 年 5 月 16 日

Amazon 托管式策略:AWSCodeCommitReadOnly – 现有策略更新

CodeCommit 从策略中删除了一个重复的权限。

AWSCodeCommitReadOnly 已更改,删除了一个重复权限 "iam:ListAccessKeys"

 2021 年 8 月 18 日

CodeCommit 开始跟踪更改

CodeCommit 为其 Amazon 托管式策略开启了跟踪更改。

 2021 年 8 月 18 日