Using identity-based policies (IAM Policies) for CodeCommit - Amazon CodeCommit
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using identity-based policies (IAM Policies) for CodeCommit

The following examples of identity-based policies demonstrate how an account administrator can attach permissions policies to IAM identities (users, groups, and roles) to grant permissions to perform operations on CodeCommit resources.


We recommend that you first review the introductory topics that explain the basic concepts and options available to manage access to your CodeCommit resources. For more information, see Overview of managing access permissions to your CodeCommit resources.

The following is an example of an identity-based permissions policy:

{ "Version": "2012-10-17", "Statement" : [ { "Effect" : "Allow", "Action" : [ "codecommit:BatchGetRepositories" ], "Resource" : [ "arn:aws:codecommit:us-east-2:111111111111:MyDestinationRepo", "arn:aws:codecommit:us-east-2:111111111111:MyDemo*" ] } ] }

This policy has one statement that allows a user to get information about the CodeCommit repository named MyDestinationRepo and all CodeCommit repositories that start with the name MyDemo in the us-east-2 Region.

Permissions required to use the CodeCommit console

To see the required permissions for each CodeCommit API operation, and for more information about CodeCommit operations, see CodeCommit permissions reference.

To allow users to use the CodeCommit console, the administrator must grant them permissions for CodeCommit actions. For example, you could attach the AWSCodeCommitPowerUser managed policy or its equivalent to a user or group.

In addition to permissions granted to users by identity-based policies, CodeCommit requires permissions for Amazon Key Management Service (Amazon KMS) actions. An IAM user does not need explicit Allow permissions for these actions, but the user must not have any policies attached that set the following permissions to Deny:

"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey"

For more information about encryption and CodeCommit, see Amazon KMS and encryption.

Viewing resources in the console

The CodeCommit console requires the ListRepositories permission to display a list of repositories for your Amazon Web Services account in the Amazon Web Services Region where you are signed in. The console also includes a Go to resource function to quickly perform a case insensitive search for resources. This search is performed in your Amazon Web Services account in the Amazon Web Services Region where you are signed in. The following resources are displayed across the following services:

  • Amazon CodeBuild: Build projects

  • Amazon CodeCommit: Repositories

  • Amazon CodeDeploy: Applications

  • Amazon CodePipeline: Pipelines

To perform this search across resources in all services, you must have the following permissions:

  • CodeBuild: ListProjects

  • CodeCommit: ListRepositories

  • CodeDeploy: ListApplications

  • CodePipeline: ListPipelines

Results are not returned for a service's resources if you do not have permissions for that service. Even if you have permissions for viewing resources, specific resources will not be returned if there is an explicit Deny to view those resources.