Amazon CodeCommit is no longer available to new customers. Existing customers of
Amazon CodeCommit can continue to use the service as normal.
Customer managed policy examples
You can create your own custom IAM policies to allow permissions for CodeCommit actions and resources. You can attach these custom policies to the IAM users or groups that require those permissions. You can also create your own custom IAM policies for integration between CodeCommit and other Amazon services.
Customer managed identity policy examples
The following example IAM policies grant permissions for various CodeCommit actions. Use them to limit CodeCommit access for your IAM users and roles. These policies control the ability to perform actions with the CodeCommit console, API, Amazon SDKs, or the Amazon CLI.
Note
All examples contain fictitious account IDs and, except where a policy states a different Region, use the US West (Oregon) Region (us-west-2).
Examples
Example 1: Allow a user to perform CodeCommit operations in a single Amazon Web Services Region
The following permissions policy uses a wildcard character ("codecommit:*") to allow users to perform all CodeCommit actions in the us-east-2 Region and not from other Amazon Web Services Regions.
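The policy described above, written out as an added example (it is not the page's own listing). It uses the global condition key aws:RequestedRegion rather than a Region-qualified ARN in Resource, because actions such as ListRepositories and CreateRepository do not take a repository ARN and would never match a Region-scoped resource pattern; the Sid is an assumed label.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAllCodeCommitActionsOnlyInUsEast2",
      "Effect": "Allow",
      "Action": "codecommit:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "us-east-2"
        }
      }
    }
  ]
}
```

Check the effect from the CLI with a different Region, for example aws codecommit list-repositories --region us-west-2, which should fail with AccessDeniedException while the same call with --region us-east-2 succeeds. In the China Regions the ARN partition is aws-cn; that does not affect this policy because it names no ARN.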
Example 2: Allow a user to use Git for a single repository
In CodeCommit, the GitPull IAM policy permission applies to any Git client command where data is retrieved from CodeCommit, including git fetch, git clone, and so on. Similarly, the GitPush IAM policy permission applies to any Git client command where data is sent to CodeCommit. For example, if the GitPush IAM policy permission is set to Allow, a user can push the deletion of a branch using the Git protocol. That push is unaffected by any permissions applied to the DeleteBranch operation for that IAM user. The DeleteBranch permission applies to actions performed with the console, the Amazon CLI, the SDKs, and the API, but not the Git protocol.
The following example allows the specified user to pull from, and push to, the CodeCommit repository named MyDemoRepo:
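The repository-scoped Git policy described above, written out as an added example rather than the page's own listing. The account ID 111111111111 and the Region us-west-2 in the ARN are assumptions; the Sid is an assumed label.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGitPullAndPushToMyDemoRepo",
      "Effect": "Allow",
      "Action": [
        "codecommit:GitPull",
        "codecommit:GitPush"
      ],
      "Resource": "arn:aws:codecommit:us-west-2:111111111111:MyDemoRepo"
    }
  ]
}
```

Because Resource names a single repository ARN, a git clone of any other repository in the account fails at the credential check. Remember the point made above: this policy lets the user run git push --delete against any branch of MyDemoRepo, and a Deny on codecommit:DeleteBranch would not stop that; restricting Git pushes to particular branches needs the codecommit:References condition shown in Example 4.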
Example 3: Allow a user connecting from a specified IP address range access to a repository
You can create a policy that only allows users to connect to a CodeCommit repository if their IP address is within a certain IP address range. There are two equally valid approaches to this. You can create a Deny policy that disallows CodeCommit operations if the IP address for the user is not within a specific block, or you can create an Allow policy that allows CodeCommit operations if the IP address for the user is within a specific block.
You can create a Deny policy that denies access to all users who are not within a certain IP range. For example, you could attach the AWSCodeCommitPowerUser managed policy and a customer-managed policy to all users who require access to your repository. The following example policy denies all CodeCommit permissions to users whose IP addresses are not within the specified IP address block of 203.0.113.0/16:
The following example policy allows the specified user to access a CodeCommit repository named MyDemoRepo with the equivalent permissions of the AWSCodeCommitPowerUser managed policy only if their IP address is within the specified address block of 203.0.113.0/16:
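The Deny form of the address-range restriction described in this example, written out as an added example rather than the page's own listing. Two assumptions: the address block is written as 203.0.113.0/24, the aligned documentation prefix, because 203.0.113.0/16 has bits set below the 16-bit mask and does not describe the block the text appears to intend; and the Sid is an assumed label.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCodeCommitFromOutsideApprovedRange",
      "Effect": "Deny",
      "Action": "codecommit:*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "203.0.113.0/24"
          ]
        }
      }
    }
  ]
}
```

Attach this alongside AWSCodeCommitPowerUser and the explicit Deny wins whenever the caller's address is outside the block. The Allow form swaps Effect to Allow, uses the IpAddress operator instead of NotIpAddress, and lists the actions you want to grant in Action; it then stands on its own without a managed policy. Two caveats apply to both forms: aws:SourceIp is the public address the service endpoint sees, so users behind NAT must be matched by the NAT address, and the key is not present for requests that arrive through a VPC interface endpoint, so this Deny blocks those requests unless you also take aws:VpcSourceIp or aws:SourceVpce into account.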
Example 4: Deny or allow actions on branches
You can create a policy that denies users permissions to actions you specify on one or more branches. Alternatively, you can create a policy that allows actions on one or more branches that they might not otherwise have in other branches of a repository. You can use these policies with the appropriate managed (predefined) policies. For more information, see Limit pushes and merges to branches in Amazon CodeCommit.
For example, you can create a Deny policy that denies users the ability to make changes to a branch named main, including deleting that branch, in a repository named MyDemoRepo. You can use this policy with the AWSCodeCommitPowerUser managed policy. Users with these two policies applied would be able to create and delete branches, create pull requests, and perform all other actions allowed by AWSCodeCommitPowerUser, but they would not be able to push changes to the branch named main, add or edit a file in the main branch in the CodeCommit console, or merge branches or a pull request into the main branch. Because the Deny is applied to GitPush, you must include a Null condition in the statement, so that the initial GitPush authorization call (which carries no branch references) is not denied when users push from their local repos; the branch references are evaluated on the second call.
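The branch-protection Deny described above, written out as an added example rather than the page's own listing. The account ID 111111111111 and Region us-west-2 in the ARN are assumptions, as is the Sid; the action list covers the Git push, console file edit, branch deletion and merge paths the text names.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyChangesToMainInMyDemoRepo",
      "Effect": "Deny",
      "Action": [
        "codecommit:GitPush",
        "codecommit:DeleteBranch",
        "codecommit:PutFile",
        "codecommit:Merge*"
      ],
      "Resource": "arn:aws:codecommit:us-west-2:111111111111:MyDemoRepo",
      "Condition": {
        "StringEqualsIfExists": {
          "codecommit:References": [
            "refs/heads/main"
          ]
        },
        "Null": {
          "codecommit:References": "false"
        }
      }
    }
  ]
}
```

The two condition blocks are ANDed. A push is authorized in two steps: the first GitPush call carries no codecommit:References key, and the second carries the refs being updated. StringEqualsIfExists alone evaluates true when the key is absent, which would make the Deny match the first call and block every push to the repository; the Null condition ("false" meaning the key must be present) confines the Deny to the second call, where the refs are known. To verify, push a commit to a feature branch (accepted) and then to main (rejected with a 403 from the remote); git push --delete origin main is rejected the same way because it is a GitPush whose reference is refs/heads/main.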
Tip
If you want to create a policy that applies to all branches named main in all repositories in your Amazon Web Services account, for Resource, specify an asterisk (*) instead of a repository ARN.
The following example policy allows a user to make changes to a branch named main in all repositories in an Amazon Web Services account. It does not allow changes to any other branches. You might use this policy with the AWSCodeCommitReadOnly managed policy to allow automated pushes to the repository in the main branch. Because the Effect is Allow, this example policy would not work with managed policies such as AWSCodeCommitPowerUser: that policy already allows pushes to every branch, and an additional Allow scoped to main neither narrows it nor removes access to the other branches.
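The Allow form described above, written out as an added example rather than the page's own listing. The Sid is an assumed label, and the action list (Git push, console file edit, and the merge actions) is an assumption about what "make changes" should cover for an automation role.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowChangesOnlyToMainInAllRepositories",
      "Effect": "Allow",
      "Action": [
        "codecommit:GitPush",
        "codecommit:PutFile",
        "codecommit:Merge*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEqualsIfExists": {
          "codecommit:References": [
            "refs/heads/main"
          ]
        }
      }
    }
  ]
}
```

Here no Null condition is needed: the reference-less first GitPush call must be allowed, and StringEqualsIfExists does exactly that when the key is absent, while the second call is allowed only if every updated ref is refs/heads/main. Pair it with AWSCodeCommitReadOnly so the role can still clone and fetch; on its own the role could push but not read.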
Example 5: Deny or allow actions on repositories with tags
You can create a policy that allows or denies actions on repositories
based on the Amazon tags associated with those repositories, and then apply
those policies to the IAM groups you configure for managing IAM users.
For example, you can create a policy that denies all CodeCommit actions on any repositories with the Amazon tag key Status and the key value of Secret, and then apply that policy to the IAM group you created for general developers (Developers). You then need to make sure that the developers working on those tagged repositories are not members of that general Developers group, but belong instead to a different IAM group that does not have the restrictive policy applied (SecretDevelopers).
The following example denies all CodeCommit actions on repositories tagged with the key Status and the key value of Secret:
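The tag-based Deny described above, written out as an added example rather than the page's own listing; the Sid is an assumed label.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllActionsOnRepositoriesTaggedSecret",
      "Effect": "Deny",
      "Action": "codecommit:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Status": "Secret"
        }
      }
    }
  ]
}
```

aws:ResourceTag/Status is read from the repository the request targets, so the Deny only affects actions that operate on a repository; actions with no repository resource, such as ListRepositories, carry no resource tags and are unaffected. The control is only as strong as the tag: anyone who can call codecommit:UntagResource or codecommit:TagResource on a Secret repository can lift the restriction, so deny those two actions to the Developers group as well, or scope them separately.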
You can further refine this strategy by specifying specific repositories, rather than all repositories, as resources. You can also create policies that allow CodeCommit actions on all repositories that are not tagged with specific tags. For example, the following policy allows the equivalent of AWSCodeCommitPowerUser permissions for CodeCommit actions, except that it only allows CodeCommit actions on repositories not tagged with the specified tags:
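The Allow-on-untagged variant described above, written out as an added example rather than the page's own listing. The Action list approximates the CodeCommit actions granted by AWSCodeCommitPowerUser (which deliberately omits DeleteRepository); treat it as an assumption and compare it against the managed policy document in your account before relying on it. The Sid is an assumed label.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PowerUserEquivalentOnRepositoriesNotTaggedSecret",
      "Effect": "Allow",
      "Action": [
        "codecommit:Associate*",
        "codecommit:Batch*",
        "codecommit:CancelUploadArchive",
        "codecommit:Create*",
        "codecommit:DeleteBranch",
        "codecommit:DeleteComment*",
        "codecommit:DeleteFile",
        "codecommit:Describe*",
        "codecommit:Disassociate*",
        "codecommit:Evaluate*",
        "codecommit:Get*",
        "codecommit:Git*",
        "codecommit:List*",
        "codecommit:Merge*",
        "codecommit:OverridePullRequestApprovalRules",
        "codecommit:Post*",
        "codecommit:Put*",
        "codecommit:Tag*",
        "codecommit:Test*",
        "codecommit:Untag*",
        "codecommit:Update*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:ResourceTag/Status": "Secret"
        }
      }
    }
  ]
}
```

With StringNotEquals the statement grants nothing on a repository whose Status tag is Secret, and because it is an Allow rather than a Deny it composes safely with other Allow policies without silently overriding them. Add a second key under the same StringNotEquals to exclude repositories by more than one tag; all keys in one operator must hold for the Allow to apply.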
Note
This policy example only includes actions for CodeCommit. It does not include actions for other Amazon services that are included in the AWSCodeCommitPowerUser managed policy. For more information, see Amazon managed policy: AWSCodeCommitPowerUser.