View a markdown version of this page

Actions, resources, and condition keys for Amazon CodePipeline - Service Authorization Reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Actions, resources, and condition keys for Amazon CodePipeline

Amazon CodePipeline (service prefix: codepipeline) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by Amazon CodePipeline

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation IAM action Condition key Possible value(s) Access level

AcknowledgeJob

codepipeline:AcknowledgeJob

Write

AcknowledgeThirdPartyJob

codepipeline:AcknowledgeThirdPartyJob

Write

CreateCustomActionType

codepipeline:CreateCustomActionType

Write

codepipeline:TagResource

Tagging, Write

CreatePipeline

codepipeline:CreatePipeline

Write

codepipeline:TagResource

Tagging, Write

codestar-connections:PassConnection

Read

iam:PassRole

iam:PassedToService

cloudformation.amazonaws.com, codepipeline.amazonaws.com

Write

DeleteCustomActionType

codepipeline:DeleteCustomActionType

Write

DeletePipeline

codepipeline:DeletePipeline

Write

DeleteWebhook

codepipeline:DeleteWebhook

Write

DeregisterWebhookWithThirdParty

codepipeline:DeregisterWebhookWithThirdParty

Write

DisableStageTransition

codepipeline:DisableStageTransition

Write

EnableStageTransition

codepipeline:EnableStageTransition

Write

GetActionType

codepipeline:GetActionType

Read

GetJobDetails

codepipeline:GetJobDetails

Read

GetPipeline

codepipeline:GetPipeline

Read

GetPipelineExecution

codepipeline:GetPipelineExecution

Read

GetPipelineState

codepipeline:GetPipelineState

Read

GetThirdPartyJobDetails

codepipeline:GetThirdPartyJobDetails

Read

ListActionExecutions

codepipeline:ListActionExecutions

Read

ListActionTypes

codepipeline:ListActionTypes

Read

ListDeployActionExecutionTargets

codepipeline:ListDeployActionExecutionTargets

Read

ListPipelineExecutions

codepipeline:ListPipelineExecutions

List

ListPipelines

codepipeline:ListPipelines

List

ListRuleExecutions

codepipeline:ListRuleExecutions

Read

ListRuleTypes

codepipeline:ListRuleTypes

Read

ListTagsForResource

codepipeline:ListTagsForResource

Read

ListWebhooks

codepipeline:ListWebhooks

List

OverrideStageCondition

codepipeline:OverrideStageCondition

Write

PollForJobs

codepipeline:PollForJobs

Write

PollForThirdPartyJobs

codepipeline:PollForThirdPartyJobs

Write

PutActionRevision

codepipeline:PutActionRevision

Write

PutApprovalResult

codepipeline:PutApprovalResult

Write

PutJobFailureResult

codepipeline:PutJobFailureResult

Write

PutJobSuccessResult

codepipeline:PutJobSuccessResult

Write

PutThirdPartyJobFailureResult

codepipeline:PutThirdPartyJobFailureResult

Write

PutThirdPartyJobSuccessResult

codepipeline:PutThirdPartyJobSuccessResult

Write

PutWebhook

codepipeline:PutWebhook

Write

codepipeline:TagResource

Tagging, Write

codepipeline:UntagResource

Tagging, Write

RegisterWebhookWithThirdParty

codepipeline:RegisterWebhookWithThirdParty

Write

RetryStageExecution

codepipeline:RetryStageExecution

Write

RollbackStage

codepipeline:RollbackStage

Write

StartPipelineExecution

codepipeline:StartPipelineExecution

Write

StopPipelineExecution

codepipeline:StopPipelineExecution

Write

TagResource

codepipeline:TagResource

Tagging, Write

UntagResource

codepipeline:UntagResource

Tagging, Write

UpdateActionType

codepipeline:UpdateActionType

Write

UpdatePipeline

codepipeline:UpdatePipeline

Write

codestar-connections:PassConnection

Read

iam:PassRole

iam:PassedToService

cloudformation.amazonaws.com, codepipeline.amazonaws.com

Write

Actions defined by Amazon CodePipeline

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in Amazon. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

AcknowledgeJob

Grants permission to view information about a specified job and whether that job has been received by the job worker

Write

AcknowledgeThirdPartyJob

Grants permission to confirm that a job worker has received the specified job (partner actions only)

Write

CreateCustomActionType

Grants permission to create a custom action that you can use in the pipelines associated with your Amazon Web Services account

actiontype*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

CreatePipeline

Grants permission to create a uniquely named pipeline

pipeline*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

DeleteCustomActionType

Grants permission to delete a custom action

actiontype*

aws:ResourceTag/${TagKey}

Write

DeletePipeline

Grants permission to delete a specified pipeline

pipeline*

aws:ResourceTag/${TagKey}

Write

DeleteWebhook

Grants permission to delete a specified webhook

webhook*

aws:ResourceTag/${TagKey}

Write

DeregisterWebhookWithThirdParty

Grants permission to remove the registration of a webhook with the third party specified in its configuration

webhook*

aws:ResourceTag/${TagKey}

Write

DisableStageTransition

Grants permission to prevent revisions from transitioning to the next stage in a pipeline

stage*

aws:ResourceTag/${TagKey}

Write

EnableStageTransition

Grants permission to allow revisions to transition to the next stage in a pipeline

stage*

aws:ResourceTag/${TagKey}

Write

GetActionType

Grants permission to view information about an action type

Read

GetJobDetails

Grants permission to view information about a job (custom actions only)

Read

GetPipeline

Grants permission to retrieve information about a pipeline structure

pipeline*

aws:ResourceTag/${TagKey}

Read

GetPipelineExecution

Grants permission to view information about an execution of a pipeline, including details about artifacts, the pipeline execution ID, and the name, version, and status of the pipeline

pipeline*

aws:ResourceTag/${TagKey}

Read

GetPipelineState

Grants permission to view information about the current state of the stages and actions of a pipeline

pipeline*

aws:ResourceTag/${TagKey}

Read

GetThirdPartyJobDetails

Grants permission to view the details of a job for a third-party action (partner actions only)

Read

ListActionExecutions

Grants permission to list the action executions that have occurred in a pipeline

pipeline*

aws:ResourceTag/${TagKey}

Read

ListActionTypes

Grants permission to list a summary of all the action types available for pipelines in your account

Read

ListDeployActionExecutionTargets

Grants permission to list the deployment details for deploy action executions that have occurred in a pipeline

pipeline*

aws:ResourceTag/${TagKey}

Read

ListPipelineExecutions

Grants permission to list a summary of the most recent executions for a pipeline

pipeline*

aws:ResourceTag/${TagKey}

List

ListPipelines

Grants permission to list a summary of all the pipelines associated with your Amazon Web Services account

List

ListRuleExecutions

Grants permission to list the rule executions that have occurred in a pipeline

pipeline*

aws:ResourceTag/${TagKey}

Read

ListRuleTypes

Grants permission to list a summary of all the rule types available for pipelines in your account

Read

ListTagsForResource

Grants permission to list tags for a CodePipeline resource

actiontype

aws:ResourceTag/${TagKey}

Read

pipeline

aws:ResourceTag/${TagKey}

webhook

aws:ResourceTag/${TagKey}

ListWebhooks

Grants permission to list all of the webhooks associated with your Amazon Web Services account

webhook*

aws:ResourceTag/${TagKey}

List

OverrideStageCondition

Grants permission to resume the pipeline execution by overriding a condition in a stage

stage*

aws:ResourceTag/${TagKey}

Write

PollForJobs

Grants permission to view information about any jobs for CodePipeline to act on

actiontype*

aws:ResourceTag/${TagKey}

Write

PollForThirdPartyJobs

Grants permission to determine whether there are any third-party jobs for a job worker to act on (partner actions only)

Write

PutActionRevision

Grants permission to edit actions in a pipeline

action*

aws:ResourceTag/${TagKey}

Write

PutApprovalResult

Grants permission to provide a response (Approved or Rejected) to a manual approval request in CodePipeline

action*

aws:ResourceTag/${TagKey}

Write

PutJobFailureResult

Grants permission to represent the failure of a job as returned to the pipeline by a job worker (custom actions only)

Write

PutJobSuccessResult

Grants permission to represent the success of a job as returned to the pipeline by a job worker (custom actions only)

Write

PutThirdPartyJobFailureResult

Grants permission to represent the failure of a third-party job as returned to the pipeline by a job worker (partner actions only)

Write

PutThirdPartyJobSuccessResult

Grants permission to represent the success of a third-party job as returned to the pipeline by a job worker (partner actions only)

Write

PutWebhook

Grants permission to create or update a webhook

pipeline*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

webhook*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

RegisterWebhookWithThirdParty

Grants permission to register a webhook with the third party specified in its configuration

webhook*

aws:ResourceTag/${TagKey}

Write

RetryStageExecution

Grants permission to resume the pipeline execution by retrying the last failed actions in a stage

stage*

aws:ResourceTag/${TagKey}

Write

RollbackStage

Grants permission to rollback the stage to a previous successful execution

stage*

aws:ResourceTag/${TagKey}

Write

StartPipelineExecution

Grants permission to run the most recent revision through the pipeline

pipeline*

aws:ResourceTag/${TagKey}

Write

StopPipelineExecution

Grants permission to stop an in-progress pipeline execution

pipeline*

aws:ResourceTag/${TagKey}

Write

TagResource

Grants permission to tag a CodePipeline resource

actiontype

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

pipeline

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

webhook

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

UntagResource

Grants permission to remove a tag from a CodePipeline resource

actiontype

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

pipeline

aws:ResourceTag/${TagKey}

aws:TagKeys

webhook

aws:ResourceTag/${TagKey}

aws:TagKeys

UpdateActionType

Grants permission to update an action type

actiontype*

aws:ResourceTag/${TagKey}

Write

UpdatePipeline

Grants permission to update a pipeline with changes to the structure of the pipeline

pipeline*

aws:ResourceTag/${TagKey}

Write

Resource types defined by Amazon CodePipeline

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

action

arn:${Partition}:codepipeline:${Region}:${Account}:${PipelineName}/${StageName}/${ActionName}

aws:ResourceTag/${TagKey}

actiontype

arn:${Partition}:codepipeline:${Region}:${Account}:actiontype:${Owner}/${Category}/${Provider}/${Version}

aws:ResourceTag/${TagKey}

pipeline

arn:${Partition}:codepipeline:${Region}:${Account}:${PipelineName}

aws:ResourceTag/${TagKey}

stage

arn:${Partition}:codepipeline:${Region}:${Account}:${PipelineName}/${StageName}

aws:ResourceTag/${TagKey}

webhook

arn:${Partition}:codepipeline:${Region}:${Account}:webhook:${WebhookName}

aws:ResourceTag/${TagKey}

Condition keys for Amazon CodePipeline

Amazon CodePipeline defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

aws:RequestTag/${TagKey}

Filters actions based on the presence of tag key-value pairs in the request

String

aws:ResourceTag/${TagKey}

Filters actions based on tag key-value pairs attached to the resource

String

aws:TagKeys

Filters actions based on the presence of tag keys in the request

ArrayOfString