Actions, resources, and condition keys for AWS CodeCommit - Service Authorization Reference

Actions, resources, and condition keys for AWS CodeCommit

AWS CodeCommit (service prefix: codecommit) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by AWS CodeCommit

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AssociateApprovalRuleTemplateWithRepository Grants permission to associate an approval rule template with a repository Write

repository*

BatchAssociateApprovalRuleTemplateWithRepositories Grants permission to associate an approval rule template with multiple repositories in a single operation Write

repository*

BatchDescribeMergeConflicts Grants permission to get information about multiple merge conflicts when attempting to merge two commits using either the three-way merge or the squash merge option Read

repository*

BatchDisassociateApprovalRuleTemplateFromRepositories Grants permission to remove the association between an approval rule template and multiple repositories in a single operation Write

repository*

BatchGetCommits Grants permission to return information about one or more commits in an AWS CodeCommit repository Read

repository*

BatchGetPullRequests [permission only] Grants permission to return information about one or more pull requests in an AWS CodeCommit repository Read

repository*

BatchGetRepositories Grants permission to get information about multiple repositories Read

repository*

CancelUploadArchive [permission only] Grants permission to cancel the uploading of an archive to a pipeline in AWS CodePipeline Read

repository*

CreateApprovalRuleTemplate Grants permission to create an approval rule template that will automatically create approval rules in pull requests that match the conditions defined in the template; does not grant permission to create approval rules for individual pull requests Write
CreateBranch Grants permission to create a branch in an AWS CodeCommit repository with this API; does not control Git create branch actions Write

repository*

codecommit:References

CreateCommit Grants permission to add, copy, move or update single or multiple files in a branch in an AWS CodeCommit repository, and generate a commit for the changes in the specified branch Write

repository*

codecommit:References

CreatePullRequest Grants permission to create a pull request in the specified repository Write

repository*

CreatePullRequestApprovalRule Grants permission to create an approval rule specific to an individual pull request; does not grant permission to create approval rule templates Write

repository*

CreateRepository Grants permission to create an AWS CodeCommit repository Write

repository*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateUnreferencedMergeCommit Grants permission to create an unreferenced commit that contains the result of merging two commits using either the three-way or the squash merge option; does not control Git merge actions Write

repository*

codecommit:References

DeleteApprovalRuleTemplate Grants permission to delete an approval rule template Write
DeleteBranch Grants permission to delete a branch in an AWS CodeCommit repository with this API; does not control Git delete branch actions Write

repository*

codecommit:References

DeleteCommentContent Grants permission to delete the content of a comment made on a change, file, or commit in a repository Write

repository*

DeleteFile Grants permission to delete a specified file from a specified branch Write

repository*

codecommit:References

DeletePullRequestApprovalRule Grants permission to delete approval rule created for a pull request if the rule was not created by an approval rule template Write

repository*

DeleteRepository Grants permission to delete an AWS CodeCommit repository Write

repository*

DescribeMergeConflicts Grants permission to get information about specific merge conflicts when attempting to merge two commits using either the three-way or the squash merge option Read

repository*

DescribePullRequestEvents Grants permission to return information about one or more pull request events Read

repository*

DisassociateApprovalRuleTemplateFromRepository Grants permission to remove the association between an approval rule template and a repository Write

repository*

EvaluatePullRequestApprovalRules Grants permission to evaluate whether a pull request is mergable based on its current approval state and approval rule requirements Read

repository*

GetApprovalRuleTemplate Grants permission to return information about an approval rule template Read
GetBlob Grants permission to view the encoded content of an individual file in an AWS CodeCommit repository from the AWS CodeCommit console Read

repository*

GetBranch Grants permission to get details about a branch in an AWS CodeCommit repository with this API; does not control Git branch actions Read

repository*

GetComment Grants permission to get the content of a comment made on a change, file, or commit in a repository Read

repository*

GetCommentReactions Grants permission to get the reactions on a comment Read

repository*

GetCommentsForComparedCommit Grants permission to get information about comments made on the comparison between two commits Read

repository*

GetCommentsForPullRequest Grants permission to get comments made on a pull request Read

repository*

GetCommit Grants permission to return information about a commit, including commit message and committer information, with this API; does not control Git log actions Read

repository*

GetCommitHistory [permission only] Grants permission to get information about the history of commits in a repository Read

repository*

GetCommitsFromMergeBase [permission only] Grants permission to get information about the difference between commits in the context of a potential merge Read

repository*

GetDifferences Grants permission to view information about the differences between valid commit specifiers such as a branch, tag, HEAD, commit ID, or other fully qualified reference Read

repository*

GetFile Grants permission to return the base-64 encoded contents of a specified file and its metadata Read

repository*

GetFolder Grants permission to return the contents of a specified folder in a repository Read

repository*

GetMergeCommit Grants permission to get information about a merge commit created by one of the merge options for pull requests that creates merge commits. Not all merge options create merge commits. This permission does not control Git merge actions Read

repository*

codecommit:References

GetMergeConflicts Grants permission to get information about merge conflicts between the before and after commit IDs for a pull request in a repository Read

repository*

GetMergeOptions Grants permission to get information about merge options for pull requests that can be used to merge two commits; does not control Git merge actions Read

repository*

GetObjectIdentifier [permission only] Grants permission to resolve blobs, trees, and commits to their identifier Read

repository*

GetPullRequest Grants permission to get information about a pull request in a specified repository Read

repository*

GetPullRequestApprovalStates Grants permission to retrieve the current approvals on an inputted pull request Read

repository*

GetPullRequestOverrideState Grants permission to retrieve the current override state of a given pull request Read

repository*

GetReferences [permission only] Grants permission to get details about references in an AWS CodeCommit repository; does not control Git reference actions Read

repository*

GetRepository Grants permission to get information about an AWS CodeCommit repository Read

repository*

GetRepositoryTriggers Grants permission to get information about triggers configured for a repository Read

repository*

GetTree [permission only] Grants permission to view the contents of a specified tree in an AWS CodeCommit repository from the AWS CodeCommit console Read

repository*

GetUploadArchiveStatus [permission only] Grants permission to get status information about an archive upload to a pipeline in AWS CodePipeline Read

repository*

GitPull [permission only] Grants permission to pull information from an AWS CodeCommit repository to a local repo Read

repository*

GitPush [permission only] Grants permission to push information from a local repo to an AWS CodeCommit repository Write

repository*

codecommit:References

ListApprovalRuleTemplates Grants permission to list all approval rule templates in an AWS Region for the AWS account List
ListAssociatedApprovalRuleTemplatesForRepository Grants permission to list approval rule templates that are associated with a repository List

repository*

ListBranches Grants permission to list branches for an AWS CodeCommit repository with this API; does not control Git branch actions List

repository*

ListFileCommitHistory Grants permission to list commits and changes to a specified file List

repository*

ListPullRequests Grants permission to list pull requests for a specified repository List

repository*

ListRepositories Grants permission to list information about AWS CodeCommit repositories in the current Region for your AWS account List
ListRepositoriesForApprovalRuleTemplate Grants permission to list repositories that are associated with an approval rule template List
ListTagsForResource Grants permission to list the resource attached to a CodeCommit resource ARN List

repository

MergeBranchesByFastForward Grants permission to merge two commits into the specified destination branch using the fast-forward merge option Write

repository*

codecommit:References

MergeBranchesBySquash Grants permission to merge two commits into the specified destination branch using the squash merge option Write

repository*

codecommit:References

MergeBranchesByThreeWay Grants permission to merge two commits into the specified destination branch using the three-way merge option Write

repository*

codecommit:References

MergePullRequestByFastForward Grants permission to close a pull request and attempt to merge it into the specified destination branch for that pull request at the specified commit using the fast-forward merge option Write

repository*

codecommit:References

MergePullRequestBySquash Grants permission to close a pull request and attempt to merge it into the specified destination branch for that pull request at the specified commit using the squash merge option Write

repository*

codecommit:References

MergePullRequestByThreeWay Grants permission to close a pull request and attempt to merge it into the specified destination branch for that pull request at the specified commit using the three-way merge option Write

repository*

codecommit:References

OverridePullRequestApprovalRules Grants permission to override all approval rules for a pull request, including approval rules created by a template Write

repository*

PostCommentForComparedCommit Grants permission to post a comment on the comparison between two commits Write

repository*

PostCommentForPullRequest Grants permission to post a comment on a pull request Write

repository*

PostCommentReply Grants permission to post a comment in reply to a comment on a comparison between commits or a pull request Write

repository*

PutCommentReaction Grants permission to post a reaction on a comment Write

repository*

PutFile Grants permission to add or update a file in a branch in an AWS CodeCommit repository, and generate a commit for the addition in the specified branch Write

repository*

codecommit:References

PutRepositoryTriggers Grants permission to create, update, or delete triggers for a repository Write

repository*

TagResource Grants permission to attach resource tags to a CodeCommit resource ARN Tagging

repository

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

TestRepositoryTriggers Grants permission to test the functionality of repository triggers by sending information to the trigger target Write

repository*

UntagResource Grants permission to disassociate resource tags from a CodeCommit resource ARN Tagging

repository

aws:TagKeys

aws:ResourceTag/${TagKey}

UpdateApprovalRuleTemplateContent Grants permission to update the content of approval rule templates; does not grant permission to update content of approval rules created specifically for pull requests Write
UpdateApprovalRuleTemplateDescription Grants permission to update the description of approval rule templates Write
UpdateApprovalRuleTemplateName Grants permission to update the name of approval rule templates Write
UpdateComment Grants permission to update the contents of a comment if the identity matches the identity used to create the comment Write

repository*

UpdateDefaultBranch Grants permission to change the default branch in an AWS CodeCommit repository Write

repository*

UpdatePullRequestApprovalRuleContent Grants permission to update the content for approval rules created for a specific pull requests; does not grant permission to update approval rule content for rules created with an approval rule template Write

repository*

UpdatePullRequestApprovalState Grants permission to update the approval state for pull requests Write

repository*

UpdatePullRequestDescription Grants permission to update the description of a pull request Write

repository*

UpdatePullRequestStatus Grants permission to update the status of a pull request Write

repository*

UpdatePullRequestTitle Grants permission to update the title of a pull request Write

repository*

UpdateRepositoryDescription Grants permission to change the description of an AWS CodeCommit repository Write

repository*

UpdateRepositoryEncryptionKey Grants permission to change the AWS KMS encryption key used to encrypt and decrypt an AWS CodeCommit repository Write

repository*

UpdateRepositoryName Grants permission to change the name of an AWS CodeCommit repository Write

repository*

UploadArchive [permission only] Grants permission to the service role for AWS CodePipeline to upload repository changes into a pipeline Write

repository*

Resource types defined by AWS CodeCommit

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
repository arn:${Partition}:codecommit:${Region}:${Account}:${RepositoryName}

aws:ResourceTag/${TagKey}

Condition keys for AWS CodeCommit

AWS CodeCommit defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access by the presence of tag key-value pairs in the request String
aws:ResourceTag/${TagKey} Filters access by tag key-value pairs attached to the resource String
aws:TagKeys Filters access by the presence of tag keys in the request ArrayOfString
codecommit:References Filters access by Git reference to specified AWS CodeCommit actions String