View a markdown version of this page

Actions, resources, and condition keys for AWS CodeArtifact - Service Authorization Reference

Actions, resources, and condition keys for AWS CodeArtifact

AWS CodeArtifact (service prefix: codeartifact) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

Actions defined by AWS CodeArtifact

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

AssociateExternalConnection

Grants permission to add an external connection to a repository

repository*

aws:ResourceTag/${TagKey}

Write

AssociateWithDownstreamRepository

Grants permission to associate an existing repository as an upstream repository to another repository

repository*

aws:ResourceTag/${TagKey}

Write

CopyPackageVersions

Grants permission to copy package versions from one repository to another repository in the same domain

package*

Write

repository*

aws:ResourceTag/${TagKey}

CreateDomain

Grants permission to create a new domain

aws:RequestTag/${TagKey}

aws:TagKeys

Write

CreatePackageGroup

Grants permission to create a package group

aws:RequestTag/${TagKey}

aws:TagKeys

Write

CreateRepository

Grants permission to create a new repository

aws:RequestTag/${TagKey}

aws:TagKeys

Write

DeleteDomain

Grants permission to delete a domain

domain*

aws:ResourceTag/${TagKey}

Write

DeleteDomainPermissionsPolicy

Grants permission to delete the resource policy set on a domain

domain*

aws:ResourceTag/${TagKey}

Permissions management, Write

DeletePackage

Grants permission to delete a package

package*

Write

DeletePackageGroup

Grants permission to delete a package group

package-group*

aws:ResourceTag/${TagKey}

Write

DeletePackageVersions

Grants permission to delete package versions

package*

Write

DeleteRepository

Grants permission to delete a repository

repository*

aws:ResourceTag/${TagKey}

Write

DeleteRepositoryPermissionsPolicy

Grants permission to delete the resource policy set on a repository

repository*

aws:ResourceTag/${TagKey}

Permissions management, Write

DescribeDomain

Grants permission to return information about a domain

domain*

aws:ResourceTag/${TagKey}

Read

DescribePackage

Grants permission to retrieve information about a package

package*

Read

DescribePackageGroup

Grants permission to return detailed information about a package group

package-group*

aws:ResourceTag/${TagKey}

Read

DescribePackageVersion

Grants permission to return information about a package version

package*

Read

DescribeRepository

Grants permission to return detailed information about a repository

repository*

aws:ResourceTag/${TagKey}

Read

DisassociateExternalConnection

Grants permission to disassociate an external connection from a repository

repository*

aws:ResourceTag/${TagKey}

Write

DisposePackageVersions

Grants permission to set the status of package versions to Disposed and delete their assets

package*

Write

GetAssociatedPackageGroup

Grants permission to return a package's associated package group

package-group*

aws:ResourceTag/${TagKey}

Read

GetAuthorizationToken

Grants permission to generate a temporary authentication token for accessing repositories in a domain

domain*

aws:ResourceTag/${TagKey}

Read

GetDomainPermissionsPolicy

Grants permission to return a domain's resource policy

domain*

aws:ResourceTag/${TagKey}

Read

GetPackageVersionAsset

Grants permission to return an asset (or file) that is part of a package version

package*

Read

GetPackageVersionReadme

Grants permission to return a package version's readme file

package*

Read

GetRepositoryEndpoint

Grants permission to return an endpoint for a repository

repository*

aws:ResourceTag/${TagKey}

Read

GetRepositoryPermissionsPolicy

Grants permission to return a repository's resource policy

repository*

aws:ResourceTag/${TagKey}

Read

ListAllowedRepositoriesForGroup

Grants permission to list the allowed repositories for a package group

package-group*

aws:ResourceTag/${TagKey}

List

ListAssociatedPackages

Grants permission to list the packages associated to a package group

package-group*

aws:ResourceTag/${TagKey}

List

ListDomains

Grants permission to list the domains in the current user's AWS account

List

ListPackageGroups

Grants permission to list the package groups in a domain

domain*

aws:ResourceTag/${TagKey}

List

ListPackageVersionAssets

Grants permission to list a package version's assets

package*

List

ListPackageVersionDependencies

Grants permission to list the direct dependencies of a package version

package*

List

ListPackageVersions

Grants permission to list a package's versions

package*

List

ListPackages

Grants permission to list the packages in a repository

repository*

aws:ResourceTag/${TagKey}

List

ListRepositories

Grants permission to list the repositories administered by the calling account

List

ListRepositoriesInDomain

Grants permission to list the repositories in a domain

domain*

aws:ResourceTag/${TagKey}

List

ListSubPackageGroups

Grants permission to list the sub package groups for a parent package group

package-group*

aws:ResourceTag/${TagKey}

List

ListTagsForResource

Grants permission to list tags for a CodeArtifact resource

domain

aws:ResourceTag/${TagKey}

List

package-group

aws:ResourceTag/${TagKey}

repository

aws:ResourceTag/${TagKey}

PublishPackageVersion

Grants permission to publish assets and metadata to a repository endpoint

package*

Write

PutDomainPermissionsPolicy

Grants permission to attach a resource policy to a domain

domain*

aws:ResourceTag/${TagKey}

Write

PutPackageMetadata

Grants permission to add, modify or remove package metadata using a repository endpoint

package*

Write

PutPackageOriginConfiguration

Grants permission to set origin configuration for a package

package*

Write

PutRepositoryPermissionsPolicy

Grants permission to attach a resource policy to a repository

repository*

aws:ResourceTag/${TagKey}

Write

ReadFromRepository

Grants permission to return package assets and metadata from a repository endpoint

repository*

aws:ResourceTag/${TagKey}

Read

TagResource

Grants permission to tag a CodeArtifact resource

domain

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

package-group

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

repository

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

UntagResource

Grants permission to remove a tag from a CodeArtifact resource

domain

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

package-group

aws:ResourceTag/${TagKey}

aws:TagKeys

repository

aws:ResourceTag/${TagKey}

aws:TagKeys

UpdatePackageGroup

Grants permission to modify the properties of a package group

package-group*

aws:ResourceTag/${TagKey}

Write

UpdatePackageGroupOriginConfiguration

Grants permission to modify the package origin configuration of a package group

package-group*

aws:ResourceTag/${TagKey}

Write

UpdatePackageVersionsStatus

Grants permission to modify the status of one or more versions of a package

package*

Write

UpdateRepository

Grants permission to modify the properties of a repository

repository*

aws:ResourceTag/${TagKey}

Write

Resource types defined by AWS CodeArtifact

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

domain

arn:${Partition}:codeartifact:${Region}:${Account}:domain/${DomainName}

aws:ResourceTag/${TagKey}

package

arn:${Partition}:codeartifact:${Region}:${Account}:package/${DomainName}/${RepositoryName}/${PackageFormat}/${PackageNamespace}/${PackageName}

package-group

arn:${Partition}:codeartifact:${Region}:${Account}:package-group/${DomainName}${EncodedPackageGroupPattern}

aws:ResourceTag/${TagKey}

repository

arn:${Partition}:codeartifact:${Region}:${Account}:repository/${DomainName}/${RepositoryName}

aws:ResourceTag/${TagKey}

Condition keys for AWS CodeArtifact

AWS CodeArtifact defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

aws:RequestTag/${TagKey}

Filters access by the presence of tag key-value pairs in the request

String

aws:ResourceTag/${TagKey}

Filters access by tag key-value pairs attached to the resource

String

aws:TagKeys

Filters access by the presence of tag keys in the request

ArrayOfString