CodePipeline permissions reference - AWS CodePipeline
Use the following table as a reference when you are setting up access control and writing permissions policies that you can attach to an IAM identity (identity-based policies). The table lists each CodePipeline API operation and the corresponding action for which you can grant permission to perform it. For operations that support resource-level permissions, the table lists the AWS resource for which you can grant the permissions. You specify the actions in the policy's Action field.
Resource-level permissions are those that allow you to specify which resources users are allowed to perform actions on. AWS CodePipeline provides partial support for resource-level permissions. This means that for some AWS CodePipeline API calls, you can control when users are allowed to use those actions based on conditions that must be met, or which resources users are allowed to use. For example, you can grant users permission to list pipeline execution information, but only for a specific pipeline or pipelines.
Note
The Resources column lists the resource required for API calls that support resource-level permissions. For API calls that do not support resource-level permissions, you can grant users permission to use them, but you must specify a wildcard (*) for the Resource element of your policy statement.
CodePipeline API Operations and required permissions for actions
CodePipeline API operations | Required permissions (API actions) | Resources |
---|---|---|
AcknowledgeJob | codepipeline:AcknowledgeJob Required to view information about a specified job and whether that job has been received by the job worker. Used for custom actions only. | Supports only a wildcard (*) in the policy Resource element. |
AcknowledgeThirdPartyJob | codepipeline:AcknowledgeThirdPartyJob Required to confirm a job worker has received the specified job. Used for partner actions only. | Supports only a wildcard (*) in the policy Resource element. |
CreateCustomActionType | codepipeline:CreateCustomActionType Required to create a custom action that can be used in all pipelines associated with the AWS account. Used for custom actions only. | Action Type arn:aws:codepipeline:region:account:actiontype:owner/category/provider/version |
CreatePipeline | codepipeline:CreatePipeline Required to create a pipeline. | Pipeline arn:aws:codepipeline:region:account:pipeline-name |
DeleteCustomActionType | codepipeline:DeleteCustomActionType Required to mark a custom action as deleted. PollForJobs for the custom action fails after the action is marked for deletion. Used for custom actions only. | Action Type arn:aws:codepipeline:region:account:actiontype:owner/category/provider/version |
DeletePipeline | codepipeline:DeletePipeline Required to delete a pipeline. | Pipeline arn:aws:codepipeline:region:account:pipeline-name |
DeleteWebhook | codepipeline:DeleteWebhook Required to delete a webhook. | Webhook arn:aws:codepipeline:region:account:webhook:webhook-name |
DeregisterWebhookWithThirdParty | codepipeline:DeregisterWebhookWithThirdParty Before a webhook is deleted, required to remove the connection between the webhook that was created by CodePipeline and the external tool with events to be detected. Currently supported only for webhooks that target an action type of GitHub. | Webhook arn:aws:codepipeline:region:account:webhook:webhook-name |
DisableStageTransition | codepipeline:DisableStageTransition Required to prevent artifacts in a pipeline from transitioning to the next stage in the pipeline. | Pipeline arn:aws:codepipeline:region:account:pipeline-name |
EnableStageTransition | codepipeline:EnableStageTransition Required to enable artifacts in a pipeline to transition to a stage in a pipeline. | Pipeline arn:aws:codepipeline:region:account:pipeline-name |
GetJobDetails | codepipeline:GetJobDetails Required to retrieve information about a job. Used for custom actions only. | No resource required. |
GetPipeline | codepipeline:GetPipeline Required to retrieve the structure, stages, actions, and metadata of a pipeline, including the pipeline ARN. | Pipeline arn:aws:codepipeline:region:account:pipeline-name |
GetPipelineExecution | codepipeline:GetPipelineExecution Required to retrieve information about an execution of a pipeline, including details about artifacts, the pipeline execution ID, and the name, version, and status of the pipeline. | Pipeline arn:aws:codepipeline:region:account:pipeline-name |
GetPipelineState | codepipeline:GetPipelineState Required to retrieve information about the state of a pipeline, including the stages and actions. | Pipeline arn:aws:codepipeline:region:account:pipeline-name |
GetThirdPartyJobDetails | codepipeline:GetThirdPartyJobDetails Required to request the details of a job for a third-party action. Used for partner actions only. | Supports only a wildcard (*) in the policy Resource element. |
ListActionExecutions | codepipeline:ListActionExecutions Required to generate a summary of all executions for an action. | Pipeline arn:aws:codepipeline:region:account:pipeline-name |
ListActionTypes | codepipeline:ListActionTypes Required to generate a summary of all CodePipeline action types associated with your account. | Supports only a wildcard (*) in the policy Resource element. |
ListPipelineExecutions | codepipeline:ListPipelineExecutions Required to generate a summary of the most recent executions for a pipeline. | Pipeline arn:aws:codepipeline:region:account:pipeline-name |
ListPipelines | codepipeline:ListPipelines Required to generate a summary of all of the pipelines associated with your account. | Pipeline ARN with wildcard (resource-level permissions at the pipeline name level are not supported) arn:aws:codepipeline:region:account:* |
ListTagsForResource | codepipeline:ListTagsForResource Required to list tags for a specified resource. Resources are optional. | Action Type arn:aws:codepipeline:region:account:actiontype:owner/category/provider/version; Pipeline arn:aws:codepipeline:region:account:pipeline-name; Webhook arn:aws:codepipeline:region:account:webhook:webhook-name |
ListWebhooks | codepipeline:ListWebhooks Required to list all of the webhooks in the account for that Region. | Webhook arn:aws:codepipeline:region:account:webhook:webhook-name |
PollForJobs | codepipeline:PollForJobs Required to get a listing of all of the webhooks in this Region for this account. | Action Type arn:aws:codepipeline:region:account:actiontype:owner/category/provider/version |
PollForThirdPartyJobs | codepipeline:PollForThirdPartyJobs Required to determine whether there are any third-party jobs for a job worker to act on. Used for partner actions only. | Supports only a wildcard (*) in the policy Resource element. |
PutActionRevision | codepipeline:PutActionRevision Required to report information to CodePipeline about new revisions to a source. | Action arn:aws:codepipeline:region:account:pipeline-name/stage-name/action-name |
PutApprovalResult | codepipeline:PutApprovalResult Required to report the response to a manual approval request to CodePipeline. Valid responses are Approved and Rejected. | Action arn:aws:codepipeline:region:account:pipeline-name/stage-name/action-name Note: This API call supports resource-level permissions. However, you might encounter an error if you use the IAM console or Policy Generator to create policies with "codepipeline:PutApprovalResult" that specify a resource ARN. If you encounter an error, you can use the JSON tab in the IAM console or the CLI to create a policy. |
PutJobFailureResult | codepipeline:PutJobFailureResult Required to report the failure of a job as returned to the pipeline by a job worker. Used for custom actions only. | Supports only a wildcard (*) in the policy Resource element. |
PutJobSuccessResult | codepipeline:PutJobSuccessResult Required to report the success of a job as returned to the pipeline by a job worker. Used for custom actions only. | Supports only a wildcard (*) in the policy Resource element. |
PutThirdPartyJobFailureResult | codepipeline:PutThirdPartyJobFailureResult Required to report the failure of a third-party job as returned to the pipeline by a job worker. Used for partner actions only. | Supports only a wildcard (*) in the policy Resource element. |
PutThirdPartyJobSuccessResult | codepipeline:PutThirdPartyJobSuccessResult Required to report the success of a third-party job as returned to the pipeline by a job worker. Used for partner actions only. | Supports only a wildcard (*) in the policy Resource element. |
PutWebhook | codepipeline:PutWebhook Required to create a webhook. | Pipeline arn:aws:codepipeline:region:account:pipeline-name; Webhook arn:aws:codepipeline:region:account:webhook:webhook-name |
RegisterWebhookWithThirdParty | codepipeline:RegisterWebhookWithThirdParty After a webhook is created, required to configure supported third parties to call the generated webhook URL. | Webhook arn:aws:codepipeline:region:account:webhook:webhook-name |
RetryStageExecution | codepipeline:RetryStageExecution Required to resume the pipeline execution by retrying the last failed actions in a stage. | Pipeline arn:aws:codepipeline:region:account:pipeline-name/stage-name |
StartPipelineExecution | codepipeline:StartPipelineExecution Required to start the specified pipeline (specifically, to start processing the latest commit to the source location specified as part of the pipeline). | Pipeline arn:aws:codepipeline:region:account:pipeline-name |
StopPipelineExecution | codepipeline:StopPipelineExecution Required to stop the specified pipeline execution. You choose to either stop the pipeline execution by completing in-progress actions without starting subsequent actions, or by abandoning in-progress actions. | Pipeline arn:aws:codepipeline:region:account:pipeline-name |
TagResource | codepipeline:TagResource Required to tag the specified resource. Resources are optional. | Action Type arn:aws:codepipeline:region:account:actiontype:owner/category/provider/version; Pipeline arn:aws:codepipeline:region:account:pipeline-name; Webhook arn:aws:codepipeline:region:account:webhook:webhook-name |
UntagResource | codepipeline:UntagResource Required to untag the specified resource. Resources are optional. | Action Type arn:aws:codepipeline:region:account:actiontype:owner/category/provider/version; Pipeline arn:aws:codepipeline:region:account:pipeline-name; Webhook arn:aws:codepipeline:region:account:webhook:webhook-name |
UpdatePipeline | codepipeline:UpdatePipeline Required to update a specified pipeline with edits or changes to its structure. | Pipeline arn:aws:codepipeline:region:account:pipeline-name |
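The following is an added example, not code from the AWS documentation: it builds the least-privilege policy the introduction describes (execution information for one pipeline only) and lints a policy for the mismatch the Note warns about, a wildcard-only action paired with a specific ARN, which matches nothing. The Region, account id and pipeline name are constructed placeholders, and the two action sets are subsets copied from the table above.

```python
# Added example, not AWS's own code: a least-privilege policy built from the
# table above, plus a lint for the mismatch the Note describes. Region,
# account id and pipeline name are constructed placeholders.

# Subset of the actions the table marks "Supports only a wildcard (*)".
WILDCARD_ONLY = {
    "codepipeline:AcknowledgeJob", "codepipeline:ListActionTypes",
    "codepipeline:PollForThirdPartyJobs", "codepipeline:PutJobSuccessResult",
    "codepipeline:PutJobFailureResult", "codepipeline:GetThirdPartyJobDetails",
}
# Subset of the actions the table scopes to a Pipeline ARN.
PIPELINE_SCOPED = {
    "codepipeline:GetPipeline", "codepipeline:GetPipelineState",
    "codepipeline:GetPipelineExecution", "codepipeline:ListPipelineExecutions",
    "codepipeline:StartPipelineExecution", "codepipeline:StopPipelineExecution",
}


def as_list(value):
    return value if isinstance(value, list) else [value]


def build_policy(region, account, pipeline):
    """Read access to one pipeline's executions, plus the two listing actions
    the table says cannot be scoped to a pipeline name."""
    pipeline_arn = f"arn:aws:codepipeline:{region}:{account}:{pipeline}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadOnePipeline", "Effect": "Allow",
         "Action": ["codepipeline:GetPipelineExecution",
                    "codepipeline:ListPipelineExecutions"],
         "Resource": pipeline_arn},
        {"Sid": "ListPipelines", "Effect": "Allow",
         "Action": "codepipeline:ListPipelines",
         "Resource": f"arn:aws:codepipeline:{region}:{account}:*"},
        {"Sid": "ListActionTypes", "Effect": "Allow",
         "Action": "codepipeline:ListActionTypes", "Resource": "*"},
    ]}


def lint_policy(policy):
    """Findings: a wildcard-only action paired with a specific ARN (that grant
    never matches) or a pipeline-scoped action granted on every pipeline."""
    findings = []
    for st in policy["Statement"]:
        sid, resources = st.get("Sid", "?"), as_list(st["Resource"])
        for action in as_list(st["Action"]):
            if action in WILDCARD_ONLY and resources != ["*"]:
                findings.append(f"{sid}: {action} supports only Resource '*'")
            elif action in PIPELINE_SCOPED and any(r.endswith("*") for r in resources):
                findings.append(f"{sid}: {action} should name a pipeline ARN")
    return findings
```

Run `lint_policy` over any policy you are about to attach; an empty list means every statement uses a Resource form the table supports for its actions.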