AWS codepipeline documentation change
Summary
Added 'Service role permissions: CodeCommit action' section with required IAM policy for CodeCommit access
Security assessment
Adds documentation about required IAM permissions for secure access to CodeCommit resources, but does not indicate a specific security vulnerability being addressed
Diff
diff --git a/codepipeline/latest/userguide/action-reference-CodeCommit.md b/codepipeline/latest/userguide/action-reference-CodeCommit.md index 57c2f2c8b..ba472374b 100644 --- a/codepipeline/latest/userguide/action-reference-CodeCommit.md +++ b/codepipeline/latest/userguide/action-reference-CodeCommit.md @@ -5 +5 @@ -Action typeConfiguration parameters Input artifactsOutput artifactsOutput variablesExample action configurationSee also +Action typeConfiguration parameters Input artifactsOutput artifactsOutput variablesService role permissions: CodeCommit actionExample action configurationSee also @@ -41,0 +42,2 @@ Currently, the Git URL reference can only be used by downstream CodeBuild action + * Service role permissions: CodeCommit action + @@ -168,0 +171,25 @@ The date when the commit was committed, in timestamp format. +## Service role permissions: CodeCommit action + +When CodePipeline runs the action, the CodePipeline service role policy requires the following permissions, appropriately scoped down to the pipeline resource ARN in order to maintain access with least privilege. For example, add the following to your policy statement: + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "codecommit:CancelUploadArchive", + "codecommit:GetBranch", + "codecommit:GetCommit", + "codecommit:GetRepository", + "codecommit:GetUploadArchiveStatus", + "codecommit:UploadArchive" + ], + "Resource": [ + "arn:aws:codecommit:*:{{customerAccountId}}:[[codecommitRepostories]]" + ] + } + ] + } +