AWS codepipeline documentation change
Summary
Added 'Service role permissions: CodeConnections action' section with required IAM policy for CodeConnections
Security assessment
Provides security documentation about required permissions for third-party connections without addressing a specific security issue
Diff
diff --git a/codepipeline/latest/userguide/action-reference-CodestarConnectionSource.md b/codepipeline/latest/userguide/action-reference-CodestarConnectionSource.md index b71aa8d4d..7d096cafc 100644 --- a/codepipeline/latest/userguide/action-reference-CodestarConnectionSource.md +++ b/codepipeline/latest/userguide/action-reference-CodestarConnectionSource.md @@ -5 +5 @@ -Action typeConfiguration parameters Input artifactsOutput artifactsOutput variablesAction declarationInstalling the installation app and creating a connectionSee also +Action typeConfiguration parameters Input artifactsOutput artifactsOutput variablesService role permissions: CodeConnections actionAction declarationInstalling the installation app and creating a connectionSee also @@ -99,0 +100,2 @@ Even if the Region is not enabled, third-party providers can still share your da + * Service role permissions: CodeConnections action + @@ -241,0 +244,15 @@ The name of the repository where the commit that triggered the pipeline was made +## Service role permissions: CodeConnections action + +For CodeConnections, the following permission is required to create pipelines with a source that uses a connection, such as Bitbucket Cloud. + + + { + "Effect": "Allow", + "Action": [ + "codeconnections:UseConnection" + ], + "Resource": "resource_ARN" + }, + +For more information about the IAM permissions for connections, see [Connections permissions reference](https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections). +