How to do it...

Let's get started with that, and perform the following operations:

  1. First of all, let's create a custom policy where we will give the restriction definition.
  2. Go to IAM Console and click on the Policies section. Then, click on Create Policy:
  3. Click on Create Your Own Policy:
  1. You will be redirected to another page where you have to fill in the Policy Name, a description of the policy, and a policy document. The policy document will be the definition, where we will mention the resources and actions:
  1. Insert the following policy definition (x60xxxxxxx39 will be basically your account ID):
    {
     "Version": "2012-10-17",
     "Statement": [
     {
     "Effect": "Allow",
     "Action": [
     "codecommit:GitPull",
     "codecommit:GitPush"
     ],
     "Resource": "arn:aws:codecommit:us-east-1:x60xxxxxxx39:HelloWorld"
     }
     ]
     }
  1. Click on Create Policy; then we will have our own custom policy:
  2. Now, let's remove the AWSCodeCommitPowerUser access from the IAM user that we created to clone the repository by clicking on x:
  1. Click on Add permissionsafter that click on Attach Existing Policies Directly and search for Policy name in filter, check that, and save it:

  1. We will have a user with only our custom policy, which means the user will only have access to the HelloWorld repository and only two actions, git push and git clone:
    awsstar@awsstar:~$ aws codecommit list-repositories
    An error occurred (AccessDeniedException) when calling the     ListRepositories operation: User:     arn:aws:iam::16xxxxxx139:user/awsccuser is not authorized to perform:     codecommit:ListRepositories

The preceding command output shows AccessDeniedException, that is, awsccuser is not authorized to perform codecommit:ListRepositories. The reason for this is we have given access to only two operations or actions: git push and git clone.

上一章目录下一章