DEV Community

Cover image for Regulate Amazon CodeCommit Branche's Branching Permissions
Sarvar for AWS Community Builders

Posted on

Regulate Amazon CodeCommit Branche's Branching Permissions

Hello There!!!
Called Sarvar, I am an Enterprise Architect, Currently working at Deloitte. With years of experience working on cutting-edge technologies, I have honed my expertise in Cloud Operations (Azure and AWS), Data Operations, Data Analytics, and DevOps. Throughout my career, I’ve worked with clients from all around the world, delivering excellent results, and going above and beyond expectations. I am passionate about learning the latest and treading technologies.

Hope everyone is doing good. Since we have seen the comprehensive information on Amazon Codecommit branching in my previous article, I assume you have read that article and understand how the AWS Codecommit Branching Strategy operates. If not, don’t worry — I’ve included a link to the document directly below this paragraph, and I strongly advise you to read it. So let’s speak about what we looked into for this article. Today, we’ll explore how to give certain users or user groups permission to access particular codecommit branches. I’ll show you IAM Policies which help us to grant certain permissions to the user and user group so they can push changes to the codecommit repository. This comprehensive access-related article will show us how to use IAM Policies to set an access policies to amazon codecommit branches. Lets Explore….

Link: Git Branching Strategy for AWS Codecommit

Amazon CodeCommit Access Levels:
Here, we’ll check who has access to which branch and we will configure our IAM Policy accordingly. This is a basic approach that may vary depending on your organization or from organization to organization. It provides a high-level overview to help you understand which users will have access to which branches and why. Remember that the admin group will always have read-only access to the main branch and read-write access to all other branches.

There are the five most popular branch we will talk about:

1. Main Branch:
Usually, the master branch is only directly accessible to CI/CD processes or authorized persons. Ideally, only stable, production-ready code should be in this branch.

Allowed Only: To Leads and Admin

2. Hotfix Branch:
When there are serious issues in production, the hotfix branch is produced from main as needed, and it is merged into main and live production after it is complete to make sure the update is applied to the development, pre-production, and production branches.

Allowed Only: To Leads and Admin

3. Development Branch
For continuous development effort, the integrate branch is the develop branch. Developers typically have access to this branch while they are working on features or problem fixes.

Allowed Only: To Developer, Leads and Admin

4. Feature Branch:
For added features or improvements, feature branches are made. Developers can access their feature branch when they are working on a particular feature. On feature branches, access restriction can be more lax, enabling developers to work together freely on their individual features.

Allowed Only: To Developer, Leads and Admin

5. Release Branch
To be ready for a new release, release branches are made. Usually, only release leads or other people in charge of the release process have access to release branches. Upon creation, a release branch is typically frozen and restricted to bug fixes only.

Allowed Only: To Leads and Admin

Grant Access to the Branch Based on Above Discussion:

We are going to see three different user groups gaining access to the codecommit repository. We will see the IAM policies for the Leads Group, Admin Group, and Developers Group.

1. Developers Group IAM Policy:

Part 1: Basic Read Access
CodeCommit resources are accessible through read-only access under the IAM policy’s first section. These rights enable users to carry out tasks include listing resources, describing repositories, batch operations, fetching metadata, and learning about branches. Without any repository restrictions, this area permits broad read access to all CodeCommit resources.

Part 2: Operations Specific to Repositories
The IAM policy expands rights to particular operations inside a chosen CodeCommit repository in the second section. These rights allow users to do the following: create and remove files, add and remove tags from resources, assess pull request approval guidelines, merge branches, insert and post files, test functionality, edit repository details, and execute Git pulls and pushes. Users can carry out a variety of repository administration and version control operations with this set of actions, which are specific to a given repository that can be recognized by its ARN.

Part 3: Managed Branch Activities
Restrictions on a few crucial operations inside the designated CodeCommit repository are introduced in the third section. Under some circumstances, users are banned from merging branches, adding files, pushing to Git, and deleting branches. This set of requirements only applies when working with branches other than those that are specifically listed, such ‘Branch-Name.’ The purpose of this section is to limit and regulate high-impact operations, making sure they are only permitted in certain situations for improved branch administration and security.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "codecommit:BatchGet*",
                "codecommit:BatchDescribe*",
                "codecommit:Describe*",
                "codecommit:Get*",
                "codecommit:List*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "codecommit:BatchGet*",
                "codecommit:BatchDescribe*",
                "codecommit:Create*",
                "codecommit:DeleteFile",
                "codecommit:Describe*",
                "codecommit:EvaluatePullRequestApprovalRules",
                "codecommit:Get*",
                "codecommit:List*",
                "codecommit:Merge*",
                "codecommit:Put*",
                "codecommit:Post*",
                "codecommit:TagResource",
                "codecommit:Test*",
                "codecommit:UntagResource",
                "codecommit:Update*",
                "codecommit:GitPull",
                "codecommit:GitPush"
            ],
            "Resource": [
                "arn:aws:codecommit:ap-south-1:12345:Your-Repository-Name"
            ]
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Deny",
            "Action": [
                "codecommit:MergeBranchesByFastForward",
                "codecommit:MergeBranchesBySquash",
                "codecommit:MergePullRequestBySquash",
                "codecommit:MergePullRequestByThreeWay",
                "codecommit:MergeBranchesByThreeWay",
                "codecommit:MergePullRequestByFastForward",
                "codecommit:PutFile",
                "codecommit:GitPush",
                "codecommit:DeleteBranch"
            ],
            "Resource": [
                "arn:aws:codecommit:ap-south-1:12345:Your-Repository-Name"
            ],
            "Condition": {
                "Null": {
                    "codecommit:References": "false"
                },
                "StringEqualsIfExists": {
                    "codecommit:References": [
                        "refs/heads/Brach-Name",
                        "refs/heads/Brach-Name",
                        "refs/heads/Brach-Name"
                    ]
                }
            }
        }
    ]
}

Enter fullscreen mode Exit fullscreen mode

2. Admin Group IAM Policy:

Part 1: Basic Read Access
Users are granted basic read access to AWS CodeCommit resources through the first portion of the IAM policy. This covers authorization for tasks including information retrieval in batches, repository descriptions, details retrieval, resource listing, and branch information retrieval. These rights are applied to every CodeCommit resource globally.

Part 2: Operations Specific to Repositories
A more extensive set of rights, specifically for a designated CodeCommit repository identified by its ARN, are granted to users by the IAM policy in the second section. Creating and removing files, outlining repository information, assessing pull request approval guidelines, merging branches, uploading and deleting files, tagging and untagging resources, testing functionality, updating repository information, and executing Git pulls and pushes are all included in this.

Part 3: Managing Branch Activities
Restrictions on a few crucial operations inside the designated CodeCommit repository are introduced in the third section. It is forbidden for users to add files, push updates, merge branches, and do other operations to the Git repository. This refusal, meanwhile, is conditional and only applies to branches other than main. This indicates that the aforementioned limitations apply to branches other than the “main” branch, providing for more regulated access to crucial functions on non-primary branches.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "codecommit:BatchGet*",
        "codecommit:BatchDescribe*",
        "codecommit:Describe*",
        "codecommit:Get*",
        "codecommit:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "codecommit:BatchGet*",
        "codecommit:BatchDescribe*",
        "codecommit:Create*",
        "codecommit:DeleteFile",
        "codecommit:Describe*",
        "codecommit:EvaluatePullRequestApprovalRules",
        "codecommit:Get*",
        "codecommit:List*",
        "codecommit:Merge*",
        "codecommit:Put*",
        "codecommit:Post*",
        "codecommit:TagResource",
        "codecommit:Test*",
        "codecommit:UntagResource",
        "codecommit:Update*",
        "codecommit:GitPull",
        "codecommit:GitPush",
        "codecommit:DeleteBranch"
      ],
      "Resource": [
        "arn:aws:codecommit:ap-south-1:12345:Your-Repository-Name"
      ]
    },
    {
      "Sid": "VisualEditor3",
      "Effect": "Deny",
      "Action": [
        "codecommit:MergeBranchesByFastForward",
        "codecommit:MergeBranchesBySquash",
        "codecommit:MergePullRequestBySquash",
        "codecommit:MergePullRequestByThreeWay",
        "codecommit:MergeBranchesByThreeWay",
        "codecommit:MergePullRequestByFastForward",
        "codecommit:PutFile",
        "codecommit:GitPush"
      ],
      "Resource": [
        "arn:aws:codecommit:ap-south-1:12345:Your-Repository-Name"
      ],
      "Condition": {
        "Null": {
          "codecommit:References": "false"
        },
        "StringEqualsIfExists": {
          "codecommit:References": [
            "refs/heads/main"
          ]
        }
      }
    }
  ]
}
Enter fullscreen mode Exit fullscreen mode

3. Leads Group IAM Policy:

The linked leads group has unrestricted access to all AWS CodeCommit actions thanks to the supplied IAM policy. The Allow declaration for Action and Resource with the wildcard “*” essentially allows any CodeCommit activities on any repository in the AWS account. This wide access removes all restrictions and enables the designated entity to carry out any operation, including managing branches and updates and adding, removing, and altering repositories.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "codecommit:*",
            "Resource": "*"
        }
    ]
}
Enter fullscreen mode Exit fullscreen mode

Thus far, we have observed three different user groups accessing Amazon CodeCommit for various purposes. I have also included the policy with a specific user group, which should provide you with some guidance on how to make a unique IAM policy allowing different users to access the Amazon codecommit. Simply update the resource section of the policy with the new branch and repository names.

Conclusion: This article expects that readers are familiar with the AWS CodeCommit Branching Strategy and covers IAM Policies for controlling branch access to Amazon CodeCommit. highlighting the admin group’s usual read-only access to the main branch and read-write access to others, it offers a useful guidance for creating customized access for individuals or groups. The post encourages readers to modify the policy by adding pertinent branch and repository names to the resource section for a smooth integration into their CodeCommit system. It also contains scenarios with three user groups and a sample IAM policy for reference.

— — — — — — — —

Here is the End!

Thank you for taking the time to read my article. I hope you found this article informative and helpful. As I continue to explore the latest developments in technology, I look forward to sharing my insights with you. Stay tuned for more articles like this one that break down complex concepts and make them easier to understand.

Remember, learning is a lifelong journey, and it’s important to keep up with the latest trends and developments to stay ahead of the curve. Thank you again for reading, and I hope to see you in the next article!

Happy Learning!

Top comments (2)

Collapse
 
sarvar_04 profile image
Sarvar

Thank You!