Block read access to a branch in a CodeCommit Repository

Question

I have created a repository in CodeCommit. It has one master branch and a few other branches such as module-1, module-2, module-3, module-4, and module-5. I have created 3 groups(org-1, org-2, org-3) and each group has 10 users. Now I am trying to figure out to achieve the following level of restriction.

module-1 - org-1 users only - view and modify

module-2 - org-2 users only - view and modify

module-3 - org-3 users only - view and modify

module-4 - org-1 users and org-2 users only - view and modify

module-5 - all group users can access - read-only

I am trying to enforce policies but can not achieve this. I can block write access successfully, but when it comes to blocking read access for a particular branch and making a branch invisible for a certain user group, cannot achieve that.  Can you please help me with this scenario? Thanks in advance.

Answer

Hello,

Review the IAM actions for CodeCommit [1] and you will see access control at the branch level is limited to write actions only.  Unfortunately, read actions are limited to just the repository and cannot get more granular.  If you wish to control read access, it will be necessary to break out the branches to separate repositories.

[1] https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodecommit.html

Block read access to a branch in a CodeCommit Repository

관련 콘텐츠