Can I use IAM condition keys for iam:*ServiceSpecificCredential to only allow creation of CodeCommit credentials?

Question

I am looking to allow people to create service specific credentials but want to restrict them to only being able to create credentials for the CodeCommit service. I see the "Resource": "arn:aws:iam::*:user/${aws:username}" restriction in many of the example policies, and in the sample response I see the <ServiceName> constraint in the JSON return. What I can't find though is if there's a way in the IAM policy granting permission to restrict authorization to just allowing CodeCommit credentials, as opposed to Amazon Keyspaces.

Is there a condition available to restrict this access? Thank you.

Answer

Unfortunately the documentation doesn't list any `Condition`s supported by that API method, which suggests you *cannot* limit it to just CodeCommit credentials (and not Keyspaces).

Depending on if you actually  use Keyspaces, could you potentially deny the users access to Keyspaces in the same policy, so that any created credentials would be useless?

Can I use IAM condition keys for iam:*ServiceSpecificCredential to only allow creation of CodeCommit credentials?

관련 콘텐츠