By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

codecommit Access denied with an non existent explicit Deny

0

I am trying to perform a git pull action and I get the warning: Access denied: User: arn:aws:iam::account:user/username is not authorized to perform: codecommit:GitPull on resource: arn:aws:codecommit:region:account:repo with an explicit deny in an identity-based policy fatal: Could not read from remote repository.

but none of my permissions contain an explicit deny. In fact there is an explicit allow for codecommit:* to the repo in on of my policies. I have an mfa policy, but it allows access to codecommit:* without mfa. Any help would be greatly appreciated

Topics
Developer ToolsSecurity, Identity, & Compliance
Tags
AWS CodeCommitAWS Identity and Access ManagementIAM Policies
Language
English
Nyall
asked 4 months ago263 views
1 Answer
0

Hello.

Since CodeCommit is encrypted with KMS, you need to configure IAM policy to allow KMS operations.
https://docs.aws.amazon.com/codecommit/latest/userguide/auth-and-access-control-iam-identity-based-access-control.html
https://docs.aws.amazon.com/codecommit/latest/userguide/encryption.html

So, I don't know what your policy settings are currently, but I think it will work if you set it as follows.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListActions",
            "Effect": "Allow",
            "Action": [
                "iam:ListUsers",
                "iam:ListVirtualMFADevices"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowIndividualUserToListOnlyTheirOwnMFA",
            "Effect": "Allow",
            "Action": [
                "iam:ListMFADevices"
            ],
            "Resource": [
                "arn:aws:iam::*:mfa/*",
                "arn:aws:iam::*:user/${aws:username}"
            ]
        },
        {
            "Sid": "AllowIndividualUserToManageTheirOwnMFA",
            "Effect": "Allow",
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ResyncMFADevice"
            ],
            "Resource": [
                "arn:aws:iam::*:mfa/${aws:username}",
                "arn:aws:iam::*:user/${aws:username}"
            ]
        },
        {
            "Sid": "AllowIndividualUserToDeactivateOnlyTheirOwnMFAOnlyWhenUsingMFA",
            "Effect": "Allow",
            "Action": [
                "iam:DeactivateMFADevice"
            ],
            "Resource": [
                "arn:aws:iam::*:mfa/${aws:username}",
                "arn:aws:iam::*:user/${aws:username}"
            ],
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "true"
                }
            }
        },
        {
            "Sid": "BlockMostAccessUnlessSignedInWithMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ListUsers",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "codecommit:*"
            ],
            "Resource": "*",
            "Condition": {
                "Null": {
                    "kms:ViaService": "true"
                },
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}
profile picture
EXPERT
Riku_Kobayashi
answered 4 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content