Can I use IAM condition keys for iam:*ServiceSpecificCredential to only allow creation of CodeCommit credentials?

1

I am looking to allow people to create service specific credentials but want to restrict them to only being able to create credentials for the CodeCommit service. I see the "Resource": "arn:aws:iam::*:user/${aws:username}" restriction in many of the example policies, and in the sample response I see the <ServiceName> constraint in the JSON return. What I can't find though is if there's a way in the IAM policy granting permission to restrict authorization to just allowing CodeCommit credentials, as opposed to Amazon Keyspaces.

Is there a condition available to restrict this access? Thank you.

1 Answer
0

Unfortunately the documentation doesn't list any Conditions supported by that API method, which suggests you cannot limit it to just CodeCommit credentials (and not Keyspaces).

Depending on if you actually use Keyspaces, could you potentially deny the users access to Keyspaces in the same policy, so that any created credentials would be useless?

rowanu
answered a year ago
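
The workaround suggested in the answer above, written out as an identity policy. This is an added example, not part of the original answer or AWS's own sample; it assumes the users have no legitimate need for Keyspaces, uses `cassandra:*` as the Amazon Keyspaces action namespace, and the `Sid` values are made up for illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageOwnServiceSpecificCredentials",
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceSpecificCredential",
        "iam:ListServiceSpecificCredentials",
        "iam:UpdateServiceSpecificCredential",
        "iam:ResetServiceSpecificCredential",
        "iam:DeleteServiceSpecificCredential"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "DenyAllKeyspacesActions",
      "Effect": "Deny",
      "Action": "cassandra:*",
      "Resource": "*"
    }
  ]
}
```

The first statement still lets a user create a Keyspaces credential for themselves; the explicit `Deny` overrides any `Allow` from other attached policies, so that credential cannot authorize any Keyspaces action.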
