Can I use IAM condition keys for iam:*ServiceSpecificCredential to only allow creation of CodeCommit credentials?

1

I am looking to allow people to create service specific credentials but want to restrict them to only being able to create credentials for the CodeCommit service. I see the "Resource": "arn:aws:iam::*:user/${aws:username}" restriction in many of the example policies, and in the sample response I see the <ServiceName> constraint in the JSON return. What I can't find though is if there's a way in the IAM policy granting permission to restrict authorization to just allowing CodeCommit credentials, as opposed to Amazon Keyspaces.

Is there a condition available to restrict this access? Thank you.

1 Answer
0

Unfortunately the documentation doesn't list any Conditions supported by that API method, which suggests you cannot limit it to just CodeCommit credentials (and not Keyspaces).

Depending on if you actually use Keyspaces, could you potentially deny the users access to Keyspaces in the same policy, so that any created credentials would be useless?

rowanu
answered a year ago
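
A sketch of the workaround suggested in the answer above, as an added example that is not from the question or the answer: an identity policy that lets a user manage service-specific credentials on their own IAM user and explicitly denies every Amazon Keyspaces action. The `Sid` values are made up for illustration, and the policy assumes the users it is attached to have no legitimate need for Keyspaces.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageOwnServiceSpecificCredentials",
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceSpecificCredential",
        "iam:ListServiceSpecificCredentials",
        "iam:UpdateServiceSpecificCredential",
        "iam:DeleteServiceSpecificCredential",
        "iam:ResetServiceSpecificCredential"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "DenyAllKeyspacesActions",
      "Effect": "Deny",
      "Action": "cassandra:*",
      "Resource": "*"
    }
  ]
}
```

With this policy a Keyspaces credential can still be created, but it belongs to an IAM user for whom every `cassandra:` action is explicitly denied, and an explicit deny overrides any allow granted by another policy attached to that user.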
