我正在尝试创建一个 IAM 策略来阻止用户在代码提交时对分支进行任何写入更改。如果能阻止读取访问就更好了,但我不知道是否能做到。我需要他们能够访问其他分支,但特别是其中一个分支,只能读取。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "codecommit:GitPull",
"Resource": "arn:aws:codecommit:us-east-1:9192919:mybranch"
},
{
"Sid": "VisualEditor1",
"Effect": "Deny",
"Action": [
"codecommit:MergePullRequestByFastForward",
"codecommit:PutFile",
"codecommit:GitPush",
"codecommit:DeleteBranch"
],
"Resource": "arn:aws:codecommit:us-east-1:9192919:mybranch",
"Condition": {
"Null": {
"codecommit:References": "false"
},
"StringEqualsIfExists": {
"codecommit:References": "refs/heads/prod1"
}
}
}
]
}
答案1
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Regra1",
"Effect": "Allow",
"Action": "codecommit:GitPull", //flush git pul to your repo yourRepo
"Resource": [
"arn:aws:codecommit:us-east-1:256267233865:yourRepo"
],
"Condition": {
"StringNotEquals": {
"codecommit:References": [
"refs/heads/main",
"refs/heads/master"
]
}
}
},
{
"Sid": "Regra2",
"Effect": "Allow",
"Action": [
"codecommit:GitPush",
"codecommit:DeleteBranch",
"codecommit:PutFile",
"codecommit:MergeBranchesByFastForward",
"codecommit:MergeBranchesBySquash",
"codecommit:MergeBranchesByThreeWay",
"codecommit:MergePullRequestByFastForward",
"codecommit:MergePullRequestBySquash",
"codecommit:MergePullRequestByThreeWay",
"codecommit:CreateBranch"
],
"Resource": [
"arn:aws:codecommit:us-east-1:256267233865:yourRepo"
],
"Condition": { //blocks push, commit, merge to the yourRepo
"StringNotEquals": {
"codecommit:References": [
"refs/heads/main",
"refs/heads/master",
"refs/heads/homolog"
]
}
}
}
]
}