Is there any way to make IAM policy where user should not be allowed to push the code to the branch directly? They should only do it through pull request.
It depends on the hosting service. Gitlab and Github have a feature "Protected Branches". Gerrit has a permission category "Push". I think aws-codecommit also has such access controls. – ElpieKay Jul 28 '22 at 12:14
1 Answer
Yes, it is possible to ensure the only way of modifying your branches is through a pull request. You can achieve this by either removing the following permissions from your policy or adding an explicit Deny, in case you are using an AWS managed policy:
codecommit:MergeBranchesByFastForward
codecommit:MergeBranchesBySquash
codecommit:MergeBranchesByThreeWay
And make sure you have the permissions to merge a pull request:
codecommit:MergePullRequestByFastForward
codecommit:MergePullRequestBySquash
codecommit:MergePullRequestByThreeWay
Here are the docs with the permissions for CodeCommit: https://docs.aws.amazon.com/codecommit/latest/userguide/auth-and-access-control-permissions-reference.html#aa-pr

palvarez
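As an added example (not part of the answer above), here is an IAM policy statement that turns the answer's list into an explicit Deny and scopes it to the protected branch. Alongside the three MergeBranches* actions it also denies codecommit:GitPush, since a plain `git push` to the branch is authorized by that action rather than by the merge actions; the condition uses the codecommit:References key so that pushes to other branches stay allowed. The account id and repository name are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDirectChangesToMainOutsidePullRequests",
      "Effect": "Deny",
      "Action": [
        "codecommit:GitPush",
        "codecommit:PutFile",
        "codecommit:DeleteBranch",
        "codecommit:MergeBranchesByFastForward",
        "codecommit:MergeBranchesBySquash",
        "codecommit:MergeBranchesByThreeWay"
      ],
      "Resource": "arn:aws:codecommit:us-east-1:111111111111:MyDemoRepo",
      "Condition": {
        "StringEqualsIfExists": {
          "codecommit:References": ["refs/heads/main"]
        },
        "Null": {
          "codecommit:References": "false"
        }
      }
    },
    {
      "Sid": "AllowMergingThroughPullRequests",
      "Effect": "Allow",
      "Action": [
        "codecommit:MergePullRequestByFastForward",
        "codecommit:MergePullRequestBySquash",
        "codecommit:MergePullRequestByThreeWay"
      ],
      "Resource": "arn:aws:codecommit:us-east-1:111111111111:MyDemoRepo"
    }
  ]
}
```

The Null check keeps the Deny from matching requests that carry no reference at all, so only operations that name refs/heads/main are blocked; verify the effect with a test push from a user holding the policy before relying on it.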