class aws_cdk.aws_codebuild.LinuxBuildImage(*args: Any, **kwargs)

Bases: object

A CodeBuild image running x86-64 Linux.

This class has a bunch of public constants that represent the most popular images.

You can also specify a custom image using one of the static methods:

  • LinuxBuildImage.fromDockerRegistry(image[, { secretsManagerCredentials }])

  • LinuxBuildImage.fromEcrRepository(repo[, tag])

  • LinuxBuildImage.fromAsset(parent, id, props)





pipeline = pipelines.CodePipeline(self, "Pipeline",
        input=pipelines.CodePipelineSource.connection("my-org/my-app", "main",
        commands=["npm ci", "npm run build", "npx cdk synth"]

    # Turn this on because the pipeline uses Docker image assets

                # The user of a Docker image asset in the pipeline requires turning on
                # 'dockerEnabledForSelfMutation'.
                build_image=codebuild.LinuxBuildImage.from_asset(self, "Image",



Make a buildspec to run the indicated script.


entrypoint (str) –

Return type:


validate(*, build_image=None, certificate=None, compute_type=None, environment_variables=None, fleet=None, privileged=None)

Allows the image a chance to validate whether the passed configuration is correct.

  • build_image (Optional[IBuildImage]) – The image used for the builds. Default: LinuxBuildImage.STANDARD_1_0

  • certificate (Union[BuildEnvironmentCertificate, Dict[str, Any], None]) – The location of the PEM-encoded certificate for the build project. Default: - No external certificate is added to the project

  • compute_type (Optional[ComputeType]) – The type of compute to use for this build. See the ComputeType enum for the possible values. Default: taken from #buildImage#defaultComputeType

  • environment_variables (Optional[Mapping[str, Union[BuildEnvironmentVariable, Dict[str, Any]]]]) – The environment variables that your builds can use.

  • fleet (Optional[IFleet]) – Fleet resource for a reserved capacity CodeBuild project. Fleets allow for process builds or tests to run immediately and reduces build durations, by reserving compute resources for your projects. You will be charged for the resources in the fleet, even if they are idle. Default: - No fleet will be attached to the project, which will remain on-demand.

  • privileged (Optional[bool]) – Indicates how the project builds Docker images. Specify true to enable running the Docker daemon inside a Docker container. This value must be set to true only if this build project will be used to build Docker images, and the specified build environment image is not one provided by AWS CodeBuild with Docker support. Otherwise, all associated builds that attempt to interact with the Docker daemon will fail. Default: false

Return type:



AMAZON_LINUX_2 = <aws_cdk.aws_codebuild.LinuxBuildImage object>
AMAZON_LINUX_2_2 = <aws_cdk.aws_codebuild.LinuxBuildImage object>
AMAZON_LINUX_2_3 = <aws_cdk.aws_codebuild.LinuxBuildImage object>
AMAZON_LINUX_2_4 = <aws_cdk.aws_codebuild.LinuxBuildImage object>
AMAZON_LINUX_2_5 = <aws_cdk.aws_codebuild.LinuxBuildImage object>
AMAZON_LINUX_2_CORETTO_11 = <aws_cdk.aws_codebuild.LinuxBuildImage object>
AMAZON_LINUX_2_CORETTO_8 = <aws_cdk.aws_codebuild.LinuxBuildImage object>
STANDARD_1_0 = <aws_cdk.aws_codebuild.LinuxBuildImage object>
STANDARD_2_0 = <aws_cdk.aws_codebuild.LinuxBuildImage object>
STANDARD_3_0 = <aws_cdk.aws_codebuild.LinuxBuildImage object>
STANDARD_4_0 = <aws_cdk.aws_codebuild.LinuxBuildImage object>
STANDARD_5_0 = <aws_cdk.aws_codebuild.LinuxBuildImage object>
STANDARD_6_0 = <aws_cdk.aws_codebuild.LinuxBuildImage object>
STANDARD_7_0 = <aws_cdk.aws_codebuild.LinuxBuildImage object>

The default ComputeType to use with this image, if one was not specified in BuildEnvironment#computeType explicitly.


The Docker image identifier that the build environment uses.


The type of principal that CodeBuild will use to pull this build Docker image.


An optional ECR repository that the image is hosted in.


The secretsManagerCredentials for access to a private registry.


The type of build environment.

Static Methods

classmethod from_asset(scope, id, *, directory, asset_name=None, build_args=None, build_secrets=None, build_ssh=None, cache_disabled=None, cache_from=None, cache_to=None, file=None, invalidation=None, network_mode=None, outputs=None, platform=None, target=None, extra_hash=None, exclude=None, follow_symlinks=None, ignore_mode=None)

Uses an Docker image asset as a x86-64 Linux build image.

  • scope (Construct) –

  • id (str) –

  • directory (str) – The directory where the Dockerfile is stored. Any directory inside with a name that matches the CDK output folder (cdk.out by default) will be excluded from the asset

  • asset_name (Optional[str]) – Unique identifier of the docker image asset and its potential revisions. Required if using AppScopedStagingSynthesizer. Default: - no asset name

  • build_args (Optional[Mapping[str, str]]) – Build args to pass to the docker build command. Since Docker build arguments are resolved before deployment, keys and values cannot refer to unresolved tokens (such as lambda.functionArn or queue.queueUrl). Default: - no build args are passed

  • build_secrets (Optional[Mapping[str, str]]) – Build secrets. Docker BuildKit must be enabled to use build secrets. Default: - no build secrets

  • build_ssh (Optional[str]) – SSH agent socket or keys to pass to the docker build command. Docker BuildKit must be enabled to use the ssh flag Default: - no –ssh flag

  • cache_disabled (Optional[bool]) – Disable the cache and pass --no-cache to the docker build command. Default: - cache is used

  • cache_from (Optional[Sequence[Union[DockerCacheOption, Dict[str, Any]]]]) – Cache from options to pass to the docker build command. Default: - no cache from options are passed to the build command

  • cache_to (Union[DockerCacheOption, Dict[str, Any], None]) – Cache to options to pass to the docker build command. Default: - no cache to options are passed to the build command

  • file (Optional[str]) – Path to the Dockerfile (relative to the directory). Default: ‘Dockerfile’

  • invalidation (Union[DockerImageAssetInvalidationOptions, Dict[str, Any], None]) – Options to control which parameters are used to invalidate the asset hash. Default: - hash all parameters

  • network_mode (Optional[NetworkMode]) – Networking mode for the RUN commands during build. Support docker API 1.25+. Default: - no networking mode specified (the default networking mode NetworkMode.DEFAULT will be used)

  • outputs (Optional[Sequence[str]]) – Outputs to pass to the docker build command. Default: - no outputs are passed to the build command (default outputs are used)

  • platform (Optional[Platform]) – Platform to build for. Requires Docker Buildx. Default: - no platform specified (the current machine architecture will be used)

  • target (Optional[str]) – Docker target to build to. Default: - no target

  • extra_hash (Optional[str]) – Extra information to encode into the fingerprint (e.g. build instructions and other inputs). Default: - hash is only based on source content

  • exclude (Optional[Sequence[str]]) – File paths matching the patterns will be excluded. See ignoreMode to set the matching behavior. Has no effect on Assets bundled using the bundling property. Default: - nothing is excluded

  • follow_symlinks (Optional[SymlinkFollowMode]) – A strategy for how to handle symlinks. Default: SymlinkFollowMode.NEVER

  • ignore_mode (Optional[IgnoreMode]) – The ignore behavior to use for exclude patterns. Default: IgnoreMode.GLOB

Return type:


classmethod from_code_build_image_id(id)

Uses a Docker image provided by CodeBuild.


id (str) – The image identifier.

Return type:



A Docker image provided by CodeBuild.



classmethod from_docker_registry(name, *, secrets_manager_credentials=None)
  • name (str) –

  • secrets_manager_credentials (Optional[ISecret]) – The credentials, stored in Secrets Manager, used for accessing the repository holding the image, if the repository is private. Default: no credentials will be used (we assume the repository is public)

Return type:



a x86-64 Linux build image from a Docker Hub image.

classmethod from_ecr_repository(repository, tag_or_digest=None)
  • repository (IRepository) – The ECR repository.

  • tag_or_digest (Optional[str]) – Image tag or digest (default “latest”, digests must start with sha256:).

Return type:



A x86-64 Linux build image from an ECR repository.

NOTE: if the repository is external (i.e. imported), then we won’t be able to add a resource policy statement for it so CodeBuild can pull the image.