AWS CodeBuild
User Guide (API Version 2016-10-06)

Using Identity-Based Policies (IAM Policies) for CodeBuild

This topic provides examples of identity-based policies that demonstrate how an account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles) and thereby grant permissions to perform operations on AWS CodeBuild resources.

Important

We recommend that you first review the introductory topics that explain the basic concepts and options available to manage access to your CodeBuild resources. For more information, see Overview of Managing Access Permissions to Your CodeBuild Resources.

The following shows an example of a permissions policy that allows a user to get information about build projects only in the us-east-2 region for account 123456789012 for any build project that starts with the name my:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:BatchGetProjects", "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/my*" } ] }

Permissions Required to Use the CodeBuild Console

A user who uses the AWS CodeBuild console must have a minimum set of permissions that allows the user to describe other AWS resources for the AWS account. You must have permissions from the following services:

  • AWS CodeBuild

  • Amazon CloudWatch

  • CodeCommit (if you are storing your source code in an AWS CodeCommit repository)

  • Amazon Elastic Container Registry (Amazon ECR) (if you are using a build environment that relies on a Docker image in an Amazon ECR repository)

  • Amazon Elastic Container Service (Amazon ECS) (if you are using a build environment that relies on a Docker image in an Amazon ECR repository)

  • AWS Identity and Access Management (IAM)

  • AWS Key Management Service (AWS KMS)

  • Amazon Simple Storage Service (Amazon S3)

If you create an IAM policy that is more restrictive than the minimum required permissions, the console won't function as intended.

Permissions Required for the CodeBuild Console to Connect to Source Providers

The AWS CodeBuild console uses the following API actions to connect to source providers (for example, GitHub repositories).

  • codebuild:ListConnectedOAuthAccounts

  • codebuild:ListRepositories

  • codebuild:PersistOAuthToken

  • codebuild:ImportSourceCredentials

You can associate source providers (such as GitHub repositories) with your build projects using the CodeBuild console. To do this, you must first add the preceding API actions to IAM access policies associated with the IAM user you use to access the CodeBuild console.

The ListConnectedOAuthAccounts, ListRepositories, and PersistOAuthToken API actions are not intended to be called by your code. Therefore, these API actions are not included in the AWS CLI and AWS SDKs.

AWS Managed (Predefined) Policies for CodeBuild

AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. These AWS managed policies grant necessary permissions for common use cases so you can avoid having to investigate what permissions are needed. For more information, see AWS Managed Policies in the IAM User Guide.

The following AWS managed policies, which you can attach to users in your account, are specific to AWS CodeBuild.

  • AWSCodeBuildAdminAccess – Provides full access to CodeBuild including permissions to administrate CodeBuild build projects.

  • AWSCodeBuildDeveloperAccess – Provides access to CodeBuild but does not allow build project administration.

  • AWSCodeBuildReadOnlyAccess – Provides read-only access to CodeBuild.

To access build output artifacts that CodeBuild creates, you must also attach the AWS managed policy named AmazonS3ReadOnlyAccess.

To create and manage CodeBuild service roles, you must also attach the AWS managed policy named IAMFullAccess.

You can also create your own custom IAM policies to allow permissions for CodeBuild actions and resources. You can attach these custom policies to the IAM users or groups that require those permissions.

Customer-Managed Policy Examples

In this section, you can find example user policies that grant permissions for AWS CodeBuild actions. These policies work when you are using the CodeBuild API, AWS SDKs, or AWS CLI. When you are using the console, you must grant additional permissions specific to the console. For information, see Permissions Required to Use the CodeBuild Console.

You can use the following sample IAM policies to limit CodeBuild access for your IAM users and roles.

Allow a User to Get Information About Build Projects

The following example policy statement allows a user to get information about build projects only in the us-east-2 region for account 123456789012 for any build project that starts with the name my:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:BatchGetProjects", "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/my*" } ] }

Allow a User to Create Build Projects

The following example policy statement allows a user to create build projects with any name but only in the us-east-2 region for account 123456789012 and using only the specified CodeBuild service role:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:CreateProject", "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/*" }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam:123456789012:role/CodeBuildServiceRole" } ] }

Allow a User to Delete Build Projects

The following example policy statement allows a user to delete build projects only in the us-east-2 region for account 123456789012 for any build project that starts with the name my:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:DeleteProject", "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/my*" } ] }

Allow a User to Get a List of Build Project Names

The following example policy statement allows a user to get a list of build project names for the same account:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:ListProjects", "Resource": "*" } ] }

Allow a User to Change Information About Build Projects

The following example policy statement allows a user to change information about build projects with any name but only in the us-east-2 region for account 123456789012 and using only the specified AWS CodeBuild service role:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:UpdateProject", "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/*" }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam:123456789012:role/CodeBuildServiceRole" } ] }

Allow a User to Get Information About Builds

The following example policy statement allows a user to get information about builds only in the us-east-2 region for account 123456789012 for the build projects named my-build-project and my-other-build-project:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:BatchGetBuilds", "Resource": [ "arn:aws:codebuild:us-east-2:123456789012:project/my-build-project", "arn:aws:codebuild:us-east-2:123456789012:project/my-other-build-project" ] } ] }

Allow a User to Get a List of Build IDs for a Build Project

The following example policy statement allows a user to get a list of build IDs only in the us-east-2 region for account 123456789012 for the build projects named my-build-project and my-other-build-project:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:ListBuildsForProject", "Resource": [ "arn:aws:codebuild:us-east-2:123456789012:project/my-build-project", "arn:aws:codebuild:us-east-2:123456789012:project/my-other-build-project" ] } ] }

Allow a User to Get a List of Build IDs

The following example policy statement allows a user to get a list of all build IDs for the same account:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:ListBuilds", "Resource": "*" } ] }

Allow a User to Begin Running Builds

The following example policy statement allows a user to run builds only in the us-east-2 region for account 123456789012 for build project that starts with the name my:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:StartBuild", "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/my*" } ] }

Allow a User to Attempt to Stop Builds

The following example policy statement allows a user to attempt to stop running builds only in the us-east-2 region for account 123456789012 for any build project that starts with the name my:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:StopBuild", "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/my*" } ] }

Allow a User to Attempt to Delete Builds

The following example policy statement allows a user to attempt to delete builds only in the us-east-2 region for account 123456789012 for any build project that starts with the name my:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:BatchDeleteBuilds", "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/my*" } ] }

Allow a User to Get Information About Docker Images that Are Managed by CodeBuild

The following example policy statement allows a user to get information about all Docker images that are managed by CodeBuild:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:ListCuratedEnvironmentImages", "Resource": "*" } ] }

Allow CodeBuild Access to AWS Services Required to Create a VPC Network Interface

The following example policy statement grants AWS CodeBuild permission to create a network interface in an Amazon VPC with two subnets:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface", "ec2:DescribeDhcpOptions", "ec2:DescribeNetworkInterfaces", "ec2:DeleteNetworkInterface", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribeVpcs" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterfacePermission" ], "Resource": "arn:aws:ec2:region:account-id:network-interface/*", "Condition": { "StringEquals": { "ec2:Subnet": [ "arn:aws:ec2:region:account-id:subnet/subnet-id-1", "arn:aws:ec2:region:account-id:subnet/subnet-id-2" ], "ec2:AuthorizedService": "codebuild.amazonaws.com" } } } ] }

Use a Deny Statement to Prevent CodeBuild from Disconnecting from Source Providers

The following example policy statement uses a deny statement to prevent AWS CodeBuild from disconnecting from source providers. It uses codebuild:DeleteOAuthToken, which is the inverse of codebuild:PersistOAuthToken and codebuild:ImportSourceCredentials, to connect with source providers. For more information, see Permissions Required for the CodeBuild Console to Connect to Source Providers.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "codebuild:DeleteOAuthToken", "Resource": "*" } ] }