Working with test report permissions

This topic describes important information about permissions related to test reporting.

Create a role for test reports

To run a test report, and to update a project to include test reports, your IAM role requires the following permissions. These permissions are included in the predefined AWS managed policies. If you want to add test reporting to an existing build project, you must add these permissions yourself.

• CreateReportGroup

• CreateReport

• UpdateReport

• BatchPutTestCases

To run a code coverage report, your IAM role must also include the BatchPutCodeCoverages permission.

Note

BatchPutTestCases, CreateReport, UpdateReport, and BatchPutCodeCoverages are not public permissions. You cannot call a corresponding AWS CLI command or SDK method for these permissions.

To make sure you have these permissions, you can attach the following policy to your IAM role:

{
    "Effect": "Allow",
    "Resource": [
        "*"
    ],
    "Action": [
        "codebuild:CreateReportGroup",
        "codebuild:CreateReport",
        "codebuild:UpdateReport",
        "codebuild:BatchPutTestCases",
        "codebuild:BatchPutCodeCoverages"
    ]
}

We recommend that you restrict this policy to only those report groups you must use. The following restricts permissions to only the report groups with the two ARNs in the policy:

{
    "Effect": "Allow",
    "Resource": [
        "arn:aws:codebuild:your-region:your-aws-account-id:report-group/report-group-name-1",
        "arn:aws:codebuild:your-region:your-aws-account-id:report-group/report-group-name-2"
    ],
    "Action": [
        "codebuild:CreateReportGroup",
        "codebuild:CreateReport",
        "codebuild:UpdateReport",
        "codebuild:BatchPutTestCases",
        "codebuild:BatchPutCodeCoverages"
    ]
}

The following restricts permissions to only report groups created by running builds of a project named my-project:

{
    "Effect": "Allow",
    "Resource": [
        "arn:aws:codebuild:your-region:your-aws-account-id:report-group/my-project-*"
    ],
    "Action": [
        "codebuild:CreateReportGroup",
        "codebuild:CreateReport",
        "codebuild:UpdateReport",
        "codebuild:BatchPutTestCases",
        "codebuild:BatchPutCodeCoverages"
    ]
}

Note

The CodeBuild service role specified in the project is used for permissions to upload to the S3 bucket.

Permissions for test reporting operations

You can specify permissions for the following test reporting CodeBuild API operations:

• BatchGetReportGroups

• BatchGetReports

• CreateReportGroup

• DeleteReportGroup

• DeleteReport

• DescribeTestCases

• ListReportGroups

• ListReports

• ListReportsForReportGroup

• UpdateReportGroup

For more information, see AWS CodeBuild permissions reference.

Test reporting permissions examples

For information about sample policies related to test reporting, see the following:

• Allow a user to change a report group

• Allow a user to create a report group

• Allow a user to delete a report

• Allow a user to delete a report group

• Allow a user to get information about report groups

• Allow a user to get information about reports

• Allow a user to get a list of report groups

• Allow a user to get a list of reports

• Allow a user to get a list of reports for a report group

• Allow a user to get a list of test cases for a report