Working with test report permissions - AWS CodeBuild

Working with test report permissions

This topic describes important information about permissions related to test reporting.

Create a role for test reports

To run a test report, and to update a project to include test reports, your IAM role requires the following permissions. These permissions are included in the predefined AWS managed policies. If you want to add test reporting to an existing build project, you must add these permissions yourself.

  • CreateReportGroup

  • CreateReport

  • UpdateReport

  • BatchPutTestCases

To run a code coverage report, your IAM role must also include the BatchPutCodeCoverages permission.


BatchPutTestCases, CreateReport, UpdateReport, and BatchPutCodeCoverages are not public permissions. You cannot call a corresponding AWS CLI command or SDK method for these permissions.

To make sure you have these permissions, you can attach the following policy to your IAM role:

{ "Effect": "Allow", "Resource": [ "*" ], "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages" ] }

We recommend that you restrict this policy to only those report groups you must use. The following restricts permissions to only the report groups with the two ARNs in the policy:

{ "Effect": "Allow", "Resource": [ "arn:aws:codebuild:your-region:your-aws-account-id:report-group/report-group-name-1", "arn:aws:codebuild:your-region:your-aws-account-id:report-group/report-group-name-2" ], "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages" ] }

The following restricts permissions to only report groups created by running builds of a project named my-project:

{ "Effect": "Allow", "Resource": [ "arn:aws:codebuild:your-region:your-aws-account-id:report-group/my-project-*" ], "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages" ] }

The CodeBuild service role specified in the project is used for permissions to upload to the S3 bucket.

You can specify permissions for the following test reporting CodeBuild API operations:

  • BatchGetReportGroups

  • BatchGetReports

  • CreateReportGroup

  • DeleteReportGroup

  • DeleteReport

  • DescribeTestCases

  • ListReportGroups

  • ListReports

  • ListReportsForReportGroup

  • UpdateReportGroup

For more information, see AWS CodeBuild permissions reference.

Test reporting permissions examples

For information about sample policies related to test reporting, see the following: