Using identity-based policies for Amazon CodeBuild - Amazon CodeBuild
The Amazon Web Services services or features described in the Amazon Web Services documentation may vary by region. To see the differences that apply to the China regions, see Getting Started with Amazon Web Services in China.

This page is a machine translation. Where the translation and the English original differ, the English original is authoritative.

Using identity-based policies for Amazon CodeBuild

This topic provides examples of identity-based policies that show how an account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles) and thereby grant permission to perform operations on Amazon CodeBuild resources.

Important

We recommend that you first review the introductory topics that explain the basic concepts and options available for managing access to your CodeBuild resources. For more information, see Overview of managing access permissions to your Amazon CodeBuild resources.

The following is an example of a permissions policy that allows a user only to get information about build projects whose names start with my, in the us-east-2 region of account 123456789012:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:BatchGetProjects",
      "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/my*"
    }
  ]
}

Permissions required to use the Amazon CodeBuild console

A user who uses the Amazon CodeBuild console must have a minimum set of permissions that allows the user to describe other Amazon resources for the Amazon account. You must have permissions from the following services:

  • Amazon CodeBuild

  • Amazon CloudWatch

  • CodeCommit (if you are storing source code in an Amazon CodeCommit repository)

  • Amazon Elastic Container Registry (Amazon ECR) (if you are using a build environment that relies on a Docker image in an Amazon ECR repository)

  • Amazon Elastic Container Service (Amazon ECS) (if you are using a build environment that relies on a Docker image in an Amazon ECR repository)

  • Amazon Identity and Access Management (IAM)

  • Amazon Key Management Service (Amazon KMS)

  • Amazon Simple Storage Service (Amazon S3)

If you create an IAM policy that is more restrictive than the minimum required permissions, the console does not function as intended.

Permissions required for the Amazon CodeBuild console to connect to source providers

The Amazon CodeBuild console uses the following API actions to connect to source providers (for example, GitHub repositories).

  • codebuild:ListConnectedOAuthAccounts

  • codebuild:ListRepositories

  • codebuild:PersistOAuthToken

  • codebuild:ImportSourceCredentials

You can associate a source provider (such as a GitHub repository) with your build projects using the Amazon CodeBuild console. To do this, you must first add the preceding API actions to the IAM access policies associated with the IAM user that you use to access the Amazon CodeBuild console.

The ListConnectedOAuthAccounts, ListRepositories, and PersistOAuthToken API actions are not meant to be called by your code. Therefore, these API actions are not included in the Amazon CLI and the Amazon SDKs.

Amazon managed (predefined) policies for Amazon CodeBuild

Amazon addresses many common use cases by providing standalone IAM policies that are created and administered by Amazon. These Amazon managed policies grant the necessary permissions for common use cases so that you can avoid having to investigate which permissions are needed. The managed policies for CodeBuild also provide permissions to perform operations in other services, such as IAM, Amazon CodeCommit, Amazon EC2, Amazon ECR, Amazon SNS, and Amazon CloudWatch Events, as required for the responsibilities of the users who have been granted the policy in question. For example, the AWSCodeBuildAdminAccess policy is an administrative-level user policy that allows users with this policy to create and manage CloudWatch Events rules for project builds and Amazon SNS topics for notifications about project-related events (topics whose names are prefixed with arn:aws:codebuild:), as well as to administer projects and report groups in CodeBuild. For more information, see Amazon managed policies in the IAM User Guide.

The following Amazon managed policies, which you can attach to users in your account, are specific to Amazon CodeBuild:

AWSCodeBuildAdminAccess

Provides full access to CodeBuild, including permissions to administer CodeBuild build projects.

AWSCodeBuildDeveloperAccess

Provides access to CodeBuild but does not allow build project administration.

AWSCodeBuildReadOnlyAccess

Provides read-only access to CodeBuild.

To access build output artifacts that CodeBuild creates, you must also attach the Amazon managed policy named AmazonS3ReadOnlyAccess.

To create and manage CodeBuild service roles, you must also attach the Amazon managed policy named IAMFullAccess.

You can also create your own custom IAM policies to grant permissions for CodeBuild actions and resources. You can attach these custom policies to the IAM users or groups that require those permissions.

AWSCodeBuildAdminAccess

The AWSCodeBuildAdminAccess policy provides full access to CodeBuild, including permissions to administer CodeBuild build projects. Apply this policy only to administrative-level users to grant them full control over CodeBuild projects, report groups, and related resources in your Amazon account, including the ability to delete projects and report groups.

The AWSCodeBuildAdminAccess policy contains the following policy statement:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "codebuild:*",
        "codecommit:GetBranch",
        "codecommit:GetCommit",
        "codecommit:GetRepository",
        "codecommit:ListBranches",
        "codecommit:ListRepositories",
        "cloudwatch:GetMetricStatistics",
        "ec2:DescribeVpcs",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "elasticfilesystem:DescribeFileSystems",
        "events:DeleteRule",
        "events:DescribeRule",
        "events:DisableRule",
        "events:EnableRule",
        "events:ListTargetsByRule",
        "events:ListRuleNamesByTarget",
        "events:PutRule",
        "events:PutTargets",
        "events:RemoveTargets",
        "logs:GetLogEvents",
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "logs:DeleteLogGroup"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:logs:*:*:log-group:/aws/codebuild/*:log-stream:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:PutParameter"
      ],
      "Resource": "arn:aws:ssm:*:*:parameter/CodeBuild/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:StartSession"
      ],
      "Resource": "arn:aws:ecs:*:*:task/*/*"
    },
    {
      "Sid": "CodeStarConnectionsReadWriteAccess",
      "Effect": "Allow",
      "Action": [
        "codestar-connections:CreateConnection",
        "codestar-connections:DeleteConnection",
        "codestar-connections:UpdateConnectionInstallation",
        "codestar-connections:TagResource",
        "codestar-connections:UntagResource",
        "codestar-connections:ListConnections",
        "codestar-connections:ListInstallationTargets",
        "codestar-connections:ListTagsForResource",
        "codestar-connections:GetConnection",
        "codestar-connections:GetIndividualAccessToken",
        "codestar-connections:GetInstallationUrl",
        "codestar-connections:PassConnection",
        "codestar-connections:StartOAuthHandshake",
        "codestar-connections:UseConnection"
      ],
      "Resource": "arn:aws:codestar-connections:*:*:connection/*"
    },
    {
      "Sid": "CodeStarNotificationsReadWriteAccess",
      "Effect": "Allow",
      "Action": [
        "codestar-notifications:CreateNotificationRule",
        "codestar-notifications:DescribeNotificationRule",
        "codestar-notifications:UpdateNotificationRule",
        "codestar-notifications:DeleteNotificationRule",
        "codestar-notifications:Subscribe",
        "codestar-notifications:Unsubscribe"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "codestar-notifications:NotificationsForResource": "arn:aws:codebuild:*"
        }
      }
    },
    {
      "Sid": "CodeStarNotificationsListAccess",
      "Effect": "Allow",
      "Action": [
        "codestar-notifications:ListNotificationRules",
        "codestar-notifications:ListEventTypes",
        "codestar-notifications:ListTargets",
        "codestar-notifications:ListTagsforResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CodeStarNotificationsSNSTopicCreateAccess",
      "Effect": "Allow",
      "Action": [
        "sns:CreateTopic",
        "sns:SetTopicAttributes"
      ],
      "Resource": "arn:aws:sns:*:*:codestar-notifications*"
    },
    {
      "Sid": "SNSTopicListAccess",
      "Effect": "Allow",
      "Action": [
        "sns:ListTopics",
        "sns:GetTopicAttributes"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CodeStarNotificationsChatbotAccess",
      "Effect": "Allow",
      "Action": [
        "chatbot:DescribeSlackChannelConfigurations"
      ],
      "Resource": "*"
    }
  ]
}

AWSCodeBuildDeveloperAccess

The AWSCodeBuildDeveloperAccess policy allows access to all of the functionality of CodeBuild and to the resources related to report groups. This policy does not allow users to delete CodeBuild projects or report groups, or related resources in other Amazon services, such as CloudWatch Events. We recommend that you apply this policy to most users.

The AWSCodeBuildDeveloperAccess policy contains the following policy statement:

{
  "Statement": [
    {
      "Action": [
        "codebuild:StartBuild",
        "codebuild:StopBuild",
        "codebuild:StartBuildBatch",
        "codebuild:StopBuildBatch",
        "codebuild:RetryBuild",
        "codebuild:RetryBuildBatch",
        "codebuild:BatchGet*",
        "codebuild:GetResourcePolicy",
        "codebuild:DescribeTestCases",
        "codebuild:DescribeCodeCoverages",
        "codebuild:List*",
        "codecommit:GetBranch",
        "codecommit:GetCommit",
        "codecommit:GetRepository",
        "codecommit:ListBranches",
        "cloudwatch:GetMetricStatistics",
        "events:DescribeRule",
        "events:ListTargetsByRule",
        "events:ListRuleNamesByTarget",
        "logs:GetLogEvents",
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:PutParameter"
      ],
      "Resource": "arn:aws:ssm:*:*:parameter/CodeBuild/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:StartSession"
      ],
      "Resource": "arn:aws:ecs:*:*:task/*/*"
    },
    {
      "Sid": "CodeStarConnectionsUserAccess",
      "Effect": "Allow",
      "Action": [
        "codestar-connections:ListConnections",
        "codestar-connections:GetConnection"
      ],
      "Resource": "arn:aws:codestar-connections:*:*:connection/*"
    },
    {
      "Sid": "CodeStarNotificationsReadWriteAccess",
      "Effect": "Allow",
      "Action": [
        "codestar-notifications:CreateNotificationRule",
        "codestar-notifications:DescribeNotificationRule",
        "codestar-notifications:UpdateNotificationRule",
        "codestar-notifications:Subscribe",
        "codestar-notifications:Unsubscribe"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "codestar-notifications:NotificationsForResource": "arn:aws:codebuild:*"
        }
      }
    },
    {
      "Sid": "CodeStarNotificationsListAccess",
      "Effect": "Allow",
      "Action": [
        "codestar-notifications:ListNotificationRules",
        "codestar-notifications:ListEventTypes",
        "codestar-notifications:ListTargets",
        "codestar-notifications:ListTagsforResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SNSTopicListAccess",
      "Effect": "Allow",
      "Action": [
        "sns:ListTopics",
        "sns:GetTopicAttributes"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CodeStarNotificationsChatbotAccess",
      "Effect": "Allow",
      "Action": [
        "chatbot:DescribeSlackChannelConfigurations"
      ],
      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
}

AWSCodeBuildReadOnlyAccess

The AWSCodeBuildReadOnlyAccess policy grants read-only access to CodeBuild and to related resources in other Amazon services. Apply this policy to users who can view and run builds, view projects, and view report groups, but cannot make any changes to them.

The AWSCodeBuildReadOnlyAccess policy contains the following policy statement:

{
  "Statement": [
    {
      "Action": [
        "codebuild:BatchGet*",
        "codebuild:GetResourcePolicy",
        "codebuild:List*",
        "codebuild:DescribeTestCases",
        "codebuild:DescribeCodeCoverages",
        "codecommit:GetBranch",
        "codecommit:GetCommit",
        "codecommit:GetRepository",
        "cloudwatch:GetMetricStatistics",
        "events:DescribeRule",
        "events:ListTargetsByRule",
        "events:ListRuleNamesByTarget",
        "logs:GetLogEvents"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "CodeStarConnectionsUserAccess",
      "Effect": "Allow",
      "Action": [
        "codestar-connections:ListConnections",
        "codestar-connections:GetConnection"
      ],
      "Resource": "arn:aws:codestar-connections:*:*:connection/*"
    },
    {
      "Sid": "CodeStarNotificationsPowerUserAccess",
      "Effect": "Allow",
      "Action": [
        "codestar-notifications:DescribeNotificationRule"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "codestar-notifications:NotificationsForResource": "arn:aws:codebuild:*"
        }
      }
    },
    {
      "Sid": "CodeStarNotificationsListAccess",
      "Effect": "Allow",
      "Action": [
        "codestar-notifications:ListNotificationRules",
        "codestar-notifications:ListEventTypes",
        "codestar-notifications:ListTargets"
      ],
      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
}

CodeBuild managed policies and notifications

CodeBuild supports notifications, which can notify users of important changes to build projects. The managed policies for CodeBuild include policy statements for the notification functionality. For more information, see What are notifications?

Permissions related to notifications in the full access managed policy

The AWSCodeBuildFullAccess managed policy includes the following statements to allow full access to notifications. Users with this managed policy applied can also create and manage Amazon SNS topics for notifications, subscribe and unsubscribe users to topics, list topics to choose as targets for notification rules, and list the Amazon Chatbot clients configured for Slack.

{
  "Sid": "CodeStarNotificationsReadWriteAccess",
  "Effect": "Allow",
  "Action": [
    "codestar-notifications:CreateNotificationRule",
    "codestar-notifications:DescribeNotificationRule",
    "codestar-notifications:UpdateNotificationRule",
    "codestar-notifications:DeleteNotificationRule",
    "codestar-notifications:Subscribe",
    "codestar-notifications:Unsubscribe"
  ],
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "codestar-notifications:NotificationsForResource": "arn:aws:codebuild:*"
    }
  }
},
{
  "Sid": "CodeStarNotificationsListAccess",
  "Effect": "Allow",
  "Action": [
    "codestar-notifications:ListNotificationRules",
    "codestar-notifications:ListTargets",
    "codestar-notifications:ListTagsforResource",
    "codestar-notifications:ListEventTypes"
  ],
  "Resource": "*"
},
{
  "Sid": "CodeStarNotificationsSNSTopicCreateAccess",
  "Effect": "Allow",
  "Action": [
    "sns:CreateTopic",
    "sns:SetTopicAttributes"
  ],
  "Resource": "arn:aws:sns:*:*:codestar-notifications*"
},
{
  "Sid": "SNSTopicListAccess",
  "Effect": "Allow",
  "Action": [
    "sns:ListTopics"
  ],
  "Resource": "*"
},
{
  "Sid": "CodeStarNotificationsChatbotAccess",
  "Effect": "Allow",
  "Action": [
    "chatbot:DescribeSlackChannelConfigurations"
  ],
  "Resource": "*"
}

Permissions related to notifications in the read-only managed policy

The AWSCodeBuildReadOnlyAccess managed policy includes the following statements to allow read-only access to notifications. Users with this managed policy applied can view notifications for resources, but cannot create, manage, or subscribe to them.

{
  "Sid": "CodeStarNotificationsPowerUserAccess",
  "Effect": "Allow",
  "Action": [
    "codestar-notifications:DescribeNotificationRule"
  ],
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "codestar-notifications:NotificationsForResource": "arn:aws:codebuild:*"
    }
  }
},
{
  "Sid": "CodeStarNotificationsListAccess",
  "Effect": "Allow",
  "Action": [
    "codestar-notifications:ListNotificationRules",
    "codestar-notifications:ListEventTypes",
    "codestar-notifications:ListTargets"
  ],
  "Resource": "*"
}

Permissions related to notifications in other managed policies

The AWSCodeBuildDeveloperAccess managed policy includes the following statements to allow users to create, edit, and subscribe to notifications. Users cannot delete notification rules or manage tags for resources.

{
  "Sid": "CodeStarNotificationsReadWriteAccess",
  "Effect": "Allow",
  "Action": [
    "codestar-notifications:CreateNotificationRule",
    "codestar-notifications:DescribeNotificationRule",
    "codestar-notifications:UpdateNotificationRule",
    "codestar-notifications:Subscribe",
    "codestar-notifications:Unsubscribe"
  ],
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "codestar-notifications:NotificationsForResource": "arn:aws:codebuild*"
    }
  }
},
{
  "Sid": "CodeStarNotificationsListAccess",
  "Effect": "Allow",
  "Action": [
    "codestar-notifications:ListNotificationRules",
    "codestar-notifications:ListTargets",
    "codestar-notifications:ListTagsforResource",
    "codestar-notifications:ListEventTypes"
  ],
  "Resource": "*"
},
{
  "Sid": "SNSTopicListAccess",
  "Effect": "Allow",
  "Action": [
    "sns:ListTopics"
  ],
  "Resource": "*"
},
{
  "Sid": "CodeStarNotificationsChatbotAccess",
  "Effect": "Allow",
  "Action": [
    "chatbot:DescribeSlackChannelConfigurations"
  ],
  "Resource": "*"
}

For more information about IAM and notifications, see Identity and Access Management for AWS CodeStar Notifications.

Customer-managed policy examples

In this section, you can find example user policies that grant permissions for Amazon CodeBuild actions. These policies work when you use the CodeBuild API, the Amazon SDKs, or the Amazon CLI. When you use the console, you must grant additional permissions that are specific to the console. For information, see Permissions required to use the Amazon CodeBuild console.

You can use the following sample IAM policies to limit CodeBuild access for your IAM users and roles.

Allow a user to get information about build projects

The following example policy statement allows a user to get information about build projects whose names start with my, in the us-east-2 region of account 123456789012:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:BatchGetProjects",
      "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/my*"
    }
  ]
}

Allow a user to get information about report groups

The following example policy statement allows a user to get information about report groups in the us-east-2 region of account 123456789012:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:BatchGetReportGroups",
      "Resource": "arn:aws:codebuild:us-east-2:123456789012:report-group/*"
    }
  ]
}

Allow a user to get information about reports

The following example policy statement allows a user to get information about reports in the us-east-2 region of account 123456789012:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:BatchGetReports",
      "Resource": "arn:aws:codebuild:us-east-2:123456789012:report-group/*"
    }
  ]
}

Allow a user to create build projects

The following example policy statement allows a user to create build projects with any name, but only in the us-east-2 region of account 123456789012 and only using the specified CodeBuild service role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:CreateProject",
      "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::123456789012:role/CodeBuildServiceRole"
    }
  ]
}

Allow a user to create report groups

The following example policy statement allows a user to create report groups in the us-east-2 region of account 123456789012:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:CreateReportGroup",
      "Resource": "arn:aws:codebuild:us-east-2:123456789012:report-group/*"
    }
  ]
}

Allow a user to delete report groups

The following example policy statement allows a user to delete report groups in the us-east-2 region of account 123456789012:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:DeleteReportGroup",
      "Resource": "arn:aws:codebuild:us-east-2:123456789012:report-group/*"
    }
  ]
}

Allow a user to delete reports

The following example policy statement allows a user to delete reports in the us-east-2 region of account 123456789012:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:DeleteReport",
      "Resource": "arn:aws:codebuild:us-east-2:123456789012:report-group/*"
    }
  ]
}

Allow a user to delete build projects

The following example policy statement allows a user to delete build projects whose names start with my, in the us-east-2 region of account 123456789012:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:DeleteProject",
      "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/my*"
    }
  ]
}

Allow a user to get a list of build project names

The following example policy statement allows a user to get a list of the build project names for the same account:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:ListProjects",
      "Resource": "*"
    }
  ]
}

Allow a user to change information about build projects

The following example policy statement allows a user to change information about build projects with any name, but only in the us-east-2 region of account 123456789012 and only using the specified Amazon CodeBuild service role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:UpdateProject",
      "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::123456789012:role/CodeBuildServiceRole"
    }
  ]
}

Allow a user to change report groups

The following example policy statement allows a user to change report groups in the us-east-2 region of account 123456789012:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:UpdateReportGroup",
      "Resource": "arn:aws:codebuild:us-east-2:123456789012:report-group/*"
    }
  ]
}

Allow a user to get information about builds

The following example policy statement allows a user to get information about builds of the build projects named my-build-project and my-other-build-project, in the us-east-2 region of account 123456789012:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:BatchGetBuilds",
      "Resource": [
        "arn:aws:codebuild:us-east-2:123456789012:project/my-build-project",
        "arn:aws:codebuild:us-east-2:123456789012:project/my-other-build-project"
      ]
    }
  ]
}

Allow a user to get a list of build IDs for a build project

The following example policy statement allows a user to get a list of build IDs for the build projects named my-build-project and my-other-build-project, in the us-east-2 region of account 123456789012:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:ListBuildsForProject",
      "Resource": [
        "arn:aws:codebuild:us-east-2:123456789012:project/my-build-project",
        "arn:aws:codebuild:us-east-2:123456789012:project/my-other-build-project"
      ]
    }
  ]
}

Allow a user to get a list of build IDs

The following example policy statement allows a user to get a list of all build IDs for the same account:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:ListBuilds",
      "Resource": "*"
    }
  ]
}

Allow a user to get a list of report groups

The following example policy statement allows a user to get a list of report groups in the us-east-2 region of account 123456789012:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:ListReportGroups",
      "Resource": "*"
    }
  ]
}

Allow a user to get a list of reports

The following example policy statement allows a user to get a list of reports in the us-east-2 region of account 123456789012:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:ListReports",
      "Resource": "*"
    }
  ]
}

Allow a user to get a list of reports for a report group

The following example policy statement allows a user to get a list of reports for a report group in the us-east-2 region of account 123456789012:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:ListReportsForReportGroup",
      "Resource": "arn:aws:codebuild:us-east-2:123456789012:report-group/*"
    }
  ]
}

Allow a user to get a list of test cases for a report

The following example policy statement allows a user to get a list of test cases for a report in the us-east-2 region of account 123456789012:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:DescribeTestCases",
      "Resource": "arn:aws:codebuild:us-east-2:123456789012:report-group/*"
    }
  ]
}

Allow a user to start running builds

The following example policy statement allows a user to run builds of build projects whose names start with my, in the us-east-2 region of account 123456789012:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:StartBuild",
      "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/my*"
    }
  ]
}

Allow a user to attempt to stop builds

The following example policy statement allows a user only to attempt to stop running builds of build projects whose names start with my, in the us-east-2 region of account 123456789012:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:StopBuild",
      "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/my*"
    }
  ]
}

Allow a user to attempt to delete builds

The following example policy statement allows a user only to attempt to delete builds of build projects whose names start with my, in the us-east-2 region of account 123456789012:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:BatchDeleteBuilds",
      "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/my*"
    }
  ]
}

Allow a user to get information about Docker images managed by CodeBuild

The following example policy statement allows a user to get information about all Docker images managed by CodeBuild:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:ListCuratedEnvironmentImages",
      "Resource": "*"
    }
  ]
}

Allow CodeBuild access to the Amazon services required to create a VPC network interface

The following example policy statement grants Amazon CodeBuild permission to create a network interface in a VPC with two subnets:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeVpcs"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterfacePermission"
      ],
      "Resource": "arn:aws:ec2:region:account-id:network-interface/*",
      "Condition": {
        "StringEquals": {
          "ec2:AuthorizedService": "codebuild.amazonaws.com"
        },
        "ArnEquals": {
          "ec2:Subnet": [
            "arn:aws:ec2:region:account-id:subnet/subnet-id-1",
            "arn:aws:ec2:region:account-id:subnet/subnet-id-2"
          ]
        }
      }
    }
  ]
}

Use a Deny statement to prevent Amazon CodeBuild from disconnecting from source providers

The following example policy statement uses a Deny statement to prevent Amazon CodeBuild from disconnecting from source providers. It uses codebuild:DeleteOAuthToken, which is the inverse of codebuild:PersistOAuthToken and codebuild:ImportSourceCredentials, to connect to source providers. For more information, see Permissions required for the Amazon CodeBuild console to connect to source providers.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "codebuild:DeleteOAuthToken",
      "Resource": "*"
    }
  ]
}
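To see how the statements on this page combine at evaluation time, the following is an added example in Python; it is not code from this page or from AWS. It implements a small evaluator for identity-based policy documents and runs it against three policies taken from this page: the BatchGetProjects statement scoped to project/my*, the network-interface statement with its StringEquals and ArnEquals conditions, and the Deny on codebuild:DeleteOAuthToken above. The broad codebuild:* allow, the project names my-app and other-app, and the eni-0123 network-interface ARN are constructed for the example (the region, account-id and subnet-id values are the page's own placeholders). The evaluator is deliberately partial: it does not model NotAction or NotResource, Principal elements, resource-based policies, service control policies, or permissions boundaries.

```python
"""Added example (not AWS's code): a partial evaluator for IAM identity-based
policies. It models wildcard matching of Action and Resource ('*' and '?'),
Condition blocks using StringEquals/StringLike/ArnEquals/ArnLike, an explicit
Deny that always wins over any Allow, and an implicit deny when nothing matches.
Assumption: NotAction/NotResource, Principal, resource policies, SCPs and
permissions boundaries are out of scope."""
import re


def _wildcard(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


# In IAM, ArnEquals and ArnLike both accept wildcards, so they share one test.
_OPERATORS = {
    "StringEquals": lambda pat, val: pat == val,
    "StringLike": _wildcard,
    "ArnEquals": _wildcard,
    "ArnLike": _wildcard,
}


def _condition_holds(condition: dict, context: dict) -> bool:
    """Every operator and every key must hold; within a key, any value may match."""
    for operator, pairs in condition.items():
        test = _OPERATORS.get(operator)
        if test is None:
            return False  # unsupported operator: fail closed
        for key, patterns in pairs.items():
            if key not in context:
                return False  # missing context key never satisfies these operators
            if not any(test(p, context[key]) for p in _as_list(patterns)):
                return False
    return True


def evaluate(policies, action: str, resource: str, context=None) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            # Action names are case-insensitive in IAM; resource ARNs are not.
            if not any(_wildcard(a, action, True) for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(_wildcard(r, resource) for r in _as_list(stmt.get("Resource", []))):
                continue
            if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides every Allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Policies copied from this page (region/account-id/subnet-id are its placeholders).
GET_MY_PROJECTS = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": "codebuild:BatchGetProjects",
    "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/my*"}]}
DENY_DISCONNECT = {"Version": "2012-10-17", "Statement": [{"Effect": "Deny",
    "Action": "codebuild:DeleteOAuthToken", "Resource": "*"}]}
CREATE_ENI_PERMISSION = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["ec2:CreateNetworkInterfacePermission"],
    "Resource": "arn:aws:ec2:region:account-id:network-interface/*",
    "Condition": {
        "StringEquals": {"ec2:AuthorizedService": "codebuild.amazonaws.com"},
        "ArnEquals": {"ec2:Subnet": ["arn:aws:ec2:region:account-id:subnet/subnet-id-1",
                                     "arn:aws:ec2:region:account-id:subnet/subnet-id-2"]}}}]}
# Constructed for this example: a broad allow like the codebuild:* statement in
# AWSCodeBuildAdminAccess, to show the Deny statement winning over it.
BROAD_ALLOW = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": "codebuild:*", "Resource": "*"}]}

PROJECT = "arn:aws:codebuild:us-east-2:123456789012:project/"
ENI = "arn:aws:ec2:region:account-id:network-interface/eni-0123"  # constructed
SUBNET = "arn:aws:ec2:region:account-id:subnet/"
CB_ENI = "ec2:CreateNetworkInterfacePermission"


def checks() -> dict:
    """Sample requests evaluated against the policies above."""
    svc = {"ec2:AuthorizedService": "codebuild.amazonaws.com"}
    return {
        "get my-app": evaluate([GET_MY_PROJECTS], "codebuild:BatchGetProjects", PROJECT + "my-app"),
        "get other-app": evaluate([GET_MY_PROJECTS], "codebuild:BatchGetProjects", PROJECT + "other-app"),
        "delete my-app": evaluate([GET_MY_PROJECTS], "codebuild:DeleteProject", PROJECT + "my-app"),
        "admin disconnects": evaluate([BROAD_ALLOW, DENY_DISCONNECT], "codebuild:DeleteOAuthToken", "*"),
        "admin starts build": evaluate([BROAD_ALLOW, DENY_DISCONNECT], "codebuild:StartBuild", PROJECT + "my-app"),
        "eni in subnet-1": evaluate([CREATE_ENI_PERMISSION], CB_ENI, ENI, {**svc, "ec2:Subnet": SUBNET + "subnet-id-1"}),
        "eni in subnet-3": evaluate([CREATE_ENI_PERMISSION], CB_ENI, ENI, {**svc, "ec2:Subnet": SUBNET + "subnet-id-3"}),
    }


if __name__ == "__main__":
    for case, decision in checks().items():
        print(f"{case:20s} -> {decision}")
```

Running the file prints one decision per case. The two results worth noticing are that the Deny on codebuild:DeleteOAuthToken wins even when the same principal also carries a codebuild:* allow, and that the ArnEquals condition on ec2:Subnet fails closed for a subnet that is not listed, so a resource-level `*` on the network interface does not widen the statement beyond the two subnets.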