Using identity-based policies for Amazon CodeBuild - Amazon CodeBuild
The Amazon Web Services services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China.

This is a machine-translated version. If there is a discrepancy between this translation and the English original, the English original prevails.

Using identity-based policies for Amazon CodeBuild

This topic provides examples of identity-based policies that show how an account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles) and thereby grant permission to perform operations on Amazon CodeBuild resources.

Important

We recommend that you first review the introductory topics that explain the basic concepts and options for managing access to your CodeBuild resources. For more information, see Overview of managing access permissions to your Amazon CodeBuild resources.

The following is an example of a permissions policy that allows a user to get information about build projects only in the us-east-2 region of account 123456789012, and only for build projects whose names start with my:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:BatchGetProjects",
      "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/my*"
    }
  ]
}

Permissions required to use the Amazon CodeBuild console

A user who uses the Amazon CodeBuild console must have a minimum set of permissions that allows the user to describe other Amazon resources in the Amazon account. You must have permissions from the following services:

  • Amazon CodeBuild

  • Amazon CloudWatch

  • CodeCommit (if you store your source code in an Amazon CodeCommit repository)

  • Amazon Elastic Container Registry (Amazon ECR) (if you use a build environment that relies on a Docker image in an Amazon ECR repository)

  • Amazon Elastic Container Service (Amazon ECS) (if you use a build environment that relies on a Docker image in an Amazon ECR repository)

  • Amazon Identity and Access Management (IAM)

  • Amazon Key Management Service (Amazon KMS)

  • Amazon Simple Storage Service (Amazon S3)

If you create an IAM policy that is more restrictive than the minimum required permissions, the console will not function as intended.

Permissions required for the Amazon CodeBuild console to connect to source providers

The Amazon CodeBuild console uses the following API actions to connect to source providers (for example, GitHub repositories).

  • codebuild:ListConnectedOAuthAccounts

  • codebuild:ListRepositories

  • codebuild:PersistOAuthToken

  • codebuild:ImportSourceCredentials

You can use the Amazon CodeBuild console to associate a source provider (such as a GitHub repository) with your build projects. To do this, you must first add the preceding API actions to the IAM access policies associated with the user you use to access the Amazon CodeBuild console.

The ListConnectedOAuthAccounts, ListRepositories, and PersistOAuthToken API actions are not intended to be called by your code. Therefore, these API actions are not included in the Amazon CLI and Amazon SDKs.

Amazon managed (predefined) policies for Amazon CodeBuild

Amazon addresses many common use cases by providing standalone IAM policies that are created and administered by Amazon. These Amazon managed policies grant the permissions needed for common use cases, so you can avoid having to investigate which permissions are required. The managed policies for CodeBuild also grant permissions to perform operations in other services, such as IAM, Amazon CodeCommit, Amazon EC2, Amazon ECR, Amazon SNS, and Amazon CloudWatch Events, that are needed for the responsibilities of the users to whom the policy is granted. For example, the AWSCodeBuildAdminAccess policy is an administrative-level user policy that allows users with this policy to create and manage CloudWatch Events rules for project builds and Amazon SNS topics for notifications about project-related events (topics whose names are prefixed with arn:aws:codebuild:), as well as to administer projects and report groups in CodeBuild. For more information, see Amazon managed policies in the IAM User Guide.

The following Amazon managed policies, which you can attach to users in your account, are specific to Amazon CodeBuild:

AWSCodeBuildAdminAccess

Provides full access to CodeBuild, including permissions to administer CodeBuild build projects.

AWSCodeBuildDeveloperAccess

Provides access to CodeBuild, but does not allow administration of build projects.

AWSCodeBuildReadOnlyAccess

Provides read-only access to CodeBuild.

To access build output artifacts that CodeBuild creates, you must also attach the Amazon managed policy named AmazonS3ReadOnlyAccess.

To create and manage CodeBuild service roles, you must also attach the Amazon managed policy named IAMFullAccess.

You can also create your own custom IAM policies to grant permissions for CodeBuild actions and resources. You can attach these custom policies to the IAM users or groups that require those permissions.

AWSCodeBuildAdminAccess

The AWSCodeBuildAdminAccess policy provides full access to CodeBuild, including permissions to administer CodeBuild build projects. Apply this policy only to administrative-level users to grant them full control over CodeBuild projects, report groups, and related resources in your Amazon account, including the ability to delete projects and report groups.

The AWSCodeBuildAdminAccess policy contains the following policy statement:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "codebuild:*",
        "codecommit:GetBranch",
        "codecommit:GetCommit",
        "codecommit:GetRepository",
        "codecommit:ListBranches",
        "codecommit:ListRepositories",
        "cloudwatch:GetMetricStatistics",
        "ec2:DescribeVpcs",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "elasticfilesystem:DescribeFileSystems",
        "events:DeleteRule",
        "events:DescribeRule",
        "events:DisableRule",
        "events:EnableRule",
        "events:ListTargetsByRule",
        "events:ListRuleNamesByTarget",
        "events:PutRule",
        "events:PutTargets",
        "events:RemoveTargets",
        "logs:GetLogEvents",
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "logs:DeleteLogGroup"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:logs:*:*:log-group:/aws/codebuild/*:log-stream:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:PutParameter"
      ],
      "Resource": "arn:aws:ssm:*:*:parameter/CodeBuild/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:StartSession"
      ],
      "Resource": "arn:aws:ecs:*:*:task/*/*"
    },
    {
      "Sid": "CodeStarConnectionsReadWriteAccess",
      "Effect": "Allow",
      "Action": [
        "codestar-connections:CreateConnection",
        "codestar-connections:DeleteConnection",
        "codestar-connections:UpdateConnectionInstallation",
        "codestar-connections:TagResource",
        "codestar-connections:UntagResource",
        "codestar-connections:ListConnections",
        "codestar-connections:ListInstallationTargets",
        "codestar-connections:ListTagsForResource",
        "codestar-connections:GetConnection",
        "codestar-connections:GetIndividualAccessToken",
        "codestar-connections:GetInstallationUrl",
        "codestar-connections:PassConnection",
        "codestar-connections:StartOAuthHandshake",
        "codestar-connections:UseConnection"
      ],
      "Resource": "arn:aws:codestar-connections:*:*:connection/*"
    },
    {
      "Sid": "CodeStarNotificationsReadWriteAccess",
      "Effect": "Allow",
      "Action": [
        "codestar-notifications:CreateNotificationRule",
        "codestar-notifications:DescribeNotificationRule",
        "codestar-notifications:UpdateNotificationRule",
        "codestar-notifications:DeleteNotificationRule",
        "codestar-notifications:Subscribe",
        "codestar-notifications:Unsubscribe"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "codestar-notifications:NotificationsForResource": "arn:aws:codebuild:*"
        }
      }
    },
    {
      "Sid": "CodeStarNotificationsListAccess",
      "Effect": "Allow",
      "Action": [
        "codestar-notifications:ListNotificationRules",
        "codestar-notifications:ListEventTypes",
        "codestar-notifications:ListTargets",
        "codestar-notifications:ListTagsforResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CodeStarNotificationsSNSTopicCreateAccess",
      "Effect": "Allow",
      "Action": [
        "sns:CreateTopic",
        "sns:SetTopicAttributes"
      ],
      "Resource": "arn:aws:sns:*:*:codestar-notifications*"
    },
    {
      "Sid": "SNSTopicListAccess",
      "Effect": "Allow",
      "Action": [
        "sns:ListTopics",
        "sns:GetTopicAttributes"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CodeStarNotificationsChatbotAccess",
      "Effect": "Allow",
      "Action": [
        "chatbot:DescribeSlackChannelConfigurations"
      ],
      "Resource": "*"
    }
  ]
}

AWSCodeBuildDeveloperAccess

The AWSCodeBuildDeveloperAccess policy allows access to all of the functionality of CodeBuild and to resources related to projects and report groups. This policy does not allow users to delete CodeBuild projects or report groups, or related resources in other Amazon services such as CloudWatch Events. We recommend that you apply this policy to most users.

The AWSCodeBuildDeveloperAccess policy contains the following policy statement:

{
  "Statement": [
    {
      "Action": [
        "codebuild:StartBuild",
        "codebuild:StopBuild",
        "codebuild:StartBuildBatch",
        "codebuild:StopBuildBatch",
        "codebuild:RetryBuild",
        "codebuild:RetryBuildBatch",
        "codebuild:BatchGet*",
        "codebuild:GetResourcePolicy",
        "codebuild:DescribeTestCases",
        "codebuild:DescribeCodeCoverages",
        "codebuild:List*",
        "codecommit:GetBranch",
        "codecommit:GetCommit",
        "codecommit:GetRepository",
        "codecommit:ListBranches",
        "cloudwatch:GetMetricStatistics",
        "events:DescribeRule",
        "events:ListTargetsByRule",
        "events:ListRuleNamesByTarget",
        "logs:GetLogEvents",
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:PutParameter"
      ],
      "Resource": "arn:aws:ssm:*:*:parameter/CodeBuild/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:StartSession"
      ],
      "Resource": "arn:aws:ecs:*:*:task/*/*"
    },
    {
      "Sid": "CodeStarConnectionsUserAccess",
      "Effect": "Allow",
      "Action": [
        "codestar-connections:ListConnections",
        "codestar-connections:GetConnection"
      ],
      "Resource": "arn:aws:codestar-connections:*:*:connection/*"
    },
    {
      "Sid": "CodeStarNotificationsReadWriteAccess",
      "Effect": "Allow",
      "Action": [
        "codestar-notifications:CreateNotificationRule",
        "codestar-notifications:DescribeNotificationRule",
        "codestar-notifications:UpdateNotificationRule",
        "codestar-notifications:Subscribe",
        "codestar-notifications:Unsubscribe"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "codestar-notifications:NotificationsForResource": "arn:aws:codebuild:*"
        }
      }
    },
    {
      "Sid": "CodeStarNotificationsListAccess",
      "Effect": "Allow",
      "Action": [
        "codestar-notifications:ListNotificationRules",
        "codestar-notifications:ListEventTypes",
        "codestar-notifications:ListTargets",
        "codestar-notifications:ListTagsforResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SNSTopicListAccess",
      "Effect": "Allow",
      "Action": [
        "sns:ListTopics",
        "sns:GetTopicAttributes"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CodeStarNotificationsChatbotAccess",
      "Effect": "Allow",
      "Action": [
        "chatbot:DescribeSlackChannelConfigurations"
      ],
      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
}

AWSCodeBuildReadOnlyAccess

The AWSCodeBuildReadOnlyAccess policy grants read-only access to CodeBuild and to related resources in other Amazon services. Apply this policy to users who can view and run builds, view projects, and view report groups, but cannot make any changes to them. Note that the statement shown below grants only the codebuild:BatchGet*, codebuild:List*, codebuild:GetResourcePolicy and codebuild:Describe* read actions and does not include codebuild:StartBuild; check the current policy document in IAM rather than relying on the summary alone.

The AWSCodeBuildReadOnlyAccess policy contains the following policy statement:

{
  "Statement": [
    {
      "Action": [
        "codebuild:BatchGet*",
        "codebuild:GetResourcePolicy",
        "codebuild:List*",
        "codebuild:DescribeTestCases",
        "codebuild:DescribeCodeCoverages",
        "codecommit:GetBranch",
        "codecommit:GetCommit",
        "codecommit:GetRepository",
        "cloudwatch:GetMetricStatistics",
        "events:DescribeRule",
        "events:ListTargetsByRule",
        "events:ListRuleNamesByTarget",
        "logs:GetLogEvents"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "CodeStarConnectionsUserAccess",
      "Effect": "Allow",
      "Action": [
        "codestar-connections:ListConnections",
        "codestar-connections:GetConnection"
      ],
      "Resource": "arn:aws:codestar-connections:*:*:connection/*"
    },
    {
      "Sid": "CodeStarNotificationsPowerUserAccess",
      "Effect": "Allow",
      "Action": [
        "codestar-notifications:DescribeNotificationRule"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "codestar-notifications:NotificationsForResource": "arn:aws:codebuild:*"
        }
      }
    },
    {
      "Sid": "CodeStarNotificationsListAccess",
      "Effect": "Allow",
      "Action": [
        "codestar-notifications:ListNotificationRules",
        "codestar-notifications:ListEventTypes",
        "codestar-notifications:ListTargets"
      ],
      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
}

CodeBuild managed policies and notifications

CodeBuild supports notifications, which can notify users of important changes to build projects. The managed policies for CodeBuild include policy statements for the notification functionality. For more information, see What are notifications?

Permissions related to notifications in the full access managed policy

The AWSCodeBuildFullAccess managed policy includes the following statements to allow full access to notifications; the same statements appear in the AWSCodeBuildAdminAccess policy shown above. Users with this managed policy applied can also create and manage Amazon SNS topics for notifications, subscribe and unsubscribe users to topics, list topics to choose as targets for notification rules, and list Amazon Chatbot clients configured for Slack.

{
  "Sid": "CodeStarNotificationsReadWriteAccess",
  "Effect": "Allow",
  "Action": [
    "codestar-notifications:CreateNotificationRule",
    "codestar-notifications:DescribeNotificationRule",
    "codestar-notifications:UpdateNotificationRule",
    "codestar-notifications:DeleteNotificationRule",
    "codestar-notifications:Subscribe",
    "codestar-notifications:Unsubscribe"
  ],
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "codestar-notifications:NotificationsForResource": "arn:aws:codebuild:*"
    }
  }
},
{
  "Sid": "CodeStarNotificationsListAccess",
  "Effect": "Allow",
  "Action": [
    "codestar-notifications:ListNotificationRules",
    "codestar-notifications:ListTargets",
    "codestar-notifications:ListTagsforResource",
    "codestar-notifications:ListEventTypes"
  ],
  "Resource": "*"
},
{
  "Sid": "CodeStarNotificationsSNSTopicCreateAccess",
  "Effect": "Allow",
  "Action": [
    "sns:CreateTopic",
    "sns:SetTopicAttributes"
  ],
  "Resource": "arn:aws:sns:*:*:codestar-notifications*"
},
{
  "Sid": "SNSTopicListAccess",
  "Effect": "Allow",
  "Action": [
    "sns:ListTopics"
  ],
  "Resource": "*"
},
{
  "Sid": "CodeStarNotificationsChatbotAccess",
  "Effect": "Allow",
  "Action": [
    "chatbot:DescribeSlackChannelConfigurations"
  ],
  "Resource": "*"
}

Permissions related to notifications in the read-only managed policy

The AWSCodeBuildReadOnlyAccess managed policy includes the following statements to allow read-only access to notifications. Users with this managed policy applied can view notifications for resources, but cannot create, manage, or subscribe to them.

{
  "Sid": "CodeStarNotificationsPowerUserAccess",
  "Effect": "Allow",
  "Action": [
    "codestar-notifications:DescribeNotificationRule"
  ],
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "codestar-notifications:NotificationsForResource": "arn:aws:codebuild:*"
    }
  }
},
{
  "Sid": "CodeStarNotificationsListAccess",
  "Effect": "Allow",
  "Action": [
    "codestar-notifications:ListNotificationRules",
    "codestar-notifications:ListEventTypes",
    "codestar-notifications:ListTargets"
  ],
  "Resource": "*"
}

Permissions related to notifications in other managed policies

The AWSCodeBuildDeveloperAccess managed policy includes the following statements to allow users to create, edit, and subscribe to notifications. Users cannot delete notification rules or manage tags for resources.

{
  "Sid": "CodeStarNotificationsReadWriteAccess",
  "Effect": "Allow",
  "Action": [
    "codestar-notifications:CreateNotificationRule",
    "codestar-notifications:DescribeNotificationRule",
    "codestar-notifications:UpdateNotificationRule",
    "codestar-notifications:Subscribe",
    "codestar-notifications:Unsubscribe"
  ],
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "codestar-notifications:NotificationsForResource": "arn:aws:codebuild*"
    }
  }
},
{
  "Sid": "CodeStarNotificationsListAccess",
  "Effect": "Allow",
  "Action": [
    "codestar-notifications:ListNotificationRules",
    "codestar-notifications:ListTargets",
    "codestar-notifications:ListTagsforResource",
    "codestar-notifications:ListEventTypes"
  ],
  "Resource": "*"
},
{
  "Sid": "SNSTopicListAccess",
  "Effect": "Allow",
  "Action": [
    "sns:ListTopics"
  ],
  "Resource": "*"
},
{
  "Sid": "CodeStarNotificationsChatbotAccess",
  "Effect": "Allow",
  "Action": [
    "chatbot:DescribeSlackChannelConfigurations"
  ],
  "Resource": "*"
}

For more information about IAM and notifications, see Identity and Access Management for AWS CodeStar Notifications.

Customer-managed policy examples

The example user policies in this section show how to grant permissions for Amazon CodeBuild actions. These policies work when you use the CodeBuild API, the Amazon SDKs, or the Amazon CLI. When you use the console, you must grant additional, console-specific permissions. For information, see Permissions required to use the Amazon CodeBuild console.

You can use the following sample IAM policies to limit CodeBuild access for your IAM users and roles.

Allow a user to get information about build projects

The following example policy statement allows a user to get information about build projects only in the us-east-2 region of account 123456789012, and only for build projects whose names start with my:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:BatchGetProjects",
      "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/my*"
    }
  ]
}

Allow a user to get information about report groups

The following example policy statement allows a user to get information about report groups in the us-east-2 region of account 123456789012:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:BatchGetReportGroups",
      "Resource": "arn:aws:codebuild:us-east-2:123456789012:report-group/*"
    }
  ]
}

Allow a user to get information about reports

The following example policy statement allows a user to get information about reports in the us-east-2 region of account 123456789012:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:BatchGetReports",
      "Resource": "arn:aws:codebuild:us-east-2:123456789012:report-group/*"
    }
  ]
}

Allow a user to create build projects

The following example policy statement allows a user to create build projects with any name, but only in the us-east-2 region of account 123456789012 and only using the specified CodeBuild service role. Both statements are needed: CreateProject alone is not enough, because passing the service role to CodeBuild requires iam:PassRole on that role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:CreateProject",
      "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::123456789012:role/CodeBuildServiceRole"
    }
  ]
}

Allow a user to create report groups

The following example policy statement allows a user to create report groups in the us-east-2 region of account 123456789012:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:CreateReportGroup",
      "Resource": "arn:aws:codebuild:us-east-2:123456789012:report-group/*"
    }
  ]
}

Allow a user to delete report groups

The following example policy statement allows a user to delete report groups in the us-east-2 region of account 123456789012:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:DeleteReportGroup",
      "Resource": "arn:aws:codebuild:us-east-2:123456789012:report-group/*"
    }
  ]
}

Allow a user to delete reports

The following example policy statement allows a user to delete reports in the us-east-2 region of account 123456789012:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:DeleteReport",
      "Resource": "arn:aws:codebuild:us-east-2:123456789012:report-group/*"
    }
  ]
}

Allow a user to delete build projects

The following example policy statement allows a user to delete build projects in the us-east-2 region of account 123456789012, but only build projects whose names start with my:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:DeleteProject",
      "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/my*"
    }
  ]
}

Allow a user to get a list of build project names

The following example policy statement allows a user to get a list of build project names for the same account. ListProjects does not support resource-level permissions, so the Resource must be "*":

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:ListProjects",
      "Resource": "*"
    }
  ]
}

Allow a user to change information about build projects

The following example policy statement allows a user to change information about build projects with any name, but only in the us-east-2 region of account 123456789012 and only using the specified Amazon CodeBuild service role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:UpdateProject",
      "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::123456789012:role/CodeBuildServiceRole"
    }
  ]
}

Allow a user to change report groups

The following example policy statement allows a user to change report groups in the us-east-2 region of account 123456789012:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:UpdateReportGroup",
      "Resource": "arn:aws:codebuild:us-east-2:123456789012:report-group/*"
    }
  ]
}

Allow a user to get information about builds

The following example policy statement allows a user to get information about builds in the us-east-2 region of account 123456789012 for the build projects named my-build-project and my-other-build-project:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:BatchGetBuilds",
      "Resource": [
        "arn:aws:codebuild:us-east-2:123456789012:project/my-build-project",
        "arn:aws:codebuild:us-east-2:123456789012:project/my-other-build-project"
      ]
    }
  ]
}

Allow a user to get a list of build IDs for a build project

The following example policy statement allows a user to get a list of build IDs in the us-east-2 region of account 123456789012 for the build projects named my-build-project and my-other-build-project:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:ListBuildsForProject",
      "Resource": [
        "arn:aws:codebuild:us-east-2:123456789012:project/my-build-project",
        "arn:aws:codebuild:us-east-2:123456789012:project/my-other-build-project"
      ]
    }
  ]
}

Allow a user to get a list of build IDs

The following example policy statement allows a user to get a list of all build IDs for the same account:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:ListBuilds",
      "Resource": "*"
    }
  ]
}

Allow a user to get a list of report groups

The following example policy statement allows a user to get a list of report groups in the us-east-2 region of account 123456789012:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:ListReportGroups",
      "Resource": "*"
    }
  ]
}

Allow a user to get a list of reports

The following example policy statement allows a user to get a list of reports in the us-east-2 region of account 123456789012:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:ListReports",
      "Resource": "*"
    }
  ]
}

Allow a user to get a list of reports for a report group

The following example policy statement allows a user to get a list of reports for a report group in the us-east-2 region of account 123456789012:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:ListReportsForReportGroup",
      "Resource": "arn:aws:codebuild:us-east-2:123456789012:report-group/*"
    }
  ]
}

Allow a user to get a list of test cases for a report

The following example policy statement allows a user to get a list of test cases for a report in the us-east-2 region of account 123456789012:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:DescribeTestCases",
      "Resource": "arn:aws:codebuild:us-east-2:123456789012:report-group/*"
    }
  ]
}

Allow a user to start running builds

The following example policy statement allows a user to run builds in the us-east-2 region of account 123456789012, but only for build projects whose names start with my:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:StartBuild",
      "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/my*"
    }
  ]
}

Allow a user to attempt to stop builds

The following example policy statement allows a user to attempt to stop running builds only in the us-east-2 region of account 123456789012, and only for build projects whose names start with my:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:StopBuild",
      "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/my*"
    }
  ]
}

Allow a user to attempt to delete builds

The following example policy statement allows a user to attempt to delete builds only in the us-east-2 region of account 123456789012, and only for build projects whose names start with my:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:BatchDeleteBuilds",
      "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/my*"
    }
  ]
}

Allow a user to get information about Docker images managed by CodeBuild

The following example policy statement allows a user to get information about all Docker images that are managed by CodeBuild:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:ListCuratedEnvironmentImages",
      "Resource": "*"
    }
  ]
}

Allow CodeBuild access to the Amazon services required to create a VPC network interface

The following example policy statement grants Amazon CodeBuild permission to create a network interface in a VPC with two subnets. The ec2:AuthorizedService condition restricts the permission grant to CodeBuild itself, and the ec2:Subnet condition restricts it to the two listed subnets; replace region, account-id, subnet-id-1, and subnet-id-2 with your own values:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeVpcs"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterfacePermission"
      ],
      "Resource": "arn:aws:ec2:region:account-id:network-interface/*",
      "Condition": {
        "StringEquals": {
          "ec2:AuthorizedService": "codebuild.amazonaws.com"
        },
        "ArnEquals": {
          "ec2:Subnet": [
            "arn:aws:ec2:region:account-id:subnet/subnet-id-1",
            "arn:aws:ec2:region:account-id:subnet/subnet-id-2"
          ]
        }
      }
    }
  ]
}

Use a Deny statement to prevent Amazon CodeBuild from disconnecting from source providers

The following example policy statement uses a Deny statement to prevent Amazon CodeBuild from disconnecting from source providers. It denies codebuild:DeleteOAuthToken, which is the inverse of codebuild:PersistOAuthToken and codebuild:ImportSourceCredentials, the actions used to connect to source providers. Because an explicit Deny overrides any Allow, this statement takes effect even for users who also have codebuild:* from a managed policy such as AWSCodeBuildAdminAccess. For more information, see Permissions required for the Amazon CodeBuild console to connect to source providers.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "codebuild:DeleteOAuthToken",
      "Resource": "*"
    }
  ]
}