Amazon CodeBuild condition keys
Amazon CodeBuild provides a set of condition keys that you can use in IAM policies to enforce your organizational policies on CodeBuild resources such as projects and fleets. The condition keys cover most of the CodeBuild API request contexts, including network settings, credential configurations and compute restrictions.
Enforce VPC connectivity settings on your projects and fleets
This policy allows the caller to use the selected VPCs, subnets, and security groups when creating CodeBuild projects and fleets. For more information about multivalued context keys, see Single-valued vs. multivalued context keys.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "codebuild:CreateProject",
      "codebuild:CreateFleet"
    ],
    "Resource": "*",
    "Condition": {
      "ForAnyValue:StringEquals": {
        "codebuild:vpcConfig.vpcId": [
          "vpc-01234567890abcdef",
          "vpc-abcdef01234567890"
        ],
        "codebuild:vpcConfig.subnets": [
          "subnet-1234abcd",
          "subnet-5678abcd"
        ],
        "codebuild:vpcConfig.securityGroupIds": [
          "sg-12345678abcdefghij",
          "sg-01234567abcdefghij"
        ]
      }
    }
  }]
}
Prevent unauthorized modifications to project buildspec
This policy does not allow the caller to override the buildspec in the buildspecOverride field.
Note
The codebuild:source.buildspec condition key supports only the Null operator to check the existence of the API field. It doesn't evaluate the content of the buildspec.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "codebuild:StartBuild",
    "Resource": "*"
  }, {
    "Effect": "Deny",
    "Action": "codebuild:StartBuild",
    "Resource": "*",
    "Condition": {
      "Null": {
        "codebuild:source.buildspec": "false"
      }
    }
  }]
}
Restrict compute types for your builds
This policy allows creating fleets that can build only with the c5.large or m5.large compute instance type.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "codebuild:CreateFleet",
    "Resource": "*",
    "Condition": {
      "ForAnyValue:StringEquals": {
        "codebuild:computeConfiguration.instanceType": ["c5.large", "m5.large"]
      }
    }
  }]
}
Control environment variable settings
This policy allows the caller to override the STAGE environment variable to be either BETA or GAMMA. It also explicitly denies overriding STAGE to be PRODUCTION, and denies overriding the MY_APP_VERSION environment variable. For more information about multivalued context keys, see Single-valued vs. multivalued context keys.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codebuild:StartBuild"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "codebuild:environment.environmentVariables/STAGE.value": [
            "BETA",
            "GAMMA"
          ]
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "codebuild:StartBuild"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "codebuild:environment.environmentVariables/STAGE.value": "PRODUCTION"
        },
        "ForAnyValue:StringEquals": {
          "codebuild:environment.environmentVariables.name": [
            "MY_APP_VERSION"
          ]
        }
      }
    }
  ]
}
Use variables in condition key names
You can use variables in condition key names, such as secondarySources/${sourceIdentifier}.location and secondaryArtifacts/${artifactIdentifier}.location, where you supply the identifier of your secondary source or artifact, for example mySecondSource.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:CreateProject",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "codebuild:secondarySources/mySecondSource.location": "my-source-location"
        }
      }
    }
  ]
}
Check the existence of attributes in API requests
CodeBuild supports condition keys that check whether certain fields are present in the API request. The following policy requires a VPC configuration to be present when creating or updating projects.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "codebuild:CreateProject",
      "codebuild:UpdateProject"
    ],
    "Resource": "*",
    "Condition": {
      "Null": {
        "codebuild:vpcConfig": "false"
      }
    }
  }]
}
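The policies on this page rely on three IAM behaviours that are easy to get wrong: ForAnyValue matches when at least one request value is listed (so an unlisted subnet can ride along with a listed one), ForAllValues is vacuously true when the key is absent (which is why the existence check above pairs naturally with it), and every operator inside a single Condition block is ANDed. The script below is an added example, not AWS code or part of the documentation: it is a toy model of those semantics that runs the VPC, buildspec, and environment-variable policies from this page against constructed request contexts, alongside two variants that are not on the page (a ForAllValues version of the VPC policy and a version of the environment-variable policy with one Deny statement per condition). Resource matching is omitted because every policy here uses "Resource": "*", and the exact shape in which CodeBuild populates these keys is assumed, so use the IAM policy simulator to confirm behaviour against the real service.

```python
"""Toy model of the IAM condition-operator semantics behind this page's policies.

Added example, not AWS code. It mimics StringEquals, ForAnyValue:/ForAllValues:StringEquals
and Null, plus the statement logic (explicit Deny wins; otherwise some Allow must match;
everything inside one Condition block is ANDed). Request contexts are constructed sample data.
"""


def _values(ctx: dict, key: str) -> list:
    """Request-context values for a key; an absent key yields an empty list."""
    v = ctx.get(key)
    if v is None:
        return []
    return list(v) if isinstance(v, (list, tuple, set)) else [v]


def string_equals(ctx, key, expected):
    """Single-valued StringEquals; a multivalued request key is treated as no match (simplification)."""
    vals = _values(ctx, key)
    return len(vals) == 1 and vals[0] in expected


def for_any_value(ctx, key, expected):
    """ForAnyValue:StringEquals: at least one request value is listed; an absent key is False."""
    return any(v in expected for v in _values(ctx, key))


def for_all_values(ctx, key, expected):
    """ForAllValues:StringEquals: every request value is listed; an absent/empty key is True."""
    return all(v in expected for v in _values(ctx, key))


def null_check(ctx, key, expected):
    """Null: "true" matches an absent key, "false" a present one; the content is never inspected."""
    return (len(_values(ctx, key)) == 0) == (expected[0] == "true")


OPERATORS = {
    "StringEquals": string_equals,
    "ForAnyValue:StringEquals": for_any_value,
    "ForAllValues:StringEquals": for_all_values,
    "Null": null_check,
}


def condition_matches(condition: dict, ctx: dict) -> bool:
    """All operators and keys in one Condition block are ANDed; values for one key are ORed."""
    for op, keys in condition.items():
        for key, expected in keys.items():
            expected = expected if isinstance(expected, list) else [expected]
            if not OPERATORS[op](ctx, key, expected):
                return False
    return True


def evaluate(statements: list, action: str, ctx: dict) -> str:
    """Return "explicitDeny", "allow" or "implicitDeny" for one action and request context."""
    decision = "implicitDeny"
    for stmt in statements:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action in actions and condition_matches(stmt.get("Condition", {}), ctx):
            if stmt["Effect"] == "Deny":
                return "explicitDeny"
            decision = "allow"
    return decision


# Statements copied from the page's policies (Version and Resource omitted, see module docstring).
VPC_ALLOW = [{"Effect": "Allow", "Action": ["codebuild:CreateProject", "codebuild:CreateFleet"],
              "Condition": {"ForAnyValue:StringEquals": {
                  "codebuild:vpcConfig.vpcId": ["vpc-01234567890abcdef", "vpc-abcdef01234567890"],
                  "codebuild:vpcConfig.subnets": ["subnet-1234abcd", "subnet-5678abcd"],
                  "codebuild:vpcConfig.securityGroupIds": ["sg-12345678abcdefghij", "sg-01234567abcdefghij"]}}}]
# Variant not on the page: ForAllValues requires every supplied VPC/subnet/SG to be approved.
VPC_ALLOW_ALL = [{**VPC_ALLOW[0], "Condition": {
    "ForAllValues:StringEquals": VPC_ALLOW[0]["Condition"]["ForAnyValue:StringEquals"]}}]

BUILDSPEC = [{"Effect": "Allow", "Action": "codebuild:StartBuild"},
             {"Effect": "Deny", "Action": "codebuild:StartBuild",
              "Condition": {"Null": {"codebuild:source.buildspec": "false"}}}]

STAGE = "codebuild:environment.environmentVariables/STAGE.value"
NAMES = "codebuild:environment.environmentVariables.name"
ENV_VARS = [{"Effect": "Allow", "Action": ["codebuild:StartBuild"],
             "Condition": {"ForAnyValue:StringEquals": {STAGE: ["BETA", "GAMMA"]}}},
            {"Effect": "Deny", "Action": ["codebuild:StartBuild"],
             "Condition": {"StringEquals": {STAGE: "PRODUCTION"},
                           "ForAnyValue:StringEquals": {NAMES: ["MY_APP_VERSION"]}}}]
# Variant not on the page: one Deny per condition, so each fires on its own.
ENV_VARS_SPLIT = ENV_VARS[:1] + [
    {"Effect": "Deny", "Action": ["codebuild:StartBuild"], "Condition": {"StringEquals": {STAGE: "PRODUCTION"}}},
    {"Effect": "Deny", "Action": ["codebuild:StartBuild"], "Condition": {"ForAnyValue:StringEquals": {NAMES: ["MY_APP_VERSION"]}}}]


def scenarios() -> dict:
    """Constructed request contexts run through the policies above."""
    mixed = {"codebuild:vpcConfig.vpcId": ["vpc-01234567890abcdef"],
             "codebuild:vpcConfig.subnets": ["subnet-1234abcd", "subnet-not-approved"],  # constructed
             "codebuild:vpcConfig.securityGroupIds": ["sg-12345678abcdefghij"]}
    override = {STAGE: ["BETA"], NAMES: ["STAGE", "MY_APP_VERSION"]}
    return {
        "vpc_any_mixed": evaluate(VPC_ALLOW, "codebuild:CreateProject", mixed),      # one approved subnet suffices
        "vpc_all_mixed": evaluate(VPC_ALLOW_ALL, "codebuild:CreateProject", mixed),  # unapproved subnet blocks it
        "vpc_all_missing": evaluate(VPC_ALLOW_ALL, "codebuild:CreateProject", {}),   # no vpcConfig: vacuously true
        "buildspec_override": evaluate(BUILDSPEC, "codebuild:StartBuild", {"codebuild:source.buildspec": "version: 0.2"}),
        "buildspec_none": evaluate(BUILDSPEC, "codebuild:StartBuild", {}),
        "env_combined_deny": evaluate(ENV_VARS, "codebuild:StartBuild", override),   # Deny needs both conditions
        "env_split_deny": evaluate(ENV_VARS_SPLIT, "codebuild:StartBuild", override),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:20} {decision}")
```

The two results worth dwelling on are vpc_any_mixed, where the page's ForAnyValue policy allows a project whose subnet list mixes an approved subnet with an unapproved one, and env_combined_deny, where the single Deny statement needs STAGE to equal PRODUCTION and MY_APP_VERSION to be present at the same time, so a BETA build that overrides MY_APP_VERSION is allowed. Combining ForAllValues with the Null existence check from the last section, or splitting a Deny into one statement per condition, gives the stricter behaviour when that is what you intend.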