Using identity-based policies for Amazon CodeBuild
This topic provides examples of identity-based policies that demonstrate how an account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles) and thereby grant permissions to perform operations on Amazon CodeBuild resources.
Important
We recommend that you first review the introductory topics that explain the basic concepts and options available to manage access to your CodeBuild resources. For more information, see Overview of managing access permissions to your Amazon CodeBuild resources.
Topics
- Permissions required to use the Amazon CodeBuild console
- Permissions required for Amazon CodeBuild to connect to Amazon Elastic Container Registry
- Permissions required for the Amazon CodeBuild console to connect to source providers
- Amazon managed (predefined) policies for Amazon CodeBuild
- CodeBuild managed policies and notifications
- CodeBuild updates to Amazon managed policies
- Customer-managed policy examples
The following shows an example of a permissions policy that allows a user to get
information about build projects only in the us-east-2
region for account
123456789012
for any build project that starts with the name
my
:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:BatchGetProjects", "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/my*" } ] }
Permissions required to use the Amazon CodeBuild console
A user who uses the Amazon CodeBuild console must have a minimum set of permissions that allows the user to describe other Amazon resources for the Amazon account. You must have permissions from the following services:
-
Amazon CodeBuild
-
Amazon CloudWatch
-
CodeCommit (if you are storing your source code in an Amazon CodeCommit repository)
-
Amazon Elastic Container Registry (Amazon ECR) (if you are using a build environment that relies on a Docker image in an Amazon ECR repository)
Note
As of July 26, 2022, the default IAM policy has been updated. For more information, see Permissions required for Amazon CodeBuild to connect to Amazon Elastic Container Registry.
-
Amazon Elastic Container Service (Amazon ECS) (if you are using a build environment that relies on a Docker image in an Amazon ECR repository)
-
Amazon Identity and Access Management (IAM)
-
Amazon Key Management Service (Amazon KMS)
-
Amazon Simple Storage Service (Amazon S3)
If you create an IAM policy that is more restrictive than the minimum required permissions, the console won't function as intended.
Permissions required for Amazon CodeBuild to connect to Amazon Elastic Container Registry
As of July 26, 2022, Amazon CodeBuild has updated its default IAM policy for Amazon ECR permission. The following permissions have been removed from the default policy:
"ecr:PutImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:CompleteLayerUpload"
For CodeBuild projects that were created before July 26, 2022, we recommend you update your policy with the following Amazon ECR policy:
"Action": [ "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage" ]
For more information on updating your policy, see Allow users to interact with CodeBuild.
Permissions required for the Amazon CodeBuild console to connect to source providers
The Amazon CodeBuild console uses the following API actions to connect to source providers (for example, GitHub repositories).
-
codebuild:ListConnectedOAuthAccounts
-
codebuild:ListRepositories
-
codebuild:PersistOAuthToken
-
codebuild:ImportSourceCredentials
You can associate source providers (such as GitHub repositories) with your build projects using the Amazon CodeBuild console. To do this, you must first add the preceding API actions to IAM access policies associated with the user you use to access the Amazon CodeBuild console.
The ListConnectedOAuthAccounts
, ListRepositories
, and
PersistOAuthToken
API actions are not intended to be called by your
code. Therefore, these API actions are not included in the Amazon CLI and Amazon
SDKs.
Amazon managed (predefined) policies for Amazon CodeBuild
Amazon addresses many common use cases by providing standalone IAM policies that are created and
administered by Amazon. These Amazon managed policies grant necessary permissions for common use cases so
you can avoid having to investigate what permissions are needed. The managed policies for CodeBuild also
provide permissions to perform operations in other services, such as IAM, Amazon CodeCommit,Amazon EC2, Amazon ECR,
Amazon SNS, and Amazon CloudWatch Events, as required for the responsibilities for the users who have been granted the
policy in question. For example, the AWSCodeBuildAdminAccess
policy is
an administrative-level user policy that allows users with this policy to create and manage CloudWatch
Events rules for project builds and Amazon SNS topics for notifications about project-related events
(topics whose names are prefixed with arn:aws:codebuild:
), as well as administer projects
and report groups in CodeBuild. For more information, see Amazon Managed
Policies in the IAM User Guide.
The following Amazon managed policies, which you can attach to users in your account, are specific to Amazon CodeBuild.
- AWSCodeBuildAdminAccess
-
Provides full access to CodeBuild including permissions to administrate CodeBuild build projects.
- AWSCodeBuildDeveloperAccess
-
Provides access to CodeBuild but does not allow build project administration.
- AWSCodeBuildReadOnlyAccess
-
Provides read-only access to CodeBuild.
To access build output artifacts that CodeBuild creates, you must also attach the
Amazon managed policy named AmazonS3ReadOnlyAccess
.
To create and manage CodeBuild service roles, you must also attach the Amazon managed
policy named IAMFullAccess
.
You can also create your own custom IAM policies to allow permissions for CodeBuild actions and resources. You can attach these custom policies to the users or groups that require those permissions.
AWSCodeBuildAdminAccess
The AWSCodeBuildAdminAccess
policy provides full access to CodeBuild,
including permissions to administer CodeBuild build projects. Apply this policy only
to administrative-level users to grant them full control over CodeBuild projects,
report groups, and related resources in your Amazon account, including the
ability to delete projects and report groups.
The AWSCodeBuildAdminAccess
policy contains the following
policy statement:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSServicesAccess",
"Action": [
"codebuild:*",
"codecommit:GetBranch",
"codecommit:GetCommit",
"codecommit:GetRepository",
"codecommit:ListBranches",
"codecommit:ListRepositories",
"cloudwatch:GetMetricStatistics",
"ec2:DescribeVpcs",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ecr:DescribeRepositories",
"ecr:ListImages",
"elasticfilesystem:DescribeFileSystems",
"events:DeleteRule",
"events:DescribeRule",
"events:DisableRule",
"events:EnableRule",
"events:ListTargetsByRule",
"events:ListRuleNamesByTarget",
"events:PutRule",
"events:PutTargets",
"events:RemoveTargets",
"logs:GetLogEvents",
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "CWLDeleteLogGroupAccess",
"Action": [
"logs:DeleteLogGroup"
],
"Effect": "Allow",
"Resource": "arn:aws:logs:*:*:log-group:/aws/codebuild/*:log-stream:*"
},
{
"Sid": "SSMParameterWriteAccess",
"Effect": "Allow",
"Action": [
"ssm:PutParameter"
],
"Resource": "arn:aws:ssm:*:*:parameter/CodeBuild/*"
},
{
"Sid": "SSMStartSessionAccess",
"Effect": "Allow",
"Action": [
"ssm:StartSession"
],
"Resource": "arn:aws:ecs:*:*:task/*/*"
},
{
"Sid": "CodeStarConnectionsReadWriteAccess",
"Effect": "Allow",
"Action": [
"codestar-connections:CreateConnection",
"codestar-connections:DeleteConnection",
"codestar-connections:UpdateConnectionInstallation",
"codestar-connections:TagResource",
"codestar-connections:UntagResource",
"codestar-connections:ListConnections",
"codestar-connections:ListInstallationTargets",
"codestar-connections:ListTagsForResource",
"codestar-connections:GetConnection",
"codestar-connections:GetIndividualAccessToken",
"codestar-connections:GetInstallationUrl",
"codestar-connections:PassConnection",
"codestar-connections:StartOAuthHandshake",
"codestar-connections:UseConnection"
],
"Resource": [
"arn:aws:codestar-connections:*:*:connection/*",
"arn:aws:codeconnections:*:*:connection/*"
]
},
{
"Sid": "CodeStarNotificationsReadWriteAccess",
"Effect": "Allow",
"Action": [
"codestar-notifications:CreateNotificationRule",
"codestar-notifications:DescribeNotificationRule",
"codestar-notifications:UpdateNotificationRule",
"codestar-notifications:DeleteNotificationRule",
"codestar-notifications:Subscribe",
"codestar-notifications:Unsubscribe"
],
"Resource": "*",
"Condition": {
"ArnLike": {
"codestar-notifications:NotificationsForResource": "arn:aws:codebuild:*:*:project/*"
}
}
},
{
"Sid": "CodeStarNotificationsListAccess",
"Effect": "Allow",
"Action": [
"codestar-notifications:ListNotificationRules",
"codestar-notifications:ListEventTypes",
"codestar-notifications:ListTargets",
"codestar-notifications:ListTagsforResource"
],
"Resource": "*"
},
{
"Sid": "CodeStarNotificationsSNSTopicCreateAccess",
"Effect": "Allow",
"Action": [
"sns:CreateTopic",
"sns:SetTopicAttributes"
],
"Resource": "arn:aws:sns:*:*:codestar-notifications*"
},
{
"Sid": "SNSTopicListAccess",
"Effect": "Allow",
"Action": [
"sns:ListTopics",
"sns:GetTopicAttributes"
],
"Resource": "*"
},
{
"Sid": "CodeStarNotificationsChatbotAccess",
"Effect": "Allow",
"Action": [
"chatbot:DescribeSlackChannelConfigurations",
"chatbot:ListMicrosoftTeamsChannelConfigurations"
],
"Resource": "*"
}
]
}
AWSCodeBuildDeveloperAccess
The AWSCodeBuildDeveloperAccess
policy allows access to all of
the functionality of CodeBuild and project and report group-related resources. This
policy does not allow users to delete CodeBuild projects or report groups, or
related resources in other Amazon services, such as CloudWatch Events. We recommend that you
apply this policy to most users.
The AWSCodeBuildDeveloperAccess
policy contains the
following policy statement:
{
"Statement": [
{
"Sid": "AWSServicesAccess",
"Action": [
"codebuild:StartBuild",
"codebuild:StopBuild",
"codebuild:StartBuildBatch",
"codebuild:StopBuildBatch",
"codebuild:RetryBuild",
"codebuild:RetryBuildBatch",
"codebuild:BatchGet*",
"codebuild:GetResourcePolicy",
"codebuild:DescribeTestCases",
"codebuild:DescribeCodeCoverages",
"codebuild:List*",
"codecommit:GetBranch",
"codecommit:GetCommit",
"codecommit:GetRepository",
"codecommit:ListBranches",
"cloudwatch:GetMetricStatistics",
"events:DescribeRule",
"events:ListTargetsByRule",
"events:ListRuleNamesByTarget",
"logs:GetLogEvents",
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "SSMParameterWriteAccess",
"Effect": "Allow",
"Action": [
"ssm:PutParameter"
],
"Resource": "arn:aws:ssm:*:*:parameter/CodeBuild/*"
},
{
"Sid": "SSMStartSessionAccess",
"Effect": "Allow",
"Action": [
"ssm:StartSession"
],
"Resource": "arn:aws:ecs:*:*:task/*/*"
},
{
"Sid": "CodeStarConnectionsUserAccess",
"Effect": "Allow",
"Action": [
"codestar-connections:ListConnections",
"codestar-connections:GetConnection"
],
"Resource": [
"arn:aws:codestar-connections:*:*:connection/*",
"arn:aws:codeconnections:*:*:connection/*"
]
},
{
"Sid": "CodeStarNotificationsReadWriteAccess",
"Effect": "Allow",
"Action": [
"codestar-notifications:CreateNotificationRule",
"codestar-notifications:DescribeNotificationRule",
"codestar-notifications:UpdateNotificationRule",
"codestar-notifications:Subscribe",
"codestar-notifications:Unsubscribe"
],
"Resource": "*",
"Condition": {
"ArnLike": {
"codestar-notifications:NotificationsForResource": "arn:aws:codebuild:*:*:project/*"
}
}
},
{
"Sid": "CodeStarNotificationsListAccess",
"Effect": "Allow",
"Action": [
"codestar-notifications:ListNotificationRules",
"codestar-notifications:ListEventTypes",
"codestar-notifications:ListTargets",
"codestar-notifications:ListTagsforResource"
],
"Resource": "*"
},
{
"Sid": "SNSTopicListAccess",
"Effect": "Allow",
"Action": [
"sns:ListTopics",
"sns:GetTopicAttributes"
],
"Resource": "*"
},
{
"Sid": "CodeStarNotificationsChatbotAccess",
"Effect": "Allow",
"Action": [
"chatbot:DescribeSlackChannelConfigurations",
"chatbot:ListMicrosoftTeamsChannelConfigurations"
],
"Resource": "*"
}
],
"Version": "2012-10-17"
}
AWSCodeBuildReadOnlyAccess
The AWSCodeBuildReadOnlyAccess
policy grants read-only access to
CodeBuild and related resources in other Amazon services. Apply this policy to users
who can view and run builds, view projects, and view report groups, but cannot
make any changes to them.
The AWSCodeBuildReadOnlyAccess
policy contains the
following policy statement:
{
"Statement": [
{
"Sid": "AWSServicesAccess",
"Action": [
"codebuild:BatchGet*",
"codebuild:GetResourcePolicy",
"codebuild:List*",
"codebuild:DescribeTestCases",
"codebuild:DescribeCodeCoverages",
"codecommit:GetBranch",
"codecommit:GetCommit",
"codecommit:GetRepository",
"cloudwatch:GetMetricStatistics",
"events:DescribeRule",
"events:ListTargetsByRule",
"events:ListRuleNamesByTarget",
"logs:GetLogEvents"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "CodeStarConnectionsUserAccess",
"Effect": "Allow",
"Action": [
"codestar-connections:ListConnections",
"codestar-connections:GetConnection"
],
"Resource": [
"arn:aws:codestar-connections:*:*:connection/*",
"arn:aws:codeconnections:*:*:connection/*"
]
},
{
"Sid": "CodeStarNotificationsPowerUserAccess",
"Effect": "Allow",
"Action": [
"codestar-notifications:DescribeNotificationRule"
],
"Resource": "*",
"Condition": {
"ArnLike": {
"codestar-notifications:NotificationsForResource": "arn:aws:codebuild:*:*:project/*"
}
}
},
{
"Sid": "CodeStarNotificationsListAccess",
"Effect": "Allow",
"Action": [
"codestar-notifications:ListNotificationRules",
"codestar-notifications:ListEventTypes",
"codestar-notifications:ListTargets"
],
"Resource": "*"
}
],
"Version": "2012-10-17"
}
CodeBuild managed policies and notifications
CodeBuild supports notifications, which can notify users of important changes to build projects. Managed policies for CodeBuild include policy statements for notification functionality. For more information, see What are notifications?.
Permissions related to notifications in read-only managed policies
The
AWSCodeBuildReadOnlyAccess
managed policy includes the following
statements to allow read-only access to notifications. Users with this managed policy applied can view notifications for resources, but cannot create, manage, or
subscribe to them.
{ "Sid": "CodeStarNotificationsPowerUserAccess", "Effect": "Allow", "Action": [ "codestar-notifications:DescribeNotificationRule" ], "Resource": "*", "Condition" : { "ArnLike" : {"codestar-notifications:NotificationsForResource" : "arn:aws:codebuild:*:*:project/*"} } }, { "Sid": "CodeStarNotificationsListAccess", "Effect": "Allow", "Action": [ "codestar-notifications:ListNotificationRules", "codestar-notifications:ListEventTypes", "codestar-notifications:ListTargets" ], "Resource": "*" }
Permissions related to notifications in other managed policies
The
AWSCodeBuildDeveloperAccess
managed policy includes the following
statements to allow users to create, edit, and subscribe to notifications. Users cannot
delete notification rules or manage tags for resources.
{ "Sid": "CodeStarNotificationsReadWriteAccess", "Effect": "Allow", "Action": [ "codestar-notifications:CreateNotificationRule", "codestar-notifications:DescribeNotificationRule", "codestar-notifications:UpdateNotificationRule", "codestar-notifications:Subscribe", "codestar-notifications:Unsubscribe" ], "Resource": "*", "Condition" : { "ArnLike" : {"codestar-notifications:NotificationsForResource" : "arn:aws:codebuild:*:*:project/*"} } }, { "Sid": "CodeStarNotificationsListAccess", "Effect": "Allow", "Action": [ "codestar-notifications:ListNotificationRules", "codestar-notifications:ListTargets", "codestar-notifications:ListTagsforResource", "codestar-notifications:ListEventTypes" ], "Resource": "*" }, { "Sid": "SNSTopicListAccess", "Effect": "Allow", "Action": [ "sns:ListTopics" ], "Resource": "*" }, { "Sid": "CodeStarNotificationsChatbotAccess", "Effect": "Allow", "Action": [ "chatbot:DescribeSlackChannelConfigurations", "chatbot:ListMicrosoftTeamsChannelConfigurations" ], "Resource": "*" }
For more information about IAM and notifications, see Identity and Access Management for AWS CodeStar Notifications.
CodeBuild updates to Amazon managed policies
View details about updates to Amazon managed policies for CodeBuild since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on Amazon CodeBuild User Guide document history .
Change | Description | Date |
---|---|---|
|
CodeBuild updated a resource to these policies. The |
November 15, 2024 |
|
CodeBuild added a resource to these policies to support the Amazon CodeConnections rebranding. The |
April 18, 2024 |
|
CodeBuild added a permission to these policies to support an additional notification type using Amazon Chatbot. The |
May 16, 2023 |
CodeBuild started tracking changes |
CodeBuild started tracking changes for its Amazon managed policies. |
May 16, 2021 |
Customer-managed policy examples
In this section, you can find example user policies that grant permissions for Amazon CodeBuild actions. These policies work when you are using the CodeBuild API, Amazon SDKs, or Amazon CLI. When you are using the console, you must grant additional, console-specific permissions. For information, see Permissions required to use the Amazon CodeBuild console.
You can use the following sample IAM policies to limit CodeBuild access for your users and roles.
Topics
- Allow a user to get information about build projects
- Allow a user to get information about fleets
- Allow a user to get information about report groups
- Allow a user to get information about reports
- Allow a user to create build projects
- Allow a user to create a fleet
- Allow a user to create a report group
- Allow a user to delete a fleet
- Allow a user to delete a report group
- Allow a user to delete a report
- Allow a user to delete build projects
- Allow a user to get a list of build project names
- Allow a user to change information about build projects
- Allow a user to change a fleet
- Allow a user to change a report group
- Allow a user to get information about builds
- Allow a user to get a list of build IDs for a build project
- Allow a user to get a list of build IDs
- Allow a user to get a list of fleets
- Allow a user to get a list of report groups
- Allow a user to get a list of reports
- Allow a user to get a list of reports for a report group
- Allow a user to get a list of test cases for a report
- Allow a user to start running builds
- Allow a user to attempt to stop builds
- Allow a user to attempt to delete builds
- Allow a user to get information about Docker images that are managed by CodeBuild
- Allow a user to add a permission policy for a fleet service role
- Allow CodeBuild access to Amazon services required to create a VPC network interface
- Use a deny statement to prevent Amazon CodeBuild from disconnecting from source providers
Allow a user to get information about build projects
The following example policy statement allows a user to get information about
build projects in the us-east-2
Region for account
123456789012
for any build project that starts with the
name my
:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:BatchGetProjects", "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/my*" } ] }
Allow a user to get information about fleets
The following example policy statement allows a user to get information about
fleets in the us-east-2
Region for account
123456789012
:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:BatchGetFleets", "Resource": "arn:aws:codebuild:us-east-2:123456789012:fleet/*" } ] }
Allow a user to get information about report groups
The following example policy statement allows a user to get information about
report groups in the us-east-2
Region for account
123456789012
:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:BatchGetReportGroups", "Resource": "arn:aws:codebuild:us-east-2:123456789012:report-group/*" } ] }
Allow a user to get information about reports
The following example policy statement allows a user to get information about
reports in the us-east-2
Region for account
123456789012
:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:BatchGetReports", "Resource": "arn:aws:codebuild:us-east-2:123456789012:report-group/*" } ] }
Allow a user to create build projects
The following example policy statement allows a user to create build projects
with any name but only in the us-east-2
Region for account
123456789012
and only using the specified CodeBuild service
role:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:CreateProject", "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/*" }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::123456789012:role/CodeBuildServiceRole" } ] }
The following example policy statement allows a user to create build projects
with any name but only in the us-east-2
Region for account
123456789012
and only using the specified CodeBuild service role.
It also enforces that the user can only use the specified service role
with Amazon CodeBuild and not any other Amazon services.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:CreateProject", "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/*" }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::123456789012:role/CodeBuildServiceRole", "Condition": { "StringEquals": {"iam:PassedToService": "codebuild.amazonaws.com"} } } ] }}
Allow a user to create a fleet
The following example policy statement allows a user to create a fleet
in the us-east-2
Region for account
123456789012
:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:CreateFleet", "Resource": "arn:aws:codebuild:us-east-2:123456789012:fleet/*" } ] }
Allow a user to create a report group
The following example policy statement allows a user to create a report group
in the us-east-2
Region for account
123456789012
:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:CreateReportGroup", "Resource": "arn:aws:codebuild:us-east-2:123456789012:report-group/*" } ] }
Allow a user to delete a fleet
The following example policy statement allows a user to delete a fleet in the
us-east-2
Region for account
123456789012
:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:DeleteFleet", "Resource": "arn:aws:codebuild:us-east-2:123456789012:fleet/*" } ] }
Allow a user to delete a report group
The following example policy statement allows a user to delete a report group
in the us-east-2
Region for account
123456789012
:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:DeleteReportGroup", "Resource": "arn:aws:codebuild:us-east-2:123456789012:report-group/*" } ] }
Allow a user to delete a report
The following example policy statement allows a user to delete a report in the
us-east-2
Region for account
123456789012
:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:DeleteReport", "Resource": "arn:aws:codebuild:us-east-2:123456789012:report-group/*" } ] }
Allow a user to delete build projects
The following example policy statement allows a user to delete build projects
in the us-east-2
Region for account
123456789012
for any build project that starts with the
name my
:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:DeleteProject", "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/my*" } ] }
Allow a user to get a list of build project names
The following example policy statement allows a user to get a list of build project names for the same account:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:ListProjects", "Resource": "*" } ] }
Allow a user to change information about build projects
The following example policy statement allows a user to change information
about build projects with any name but only in the us-east-2
Region
for account 123456789012
and only using the specified
Amazon CodeBuild service role:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:UpdateProject", "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/*" }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::123456789012:role/CodeBuildServiceRole" } ] }
Allow a user to change a fleet
The following example policy statement allows a user to change a fleet
in the us-east-2
Region for account
123456789012
:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:UpdateFleet", "Resource": "arn:aws:codebuild:us-east-2:123456789012:fleet/*" } ] }
Allow a user to change a report group
The following example policy statement allows a user to change a report group
in the us-east-2
Region for account
123456789012
:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:UpdateReportGroup", "Resource": "arn:aws:codebuild:us-east-2:123456789012:report-group/*" } ] }
Allow a user to get information about builds
The following example policy statement allows a user to get information about
builds in the us-east-2
Region for account
123456789012
for the build projects named
my-build-project
and
my-other-build-project
:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:BatchGetBuilds", "Resource": [ "arn:aws:codebuild:us-east-2:123456789012:project/my-build-project", "arn:aws:codebuild:us-east-2:123456789012:project/my-other-build-project" ] } ] }
Allow a user to get a list of build IDs for a build project
The following example policy statement allows a user to get a list of build
IDs in the us-east-2
Region for account
123456789012
for the build projects named
my-build-project
and
my-other-build-project
:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:ListBuildsForProject", "Resource": [ "arn:aws:codebuild:us-east-2:123456789012:project/my-build-project", "arn:aws:codebuild:us-east-2:123456789012:project/my-other-build-project" ] } ] }
Allow a user to get a list of build IDs
The following example policy statement allows a user to get a list of all build IDs for the same account:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:ListBuilds", "Resource": "*" } ] }
Allow a user to get a list of fleets
The following example policy statement allows a user to get a list of fleets
in the us-east-2
Region for account
123456789012
:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:ListFleets", "Resource": "*" } ] }
Allow a user to get a list of report groups
The following example policy statement allows a user to get a list of report
groups in the us-east-2
Region for account
123456789012
:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:ListReportGroups", "Resource": "*" } ] }
Allow a user to get a list of reports
The following example policy statement allows a user to get a list of reports
in the us-east-2
Region for account
123456789012
:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:ListReports", "Resource": "*" } ] }
Allow a user to get a list of reports for a report group
The following example policy statement allows a user to get a list of reports
for a report group in the us-east-2
Region for account
123456789012
:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:ListReportsForReportGroup", "Resource": "arn:aws:codebuild:us-east-2:123456789012:report-group/*" } ] }
Allow a user to get a list of test cases for a report
The following example policy statement allows a user to get a list of test
cases for a report in the us-east-2
Region for account
123456789012
:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:DescribeTestCases", "Resource": "arn:aws:codebuild:us-east-2:123456789012:report-group/*" } ] }
Allow a user to start running builds
The following example policy statement allows a user to run builds in the
us-east-2
Region for account 123456789012
for a build project that starts with the name my
:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:StartBuild", "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/my*" } ] }
Allow a user to attempt to stop builds
The following example policy statement allows a user to attempt to stop
running builds only in the us-east-2
region for account
123456789012
for any build project that starts with the
name my
:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:StopBuild", "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/my*" } ] }
Allow a user to attempt to delete builds
The following example policy statement allows a user to attempt to delete
builds only in the us-east-2
Region for account
123456789012
for any build project that starts with the
name my
:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:BatchDeleteBuilds", "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/my*" } ] }
Allow a user to get information about Docker images that are managed by CodeBuild
The following example policy statement allows a user to get information about all Docker images that are managed by CodeBuild:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "codebuild:ListCuratedEnvironmentImages", "Resource": "*" } ] }
Allow a user to add a permission policy for a fleet service role
The following example resource policy statement allows a user to add a VPC permission policy for a fleet service role:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CodeBuildFleetVpcCreateNI", "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface" ], "Resource": [ "arn:aws:ec2:
region
:account-id
:subnet/subnet-id-1", "arn:aws:ec2:region
:account-id
:security-group/security-group-id-1", "arn:aws:ec2:region
:account-id
:network-interface/*" ] }, { "Sid": "CodeBuildFleetVpcPermission", "Effect": "Allow", "Action": [ "ec2:DescribeDhcpOptions", "ec2:DescribeNetworkInterfaces", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:ModifyNetworkInterfaceAttribute", "ec2:DeleteNetworkInterface" ], "Resource": "*" }, { "Sid": "CodeBuildFleetVpcNIPermission", "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterfacePermission" ], "Resource": "arn:aws:ec2:region
:account-id
:network-interface/*", "Condition": { "StringEquals": { "ec2:Subnet": [ "arn:aws:ec2:region
:account-id
:subnet/subnet-id-1" ] } } } ] }
The following example resource policy statement allows a user to add a custom Amazon Managed Image (AMI) permission policy for a fleet service role:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:DescribeImages", "Resource": "*" } ] }
The following example trust policy statement allows a user to add a permission policy for a fleet service role:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CodeBuildFleetVPCTrustPolicy", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "
account-id
" } } } ] }
Allow CodeBuild access to Amazon services required to create a VPC network interface
The following example policy statement grants Amazon CodeBuild permission to create a network interface in a VPC with two subnets:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface", "ec2:DescribeDhcpOptions", "ec2:DescribeNetworkInterfaces", "ec2:DeleteNetworkInterface", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribeVpcs" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterfacePermission" ], "Resource": "arn:aws:ec2:
region
:account-id
:network-interface/*", "Condition": { "StringEquals": { "ec2:AuthorizedService": "codebuild.amazonaws.com" }, "ArnEquals": { "ec2:Subnet": [ "arn:aws:ec2:region
:account-id
:subnet/subnet-id-1", "arn:aws:ec2:region
:account-id
:subnet/subnet-id-2" ] } } } ] }
Use a deny statement to prevent Amazon CodeBuild from disconnecting from source providers
The following example policy statement uses a deny statement to prevent
Amazon CodeBuild from disconnecting from source providers. It uses
codebuild:DeleteOAuthToken
, which is the inverse of
codebuild:PersistOAuthToken
and
codebuild:ImportSourceCredentials
, to connect with source
providers. For more information, see Permissions required for the Amazon CodeBuild console to
connect to source providers.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "codebuild:DeleteOAuthToken", "Resource": "*" } ] }