Using tags to control access to Amazon CodeBuild resources - Amazon CodeBuild

Using tags to control access to Amazon CodeBuild resources

Conditions in IAM policy statements are part of the syntax that you can use to specify permissions to CodeBuild project-based actions. You can create a policy that allows or denies actions on projects based on the tags associated with those projects, and then apply those policies to the IAM groups you configure for managing users. For information about applying tags to a project using the console or Amazon CLI, see Create a build project in Amazon CodeBuild. For information about applying tags using the CodeBuild SDK, see CreateProject and Tags in the CodeBuild API Reference. For information about using tags to control access to Amazon resources, see Controlling Access to Amazon Resources Using Resource Tags in the IAM User Guide.

Example 1: Limit CodeBuild project actions based on resource tags

The following example denies all BatchGetProjects actions on projects tagged with the key Environment and the value Production. An administrator must attach this IAM policy, in addition to the managed user policy, to the users who are not authorized to view those projects. The aws:ResourceTag condition key controls access to resources based on the tags already attached to them.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "codebuild:BatchGetProjects"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:ResourceTag/Environment": "Production"
        }
      }
    }
  ]
}

Example 2: Limit CodeBuild project actions based on request tags

The following policy denies users permission to call CreateProject if the request contains a tag with the key Environment and the value Production. In addition, the policy uses the aws:TagKeys condition key to deny UpdateProject if the request contains a tag with the key Environment, so these users cannot attach that tag to an existing project either. An administrator must attach this IAM policy, in addition to the managed user policy, to the users who are not authorized to perform these actions. The aws:RequestTag condition key controls which tags can be passed in an IAM request.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "codebuild:CreateProject"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:RequestTag/Environment": "Production"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "codebuild:UpdateProject"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": ["Environment"]
        }
      }
    }
  ]
}

Example 3: Deny or allow actions on report groups based on resource tags

You can create a policy that allows or denies actions on CodeBuild resources (projects and report groups) based on the Amazon tags associated with those resources, and then apply those policies to the IAM groups you configure for managing users. For example, you can create a policy that denies all CodeBuild actions on any report group with the Amazon tag key Status and the key value of Secret, and then apply that policy to the IAM group you created for general developers (Developers). You then need to make sure that the developers working on those tagged report groups are not members of that general Developers group, but belong instead to a different IAM group that does not have the restrictive policy applied (SecretDevelopers).

The following example denies all CodeBuild actions on report groups tagged with the key Status and the key value of Secret:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "codebuild:BatchGetReportGroups",
        "codebuild:CreateReportGroup",
        "codebuild:DeleteReportGroup",
        "codebuild:ListReportGroups",
        "codebuild:ListReportsForReportGroup",
        "codebuild:UpdateReportGroup"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Status": "Secret"
        }
      }
    }
  ]
}

Example 4: Limit CodeBuild actions to AWSCodeBuildDeveloperAccess based on resource tags

You can create policies that allow CodeBuild actions on all report groups and projects that are not tagged with specific tags. For example, the following policy allows the equivalent of AWSCodeBuildDeveloperAccess permissions for all report groups and projects except those tagged with the specified tags:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codebuild:StartBuild",
        "codebuild:StopBuild",
        "codebuild:BatchGet*",
        "codebuild:GetResourcePolicy",
        "codebuild:DescribeTestCases",
        "codebuild:List*",
        "codecommit:GetBranch",
        "codecommit:GetCommit",
        "codecommit:GetRepository",
        "codecommit:ListBranches",
        "cloudwatch:GetMetricStatistics",
        "events:DescribeRule",
        "events:ListTargetsByRule",
        "events:ListRuleNamesByTarget",
        "logs:GetLogEvents",
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:ResourceTag/Status": "Secret",
          "aws:ResourceTag/Team": "Saanvi"
        }
      }
    }
  ]
}
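The four examples above depend on a few IAM evaluation rules that are easy to get wrong when writing tag-based conditions: an explicit Deny overrides any Allow, several keys under one operator are ANDed, ForAnyValue:StringEquals never matches when the key is absent or empty, and a negated operator such as StringNotEquals matches when the tag is absent. The following evaluator is an added illustration written for this page, not AWS code and not the real IAM engine; it models only the operators and context keys the page uses (aws:ResourceTag/*, aws:RequestTag/* and aws:TagKeys) and checks the page's Example 1, 2 and 4 policies against constructed resource and request tags. The Example 4 action list is shortened to its codebuild entries, which does not change the tag logic.

```python
"""Offline evaluator for the tag-based condition semantics used by the page's
examples. Added illustration, not AWS code: it models only StringEquals,
StringNotEquals and ForAnyValue:StringEquals over aws:ResourceTag/*,
aws:RequestTag/* and aws:TagKeys, plus action wildcards and Deny precedence."""
from fnmatch import fnmatchcase

# Copies of the page's Example 1, 2 and 4 policies (Example 4 actions shortened
# to the codebuild entries; the other services do not affect the tag logic).
EXAMPLE_1 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["codebuild:BatchGetProjects"], "Resource": "*",
     "Condition": {"ForAnyValue:StringEquals": {"aws:ResourceTag/Environment": "Production"}}}]}

EXAMPLE_2 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["codebuild:CreateProject"], "Resource": "*",
     "Condition": {"ForAnyValue:StringEquals": {"aws:RequestTag/Environment": "Production"}}},
    {"Effect": "Deny", "Action": ["codebuild:UpdateProject"], "Resource": "*",
     "Condition": {"ForAnyValue:StringEquals": {"aws:TagKeys": ["Environment"]}}}]}

EXAMPLE_4 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["codebuild:StartBuild", "codebuild:StopBuild", "codebuild:BatchGet*",
                "codebuild:GetResourcePolicy", "codebuild:DescribeTestCases", "codebuild:List*"],
     "Condition": {"StringNotEquals": {"aws:ResourceTag/Status": "Secret",
                                       "aws:ResourceTag/Team": "Saanvi"}}}]}


def context_keys(resource_tags, request_tags):
    """Derive the condition context from the target resource's tags and the
    tags carried in the request (both are constructed inputs in this example)."""
    ctx = {f"aws:ResourceTag/{k}": v for k, v in resource_tags.items()}
    ctx.update({f"aws:RequestTag/{k}": v for k, v in request_tags.items()})
    ctx["aws:TagKeys"] = sorted(request_tags)  # multivalued key: tag keys in the request
    return ctx


def _match(operator, key, policy_values, ctx):
    """Evaluate one condition key under one operator against the context."""
    wanted = policy_values if isinstance(policy_values, list) else [policy_values]
    present = key in ctx
    actual = ctx.get(key)
    if operator == "ForAnyValue:StringEquals":
        # Set operator: true if any value of the key equals any policy value;
        # a missing key, or an empty list such as aws:TagKeys, never matches.
        values = actual if isinstance(actual, list) else ([actual] if present else [])
        return any(v in wanted for v in values)
    if isinstance(actual, list):
        raise ValueError(f"{key} is multivalued; use a ForAnyValue/ForAllValues operator")
    if operator == "StringEquals":
        return present and actual in wanted           # missing key: no match
    if operator == "StringNotEquals":
        return (not present) or actual not in wanted  # missing key: matches
    raise ValueError(f"operator {operator} is not modelled here")


def evaluate(policy, action, ctx):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy: a matching
    explicit Deny wins immediately; otherwise a matching Allow allows; otherwise
    nothing in this policy applies and another attached policy must allow."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatchcase(action, p) for p in patterns):
            continue
        # Every operator block, and every key inside it, must match (logical AND).
        conditions = stmt.get("Condition", {})
        if not all(_match(op, key, vals, ctx)
                   for op, block in conditions.items() for key, vals in block.items()):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    prod = context_keys({"Environment": "Production"}, {})
    print(evaluate(EXAMPLE_1, "codebuild:BatchGetProjects", prod))     # Deny
    tagged = context_keys({}, {"Environment": "Dev"})
    print(evaluate(EXAMPLE_2, "codebuild:UpdateProject", tagged))      # Deny via aws:TagKeys
    untagged = context_keys({}, {})
    print(evaluate(EXAMPLE_4, "codebuild:ListBuilds", untagged))       # Allow
```

Two results are worth noticing. For Example 2, an UpdateProject request carrying Environment=Dev is still denied, because aws:TagKeys only checks which keys are present, not their values. For Example 4, a project with no Status or Team tag at all is allowed, since StringNotEquals is satisfied by an absent key; if untagged resources should not be reachable, the policy needs an additional condition rather than relying on the negated match.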