Key management - Amazon CodeBuild

Key management

You can protect your content from unauthorized use through encryption. Store your encryption keys in Amazon Secrets Manager, and then give the CodeBuild service role associated with the build project permission to obtain the encryption keys from Secrets Manager. For more information, see Create and configure a customer managed key for CodeBuild, Create a build project in Amazon CodeBuild, Run a build in Amazon CodeBuild, and Tutorial: Storing and retrieving a secret.
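One way to review the service-role permission described above, as an added example that is not part of the AWS documentation: a small check that flags policy statements letting the role read every secret instead of only the one that holds the build's keys. The policy documents, account ID, Region and secret name are constructed sample values, and `overbroad_secret_grants` is a hypothetical helper.

```python
import fnmatch

READ_ACTION = "secretsmanager:getsecretvalue"  # IAM action names are case-insensitive

def _as_list(value):
    return value if isinstance(value, list) else [value]

def overbroad_secret_grants(policy):
    """Return (Sid, Resource) pairs where an Allow statement lets the role read
    secrets through a catch-all resource. NotAction/NotResource are not evaluated."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        # Action patterns may use wildcards, e.g. "secretsmanager:*" or "*"
        if not any(fnmatch.fnmatchcase(READ_ACTION, a.lower()) for a in actions):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            # In a Secrets Manager ARN the sixth field onward is "secret:<name>"
            target = res.split(":", 5)[-1] if res.startswith("arn:") else res
            if target in ("*", "secret:*"):
                findings.append((stmt.get("Sid", "<no Sid>"), res))
    return findings

# Constructed sample policies; account ID, Region and secret name are placeholders.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ReadAnySecret", "Effect": "Allow",
                   "Action": "secretsmanager:*", "Resource": "*"}],
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadBuildKeySecret", "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue"],
        # Trailing ?????? matches the random suffix Secrets Manager appends to the name
        "Resource": "arn:aws-cn:secretsmanager:cn-north-1:111122223333:"
                    "secret:codebuild/signing-key-??????",
    }],
}

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, overbroad_secret_grants(doc) or "ok")
```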

Use the CODEBUILD_KMS_KEY_ID environment variable in a build command to obtain the Amazon KMS key identifier. For more information, see Environment variables in build environments.

You can use Secrets Manager to protect credentials to a private registry that stores a Docker image used for your runtime environment. For more information, see Private registry with Amazon Secrets Manager sample for CodeBuild.