Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Allow CodeBuild to interact with other Amazon services

If you follow the steps in Getting started using the console to access Amazon CodeBuild for the first time, you most likely do not need the information in this topic. However, as you continue using CodeBuild, you might want to do things such as allow CodeBuild to interact with other Amazon services.

To allow CodeBuild to interact with dependent Amazon services on your behalf, you need an Amazon CodeBuild service role. You can create a CodeBuild service role by using the CodeBuild or Amazon CodePipeline consoles. For information, see:

If you do not plan to use these consoles, this section describes how to create a CodeBuild service role with the IAM console or the Amazon CLI.

Important

CodeBuild uses the service role for all operations that are performed on your behalf. If the role includes permissions that the user shouldn't have, you can unintentionally escalate a user's permissions. Ensure that the role grants least privilege.

The service role described on this page contains a policy that grants the minimum permissions required to use CodeBuild. You may need to add additional permissions, depending on your use case.

To create a CodeBuild service role (console)
  1. Open the IAM console at https://console.amazonaws.cn/iam/.

    You should have already signed in to the console by using one of the following:

    • Your Amazon root account. This is not recommended. For more information, see The Amazon Web Services account root user in the IAM User Guide.

    • An administrator user in your Amazon account. For more information, see Creating your first IAM admin user and group in the IAM User Guide.

    • An IAM user in your Amazon account with permission to perform the following minimum set of actions:

      iam:AddRoleToInstanceProfile
      iam:AttachRolePolicy
      iam:CreateInstanceProfile
      iam:CreatePolicy
      iam:CreateRole
      iam:GetRole
      iam:ListAttachedRolePolicies
      iam:ListPolicies
      iam:ListRoles
      iam:PassRole
      iam:PutRolePolicy
      iam:UpdateAssumeRolePolicy

      For more information, see Overview of IAM Policies in the IAM User Guide.

  2. In the navigation pane, choose Policies.

  3. Choose Create Policy.

  4. On the Create Policy page, choose JSON.

  5. For the JSON policy, enter the following, and then choose Review Policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "CloudWatchLogsPolicy",
          "Effect": "Allow",
          "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
          ],
          "Resource": "*"
        },
        {
          "Sid": "CodeCommitPolicy",
          "Effect": "Allow",
          "Action": [
            "codecommit:GitPull"
          ],
          "Resource": "*"
        },
        {
          "Sid": "S3GetObjectPolicy",
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:GetObjectVersion"
          ],
          "Resource": "*"
        },
        {
          "Sid": "S3PutObjectPolicy",
          "Effect": "Allow",
          "Action": [
            "s3:PutObject"
          ],
          "Resource": "*"
        },
        {
          "Sid": "ECRPullPolicy",
          "Effect": "Allow",
          "Action": [
            "ecr:BatchCheckLayerAvailability",
            "ecr:GetDownloadUrlForLayer",
            "ecr:BatchGetImage"
          ],
          "Resource": "*"
        },
        {
          "Sid": "ECRAuthPolicy",
          "Effect": "Allow",
          "Action": [
            "ecr:GetAuthorizationToken"
          ],
          "Resource": "*"
        },
        {
          "Sid": "S3BucketIdentity",
          "Effect": "Allow",
          "Action": [
            "s3:GetBucketAcl",
            "s3:GetBucketLocation"
          ],
          "Resource": "*"
        }
      ]
    }

    Note

    This policy contains statements that allow access to a potentially large number of Amazon resources. To restrict Amazon CodeBuild to access specific Amazon resources, change the value of the Resource array. For more information, see the security documentation for the Amazon service.

  6. On the Review Policy page, for Policy Name, enter a name for the policy (for example, CodeBuildServiceRolePolicy), and then choose Create policy.

    Note

    If you use a different name, be sure to use it throughout this procedure.

  7. In the navigation pane, choose Roles.

  8. Choose Create role.

  9. On the Create role page, with Amazon Service already selected, choose CodeBuild, and then choose Next: Permissions.

  10. On the Attach permissions policies page, select CodeBuildServiceRolePolicy, and then choose Next: Review.

  11. On the Create role and review page, for Role name, enter a name for the role (for example, CodeBuildServiceRole), and then choose Create role.

To create a CodeBuild service role (Amazon CLI)
  1. Make sure you have configured the Amazon CLI with the Amazon access key and Amazon secret access key that correspond to one of the IAM entities, as described in the previous procedure. For more information, see Getting Set Up with the Amazon Command Line Interface in the Amazon Command Line Interface User Guide.

  2. In an empty directory on the local workstation or instance where the Amazon CLI is installed, create two files named create-role.json and put-role-policy.json. If you choose different file names, be sure to use them throughout this procedure.

    create-role.json:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "codebuild.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

    Note

    We recommend that you use the aws:SourceAccount and aws:SourceArn condition keys to protect yourself against the confused deputy problem. For example, you can add the following condition blocks to the preceding trust policy. The aws:SourceAccount is the owner of the CodeBuild project and the aws:SourceArn is the CodeBuild project ARN.

    If you would like to restrict your service role to an Amazon account, create-role.json might look similar to this:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "codebuild.amazonaws.com"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "aws:SourceAccount": [
                "account-ID"
              ]
            }
          }
        }
      ]
    }

    If you would like to restrict your service role to a specific CodeBuild project, create-role.json might look similar to this:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "codebuild.amazonaws.com"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "aws:SourceArn": "arn:aws:codebuild:region-ID:account-ID:project/project-name"
            }
          }
        }
      ]
    }

    Note

    If you don't know or haven't decided on a name for your CodeBuild project and want a trust policy restriction on a particular ARN pattern, you can replace that portion of the ARN with a wildcard (*). After you create your project, you can then update the trust policy.

    put-role-policy.json:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "CloudWatchLogsPolicy",
          "Effect": "Allow",
          "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
          ],
          "Resource": "*"
        },
        {
          "Sid": "CodeCommitPolicy",
          "Effect": "Allow",
          "Action": [
            "codecommit:GitPull"
          ],
          "Resource": "*"
        },
        {
          "Sid": "S3GetObjectPolicy",
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:GetObjectVersion"
          ],
          "Resource": "*"
        },
        {
          "Sid": "S3PutObjectPolicy",
          "Effect": "Allow",
          "Action": [
            "s3:PutObject"
          ],
          "Resource": "*"
        },
        {
          "Sid": "S3BucketIdentity",
          "Effect": "Allow",
          "Action": [
            "s3:GetBucketAcl",
            "s3:GetBucketLocation"
          ],
          "Resource": "*"
        }
      ]
    }

    Note

    This policy contains statements that allow access to a potentially large number of Amazon resources. To restrict Amazon CodeBuild to access specific Amazon resources, change the value of the Resource array. For more information, see the security documentation for the Amazon service.

  3. Switch to the directory where you saved the preceding files, and then run the following two commands, one at a time, in this order. If you chose different names than CodeBuildServiceRole and CodeBuildServiceRolePolicy, use those names here as well.

    aws iam create-role --role-name CodeBuildServiceRole --assume-role-policy-document file://create-role.json
    aws iam put-role-policy --role-name CodeBuildServiceRole --policy-name CodeBuildServiceRolePolicy --policy-document file://put-role-policy.json
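The two notes above (restricting the trust policy with aws:SourceAccount / aws:SourceArn, and narrowing "Resource": "*") are easy to get wrong by hand, so the following added example, which is not part of this guide and not Amazon code, builds a confused-deputy-safe trust policy and audits both policy documents before they are passed to `aws iam create-role` / `put-role-policy`. The embedded trust policy is a constructed copy of the unrestricted create-role.json shown above; the account ID and project ARN used are placeholders.

```python
import json

CODEBUILD_PRINCIPAL = "codebuild.amazonaws.com"
# Constructed sample: the unrestricted create-role.json trust policy shown above.
UNRESTRICTED_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"Service": "codebuild.amazonaws.com"},
   "Action": "sts:AssumeRole"}]}""")


def _as_list(value):
    """IAM accepts a scalar or a list for most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def build_trust_policy(account_id, project_arn=None):
    """Trust policy that lets CodeBuild assume the role only on behalf of
    account_id and, when given, one project ARN (the confused-deputy guard)."""
    condition = {"StringEquals": {"aws:SourceAccount": account_id}}
    if project_arn:
        condition["StringEquals"]["aws:SourceArn"] = project_arn
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": CODEBUILD_PRINCIPAL},
        "Action": "sts:AssumeRole",
        "Condition": condition}]}


def audit_trust_policy(policy):
    """Flag Allow statements that let CodeBuild assume the role with neither
    an aws:SourceAccount nor an aws:SourceArn condition."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or CODEBUILD_PRINCIPAL not in services:
            continue
        # Condition is {operator: {condition-key: value}}; collect every condition key.
        keys = {k.lower() for vals in stmt.get("Condition", {}).values() for k in vals}
        if not keys & {"aws:sourceaccount", "aws:sourcearn"}:
            findings.append(f"statement {idx}: any CodeBuild project in any account can assume this role")
    return findings


def audit_permissions_policy(policy):
    """Return the Sids of Allow statements whose Resource is the wildcard '*'."""
    return [stmt.get("Sid", f"statement {i}") for i, stmt in enumerate(policy.get("Statement", []))
            if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", []))]
```

Run `audit_trust_policy` on the JSON loaded from create-role.json and `audit_permissions_policy` on put-role-policy.json; `json.dumps(build_trust_policy(...), indent=2)` produces a drop-in replacement for create-role.json.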