Test report permissions
This topic describes important information about permissions related to test reporting.
IAM role for test reports
To run a test report, and to update a project to include test reports, your IAM role requires the following permissions. These permissions are included in the predefined Amazon managed policies. If you want to add test reporting to an existing build project, you must add these permissions yourself.
- CreateReportGroup
- CreateReport
- UpdateReport
- BatchPutTestCases
To run a code coverage report, your IAM role must also include the BatchPutCodeCoverages permission.
Note
BatchPutTestCases, CreateReport, UpdateReport, and BatchPutCodeCoverages are not public permissions. You cannot call a corresponding Amazon CLI command or SDK method for these permissions.
To make sure you have these permissions, you can attach the following policy to your IAM role:
{
    "Effect": "Allow",
    "Resource": [
        "*"
    ],
    "Action": [
        "codebuild:CreateReportGroup",
        "codebuild:CreateReport",
        "codebuild:UpdateReport",
        "codebuild:BatchPutTestCases",
        "codebuild:BatchPutCodeCoverages"
    ]
}
We recommend that you restrict this policy to only those report groups you must use. The following restricts permissions to only the report groups with the two ARNs in the policy:
{
    "Effect": "Allow",
    "Resource": [
        "arn:aws:codebuild:your-region:your-aws-account-id:report-group/report-group-name-1",
        "arn:aws:codebuild:your-region:your-aws-account-id:report-group/report-group-name-2"
    ],
    "Action": [
        "codebuild:CreateReportGroup",
        "codebuild:CreateReport",
        "codebuild:UpdateReport",
        "codebuild:BatchPutTestCases",
        "codebuild:BatchPutCodeCoverages"
    ]
}
The following restricts permissions to only report groups created by running builds of a project named my-project:
{
    "Effect": "Allow",
    "Resource": [
        "arn:aws:codebuild:your-region:your-aws-account-id:report-group/my-project-*"
    ],
    "Action": [
        "codebuild:CreateReportGroup",
        "codebuild:CreateReport",
        "codebuild:UpdateReport",
        "codebuild:BatchPutTestCases",
        "codebuild:BatchPutCodeCoverages"
    ]
}
Note
The CodeBuild service role specified in the project is used for permissions to upload to the S3 bucket.
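The recommendation above to restrict the report permissions to specific report groups can be checked mechanically. The following is an added example, not part of the CodeBuild documentation: a small Python audit that flags Allow statements granting the report-writing actions on an unscoped resource. The function names, the definition of "scoped", and the sample policy are assumptions made for this illustration.

```python
import json
import re

# Report-writing actions taken from the policies on this page.
REPORT_ACTIONS = [
    "codebuild:CreateReportGroup", "codebuild:CreateReport",
    "codebuild:UpdateReport", "codebuild:BatchPutTestCases",
    "codebuild:BatchPutCodeCoverages"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _iam_match(pattern, action):
    # IAM action patterns are case-insensitive; '*' and '?' are wildcards.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def _is_scoped(resource):
    # Assumption: "scoped" means the ARN names a report group or a name
    # prefix (for example my-project-*), as in the restricted policies above.
    _, sep, name = resource.partition(":report-group/")
    return bool(sep) and name.strip("*") != ""

def find_broad_report_grants(policy):
    """Return (statement index, resource, granted actions) for every Allow
    statement that grants report-writing actions on an unscoped resource.
    NotAction and NotResource statements are not evaluated."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        granted = [a for a in REPORT_ACTIONS
                   if any(_iam_match(p, a) for p in _as_list(stmt["Action"]))]
        for res in _as_list(stmt.get("Resource", [])):
            if granted and not _is_scoped(res):
                findings.append((i, res, granted))
    return findings

# Constructed sample: statement 0 is broad, 1 is scoped, 2 is unrelated.
SAMPLE = json.loads("""
{"Version": "2012-10-17", "Statement": [
 {"Effect": "Allow", "Resource": ["*"],
  "Action": ["codebuild:BatchPut*", "codebuild:CreateReport"]},
 {"Effect": "Allow", "Action": ["codebuild:UpdateReport"], "Resource": [
  "arn:aws:codebuild:your-region:your-aws-account-id:report-group/my-project-*"]},
 {"Effect": "Allow", "Resource": "*", "Action": "s3:PutObject"}]}""")

if __name__ == "__main__":
    for idx, res, actions in find_broad_report_grants(SAMPLE):
        print(f"statement {idx}: {', '.join(actions)} allowed on {res}")
```

Wildcard action patterns such as codebuild:BatchPut* are expanded before the resource check, so a statement is flagged even when it never names the report actions literally.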
Permissions for test reporting operations
You can specify permissions for the following test reporting CodeBuild API operations:
- BatchGetReportGroups
- BatchGetReports
- CreateReportGroup
- DeleteReportGroup
- DeleteReport
- DescribeTestCases
- ListReportGroups
- ListReports
- ListReportsForReportGroup
- UpdateReportGroup
For more information, see Amazon CodeBuild permissions reference.
Test reporting permissions examples
For information about sample policies related to test reporting, see the following: