IAM policies for Amazon CodeBuild calls in Step Functions
The following example templates show how Amazon Step Functions generates IAM policies based on the resources in your state machine definition. For more information, see How Step Functions generates IAM policies for integrated services and Discover service integration patterns in Step Functions.
Resources:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sns:Publish"
],
"Resource": [
"arn:aws:sns:sa-east-1:123456789012:StepFunctionsSample-CodeBuildExecution1111-2222-3333-wJalrXUtnFEMI-SNSTopic-bPxRfiCYEXAMPLEKEY"
],
"Effect": "Allow"
},
{
"Action": [
"codebuild:StartBuild",
"codebuild:StopBuild",
"codebuild:BatchGetBuilds",
"codebuild:BatchGetReports"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"events:PutTargets",
"events:PutRule",
"events:DescribeRule"
],
"Resource": [
"arn:aws:events:sa-east-1:123456789012:rule/StepFunctionsGetEventForCodeBuildStartBuildRule"
],
"Effect": "Allow"
}
]
}StartBuild
Static resources
Dynamic resources
StopBuild
Static resources
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codebuild:StopBuild"
],
"Resource": [
"arn:aws:codebuild:[[region]]:[[accountId]]:project/[[projectName]]Dynamic resources
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codebuild:StopBuild"
],
"Resource": [
"arn:aws:codebuild:[[region]]:*:project/*"
]
}
]
}BatchDeleteBuilds
Static resources
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codebuild:BatchDeleteBuilds"
],
"Resource": [
"arn:aws:codebuild:[[region]]:[[accountId]]:project/[[projectName]]"
]
}
]
}Dynamic resources
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codebuild:BatchDeleteBuilds"
],
"Resource": [
"arn:aws:codebuild:[[region]]:*:project/*"
]
}
]
}BatchGetReports
Static resources
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codebuild:BatchGetReports"
],
"Resource": [
"arn:aws:codebuild:[[region]]:[[accountId]]:report-group/[[reportName]]"
]
}
]
}Dynamic resources
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codebuild:BatchGetReports"
],
"Resource": [
"arn:aws:codebuild:[[region]]:*:report-group/*"
]
}
]
}StartBuildBatch
Static resources
Dynamic resources
StopBuildBatch
Static resources
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codebuild:StopBuildBatch"
],
"Resource": [
"arn:aws:codebuild:[[region]]:[[accountId]]:project/[[projectName]]"
]
}
]
}Dynamic resources
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codebuild:StopBuildBatch"
],
"Resource": [
"arn:aws:codebuild:[[region]]:[[accountId]]:project/*"
]
}
]
}RetryBuildBatch
Static resources
Dynamic resources
DeleteBuildBatch
Static resources
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codebuild:DeleteBuildBatch"
],
"Resource": [
"arn:aws:codebuild:[[region]]:[[accountId]]:project/[[projectName]]"
]
}
]
}Dynamic resources
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codebuild:DeleteBuildBatch"
],
"Resource": [
"arn:aws:codebuild:[[region]]:[[accountId]]:project/*"
]
}
]
}