IAM policies for Amazon CodeBuild
The following example templates show how Amazon Step Functions generates IAM policies based on the resources in your state machine definition. For more information, see IAM Policies for integrated services and Service integration patterns.
Resources:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sns:Publish"
],
"Resource": [
"arn:aws:sns:sa-east-1:123456789012:StepFunctionsSample-CodeBuildExecution1111-2222-3333-wJalrXUtnFEMI-SNSTopic-bPxRfiCYEXAMPLEKEY"
],
"Effect": "Allow"
},
{
"Action": [
"codebuild:StartBuild",
"codebuild:StopBuild",
"codebuild:BatchGetBuilds",
"codebuild:BatchGetReports"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"events:PutTargets",
"events:PutRule",
"events:DescribeRule"
],
"Resource": [
"arn:aws:events:sa-east-1:123456789012:rule/StepFunctionsGetEventForCodeBuildStartBuildRule"
],
"Effect": "Allow"
}
]
}StartBuild
Static resources
Dynamic resources
StopBuild
Static resources
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codebuild:StopBuild"
],
"Resource": [
"arn:aws:codebuild:[[region]]:[[accountId]]:project/[[projectName]]Dynamic resources
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codebuild:StopBuild"
],
"Resource": [
"arn:aws:codebuild:[[region]]:*:project/*"
]
}
]
}BatchDeleteBuilds
Static resources
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codebuild:BatchDeleteBuilds"
],
"Resource": [
"arn:aws:codebuild:[[region]]:[[accountId]]:project/[[projectName]]"
]
}
]
}Dynamic resources
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codebuild:BatchDeleteBuilds"
],
"Resource": [
"arn:aws:codebuild:[[region]]:*:project/*"
]
}
]
}BatchGetReports
Static resources
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codebuild:BatchGetReports"
],
"Resource": [
"arn:aws:codebuild:[[region]]:[[accountId]]:report-group/[[reportName]]"
]
}
]
}Dynamic resources
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codebuild:BatchGetReports"
],
"Resource": [
"arn:aws:codebuild:[[region]]:*:report-group/*"
]
}
]
}StartBuildBatch
Static resources
Dynamic resources
StopBuildBatch
Static resources
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codebuild:StopBuildBatch"
],
"Resource": [
"arn:aws:codebuild:[[region]]:[[accountId]]:project/[[projectName]]"
]
}
]
}Dynamic resources
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codebuild:StopBuildBatch"
],
"Resource": [
"arn:aws:codebuild:[[region]]:[[accountId]]:project/*"
]
}
]
}RetryBuildBatch
Static resources
Dynamic resources
DeleteBuildBatch
Static resources
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codebuild:DeleteBuildBatch"
],
"Resource": [
"arn:aws:codebuild:[[region]]:[[accountId]]:project/[[projectName]]"
]
}
]
}Dynamic resources
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"codebuild:DeleteBuildBatch"
],
"Resource": [
"arn:aws:codebuild:[[region]]:[[accountId]]:project/*"
]
}
]
}