AWS CodeBuild permissions reference - AWS CodeBuild

You can use AWS-wide condition keys in your AWS CodeBuild policies to express conditions. For a list, see Available Keys in the IAM User Guide.

You specify the actions in the policy's Action field. To specify an action, use the codebuild: prefix followed by the API operation name (for example, codebuild:CreateProject and codebuild:StartBuild). To specify multiple actions in a single statement, separate them with commas (for example, "Action": [ "codebuild:CreateProject", "codebuild:StartBuild" ]).

Using Wildcard Characters

You specify an ARN, with or without a wildcard character (*), as the resource value in the policy's Resource field. You can use a wildcard to specify multiple actions or resources. For example, codebuild:* specifies all CodeBuild actions and codebuild:Batch* specifies all CodeBuild actions that begin with the word Batch. The following example grants access to all build projects with names that begin with my:

arn:aws:codebuild:us-east-2:123456789012:project/my*
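
The following is an added example, not AWS code: a small Python audit that expands Action wildcards against a subset of the operations listed on this page and reports which actions a policy grants on a given project ARN, flagging resource-scoped actions that are allowed on Resource "*". The function names, the ACTIONS subset and the sample policy are assumptions made for illustration; Deny statements and Condition blocks are not evaluated.

```python
import re

# Subset of this page's list: action -> resource type it is scoped to
# ("*" means the page gives Resource: * for that action).
ACTIONS = {
    "BatchDeleteBuilds": "project", "BatchGetBuilds": "project",
    "BatchGetProjects": "project", "BatchGetReports": "report-group",
    "DeleteProject": "project", "DeleteReportGroup": "report-group",
    "ImportSourceCredentials": "*", "ListProjects": "*",
    "StartBuild": "project", "StopBuild": "project",
}

def wildcard_match(pattern, value, ignore_case=False):
    # IAM-style match: '*' is any run of characters, '?' is one character.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def expand_actions(pattern):
    # CodeBuild actions (from ACTIONS) covered by one Action pattern.
    return sorted(a for a in ACTIONS
                  if wildcard_match(pattern, "codebuild:" + a, ignore_case=True))

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit(policy, project_arn):
    # Returns (actions granted on project_arn, findings about Resource "*").
    granted, findings = set(), []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = as_list(stmt["Resource"])
        for pattern in as_list(stmt["Action"]):
            for act in expand_actions(pattern):
                if ACTIONS[act] == "project" and any(
                        wildcard_match(r, project_arn) for r in resources):
                    granted.add(act)
                if ACTIONS[act] != "*" and "*" in resources:
                    findings.append(f"codebuild:{act} allowed on Resource '*'")
    return sorted(granted), findings

# Constructed sample policy; the account ID and project prefix are placeholders.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "codebuild:Batch*",
     "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/my*"},
    {"Effect": "Allow",
     "Action": ["codebuild:ListProjects", "codebuild:DeleteProject"],
     "Resource": "*"},
]}
```

Running audit(POLICY, ...) against a project whose name does not begin with my shows that the second statement still grants DeleteProject there, which is the kind of over-broad grant the Resource column below helps you avoid.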

CodeBuild API operations and required permissions for actions

BatchDeleteBuilds

Action: codebuild:BatchDeleteBuilds

Required to delete builds.

Resource: arn:aws:codebuild:`region-ID`:`account-ID`:project/`project-name`

BatchGetBuilds

Action: codebuild:BatchGetBuilds

Required to get information about builds.

Resource: arn:aws:codebuild:`region-ID`:`account-ID`:project/`project-name`

BatchGetProjects

Action: codebuild:BatchGetProjects

Required to get information about build projects.

Resource: arn:aws:codebuild:`region-ID`:`account-ID`:project/`project-name`

BatchGetReportGroups

Action: codebuild:BatchGetReportGroups

Required to get information about report groups.

Resource: arn:aws:codebuild:`region-ID`:`account-ID`:report-group/`report-group-name`

BatchGetReports

Action: codebuild:BatchGetReports

Required to get information about reports.

Resource: arn:aws:codebuild:`region-ID`:`account-ID`:report-group/`report-group-name`

BatchPutTestCases ¹

Action: codebuild:BatchPutTestCases

Required to create or update a test report.

Resource: arn:aws:codebuild:`region-ID`:`account-ID`:report-group/`report-group-name`

CreateProject

Actions: codebuild:CreateProject, iam:PassRole

Required to create build projects.

Resources:

CreateReport ¹

Action: codebuild:CreateReport

Required to create a test report.

Resource: arn:aws:codebuild:`region-ID`:`account-ID`:report-group/`report-group-name`

CreateReportGroup

Action: codebuild:CreateReportGroup

Required to create a report group.

Resource: arn:aws:codebuild:`region-ID`:`account-ID`:report-group/`report-group-name`

CreateWebhook

Action: codebuild:CreateWebhook

Required to create a webhook.

Resource: arn:aws:codebuild:`region-ID`:`account-ID`:project/`project-name`

DeleteProject

Action: codebuild:DeleteProject

Required to delete a CodeBuild project.

Resource: arn:aws:codebuild:`region-ID`:`account-ID`:project/`project-name`

DeleteReport

Action: codebuild:DeleteReport

Required to delete a report.

Resource: arn:aws:codebuild:`region-ID`:`account-ID`:report-group/`report-group-name`

DeleteReportGroup

Action: codebuild:DeleteReportGroup

Required to delete a report group.

Resource: arn:aws:codebuild:`region-ID`:`account-ID`:report-group/`report-group-name`

DeleteSourceCredentials

Action: codebuild:DeleteSourceCredentials

Required to delete a set of SourceCredentialsInfo objects that contain information about credentials for a GitHub, GitHub Enterprise Server, or Bitbucket repository.

Resource: *

DeleteWebhook

Action: codebuild:DeleteWebhook

Required to create a webhook.

Resource: arn:aws:codebuild:`region-ID`:`account-ID`:project/`project-name`

DescribeTestCases

Action: codebuild:DescribeTestCases

Required to return a paginated list of test cases.

Resource: arn:aws:codebuild:`region-ID`:`account-ID`:report-group/`report-group-name`

ImportSourceCredentials

Action: codebuild:ImportSourceCredentials

Required to import a set of SourceCredentialsInfo objects that contain information about credentials for a GitHub, GitHub Enterprise Server, or Bitbucket repository.

Resource: *

InvalidateProjectCache

Action: codebuild:InvalidateProjectCache

Required to reset the cache for a project.

Resource: arn:aws:codebuild:`region-ID`:`account-ID`:project/`project-name`

ListBuildBatches

Action: codebuild:ListBuildBatches

Required to get a list of build batch IDs.

Resource: *

ListBuildBatchesForProject

Action: codebuild:ListBuildBatchesForProject

Required to get a list of build batch IDs for a specific project.

Resource: arn:aws:codebuild:`region-ID`:`account-ID`:project/`project-name`

ListBuilds

Action: codebuild:ListBuilds

Required to get a list of build IDs.

Resource: *

ListBuildsForProject

Action: codebuild:ListBuildsForProject

Required to get a list of build IDs for a build project.

Resource: arn:aws:codebuild:`region-ID`:`account-ID`:project/`project-name`

ListCuratedEnvironmentImages

Action: codebuild:ListCuratedEnvironmentImages

Required to get information about all Docker images that are managed by AWS CodeBuild.

Resource: * (required, but does not refer to an addressable AWS resource)

ListProjects

Action: codebuild:ListProjects

Required to get a list of build project names.

Resource: *

ListReportGroups

Action: codebuild:ListReportGroups

Required to get a list of report groups.

Resource: *

ListReports

Action: codebuild:ListReports

Required to get a list of reports.

Resource: *

ListReportsForReportGroup

Action: codebuild:ListReportsForReportGroup

Required to get a list of reports for a report group.

Resource: arn:aws:codebuild:`region-ID`:`account-ID`:report-group/`report-group-name`

RetryBuild

Action: codebuild:RetryBuild

Required to retry builds.

Resource: arn:aws:codebuild:`region-ID`:`account-ID`:project/`project-name`

StartBuild

Action: codebuild:StartBuild

Required to start running builds.

Resource: arn:aws:codebuild:`region-ID`:`account-ID`:project/`project-name`

StopBuild

Action: codebuild:StopBuild

Required to attempt to stop running builds.

Resource: arn:aws:codebuild:`region-ID`:`account-ID`:project/`project-name`

UpdateProject

Actions: codebuild:UpdateProject, iam:PassRole

Required to change information about builds.

Resources:

UpdateProjectVisibility

Actions: codebuild:UpdateProjectVisibility, iam:PassRole

Required to change the public visibility of a project's builds.

Resources:

UpdateReport ¹

Action: codebuild:UpdateReport

Required to create or update a test report.

Resource: arn:aws:codebuild:`region-ID`:`account-ID`:report-group/`report-group-name`

UpdateReportGroup

Action: codebuild:UpdateReportGroup

Required to update a report group.

Resource: arn:aws:codebuild:`region-ID`:`account-ID`:report-group/`report-group-name`

UpdateWebhook

Action: codebuild:UpdateWebhook

Required to update a webhook.

Resource: arn:aws:codebuild:`region-ID`:`account-ID`:project/`project-name`

¹ Used for permission only. There is no API for this action.