AWS CodeBuild permissions reference
You can use AWS-wide condition keys in your AWS CodeBuild policies to express conditions. For a list, see Available Keys in the IAM User Guide.
You specify the actions in the policy's Action field. To specify an
action, use the codebuild: prefix followed by the API operation name (for
example, codebuild:CreateProject and
codebuild:StartBuild). To specify multiple actions in a single
statement, separate them with commas (for example, "Action": [
"codebuild:CreateProject", "codebuild:StartBuild" ]).
Using Wildcard Characters
You specify an ARN, with or without a wildcard character (*), as the resource value in
the policy's Resource field. You can use a wildcard to specify multiple
actions or resources. For example, codebuild:* specifies all CodeBuild actions
and codebuild:Batch* specifies all CodeBuild actions that begin with the word
Batch. The following example grants access to all build projects with
names that begin with my:
arn:aws:codebuild:us-east-2:123456789012:project/my*
CodeBuild API operations and required permissions for actions
- BatchDeleteBuilds
  Action: codebuild:BatchDeleteBuilds
  Required to delete builds.
  Resource: arn:aws:codebuild:region-ID:account-ID:project/project-name
- BatchGetBuilds
  Action: codebuild:BatchGetBuilds
  Required to get information about builds.
  Resource: arn:aws:codebuild:region-ID:account-ID:project/project-name
- BatchGetProjects
  Action: codebuild:BatchGetProjects
  Required to get information about build projects.
  Resource: arn:aws:codebuild:region-ID:account-ID:project/project-name
- BatchGetReportGroups
  Action: codebuild:BatchGetReportGroups
  Required to get information about report groups.
  Resource: arn:aws:codebuild:region-ID:account-ID:report-group/report-group-name
- BatchGetReports
  Action: codebuild:BatchGetReports
  Required to get information about reports.
  Resource: arn:aws:codebuild:region-ID:account-ID:report-group/report-group-name
- BatchPutTestCases ¹
  Action: codebuild:BatchPutTestCases
  Required to create or update a test report.
  Resource: arn:aws:codebuild:region-ID:account-ID:report-group/report-group-name
- CreateProject
  Actions: codebuild:CreateProject, iam:PassRole
  Required to create build projects.
  Resources:
  - arn:aws:codebuild:region-ID:account-ID:project/project-name
  - arn:aws:iam::account-ID:role/role-name
- CreateReport ¹
  Action: codebuild:CreateReport
  Required to create a test report.
  Resource: arn:aws:codebuild:region-ID:account-ID:report-group/report-group-name
- CreateReportGroup
  Action: codebuild:CreateReportGroup
  Required to create a report group.
  Resource: arn:aws:codebuild:region-ID:account-ID:report-group/report-group-name
- CreateWebhook
  Action: codebuild:CreateWebhook
  Required to create a webhook.
  Resource: arn:aws:codebuild:region-ID:account-ID:project/project-name
- DeleteProject
  Action: codebuild:DeleteProject
  Required to delete a CodeBuild project.
  Resource: arn:aws:codebuild:region-ID:account-ID:project/project-name
- DeleteReport
  Action: codebuild:DeleteReport
  Required to delete a report.
  Resource: arn:aws:codebuild:region-ID:account-ID:report-group/report-group-name
- DeleteReportGroup
  Action: codebuild:DeleteReportGroup
  Required to delete a report group.
  Resource: arn:aws:codebuild:region-ID:account-ID:report-group/report-group-name
- DeleteSourceCredentials
  Action: codebuild:DeleteSourceCredentials
  Required to delete a set of SourceCredentialsInfo objects that contain information about credentials for a GitHub, GitHub Enterprise Server, or Bitbucket repository.
  Resource: *
- DeleteWebhook
  Action: codebuild:DeleteWebhook
  Required to delete a webhook.
  Resource: arn:aws:codebuild:region-ID:account-ID:project/project-name
- DescribeTestCases
  Action: codebuild:DescribeTestCases
  Required to return a paginated list of test cases.
  Resource: arn:aws:codebuild:region-ID:account-ID:report-group/report-group-name
- ImportSourceCredentials
  Action: codebuild:ImportSourceCredentials
  Required to import a set of SourceCredentialsInfo objects that contain information about credentials for a GitHub, GitHub Enterprise Server, or Bitbucket repository.
  Resource: *
- InvalidateProjectCache
  Action: codebuild:InvalidateProjectCache
  Required to reset the cache for a project.
  Resource: arn:aws:codebuild:region-ID:account-ID:project/project-name
- ListBuildBatches
  Action: codebuild:ListBuildBatches
  Required to get a list of build batch IDs.
  Resource: *
- ListBuildBatchesForProject
  Action: codebuild:ListBuildBatchesForProject
  Required to get a list of build batch IDs for a specific project.
  Resource: arn:aws:codebuild:region-ID:account-ID:project/project-name
- ListBuilds
  Action: codebuild:ListBuilds
  Required to get a list of build IDs.
  Resource: *
- ListBuildsForProject
  Action: codebuild:ListBuildsForProject
  Required to get a list of build IDs for a build project.
  Resource: arn:aws:codebuild:region-ID:account-ID:project/project-name
- ListCuratedEnvironmentImages
  Action: codebuild:ListCuratedEnvironmentImages
  Required to get information about all Docker images that are managed by AWS CodeBuild.
  Resource: * (required, but does not refer to an addressable AWS resource)
- ListProjects
  Action: codebuild:ListProjects
  Required to get a list of build project names.
  Resource: *
- ListReportGroups
  Action: codebuild:ListReportGroups
  Required to get a list of report groups.
  Resource: *
- ListReports
  Action: codebuild:ListReports
  Required to get a list of reports.
  Resource: *
- ListReportsForReportGroup
  Action: codebuild:ListReportsForReportGroup
  Required to get a list of reports for a report group.
  Resource: arn:aws:codebuild:region-ID:account-ID:report-group/report-group-name
- RetryBuild
  Action: codebuild:RetryBuild
  Required to retry builds.
  Resource: arn:aws:codebuild:region-ID:account-ID:project/project-name
- StartBuild
  Action: codebuild:StartBuild
  Required to start running builds.
  Resource: arn:aws:codebuild:region-ID:account-ID:project/project-name
- StopBuild
  Action: codebuild:StopBuild
  Required to attempt to stop running builds.
  Resource: arn:aws:codebuild:region-ID:account-ID:project/project-name
- UpdateProject
  Actions: codebuild:UpdateProject, iam:PassRole
  Required to change information about builds.
  Resources:
  - arn:aws:codebuild:region-ID:account-ID:project/project-name
  - arn:aws:iam::account-ID:role/role-name
- UpdateProjectVisibility
  Actions: codebuild:UpdateProjectVisibility, iam:PassRole
  Required to change the public visibility of a project's builds.
  Resources:
  - arn:aws:codebuild:region-ID:account-ID:project/project-name
  - arn:aws:iam::account-ID:role/role-name
- UpdateReport ¹
  Action: codebuild:UpdateReport
  Required to create or update a test report.
  Resource: arn:aws:codebuild:region-ID:account-ID:report-group/report-group-name
- UpdateReportGroup
  Action: codebuild:UpdateReportGroup
  Required to update a report group.
  Resource: arn:aws:codebuild:region-ID:account-ID:report-group/report-group-name
- UpdateWebhook
  Action: codebuild:UpdateWebhook
  Required to update a webhook.
  Resource: arn:aws:codebuild:region-ID:account-ID:project/project-name
¹ Used for permission only. There is no API for this action.
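
The table above can be applied mechanically when reviewing a policy. The following Python check is an added example, not AWS code: it expands wildcard actions against a subset of the table and reports actions whose Resource is broader than the listed resource type or cannot match it. The names RESOURCE_TYPE, expand, arn_type and lint, and the SAMPLE policy, are constructed for illustration.

```python
import re

# Subset of the table above; "*" marks actions the table lists with Resource "*".
RESOURCE_TYPE = {
    "codebuild:BatchGetBuilds": "project",
    "codebuild:BatchGetReports": "report-group",
    "codebuild:CreateProject": "project",
    "codebuild:ListProjects": "*",
    "iam:PassRole": "role",
}

def expand(pattern):
    """Known actions matched by an IAM action pattern (* and ?, case-insensitive)."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return sorted(a for a in RESOURCE_TYPE if re.fullmatch(rx, a, re.I))

def arn_type(resource):
    """'project' for ...:project/my*; '*' when the type segment is not pinned."""
    parts = resource.split(":", 5)
    kind = parts[5].split("/", 1)[0] if len(parts) == 6 else "*"
    return "*" if "*" in kind or "?" in kind else kind

def as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)

def lint(policy):
    """Return (action, problem) pairs for the Allow statements of a policy dict."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        resources = as_list(stmt.get("Resource", []))
        types = {arn_type(r) for r in resources}
        for pattern in as_list(stmt.get("Action", [])):
            for action in expand(pattern):
                want = RESOURCE_TYPE[action]
                if want == "*" and "*" not in resources:
                    findings.append((action, "not granted: table lists Resource *"))
                elif want != "*" and "*" in types:
                    findings.append((action, f"over-broad: scope to a {want} ARN"))
                elif want != "*" and want not in types:
                    findings.append((action, f"not granted: needs a {want} ARN"))
    return findings

SAMPLE = {"Statement": [  # constructed policy for illustration
    {"Effect": "Allow", "Action": ["codebuild:Batch*", "codebuild:ListProjects"],
     "Resource": "arn:aws:codebuild:us-east-2:123456789012:project/my*"},
    {"Effect": "Allow", "Action": ["codebuild:CreateProject", "iam:PassRole"], "Resource": "*"},
]}
```

Calling lint(SAMPLE) flags the report-group and list actions that the project-scoped statement cannot grant, and the CreateProject and iam:PassRole grants on "*" that the table shows can be narrowed to a project ARN and a role ARN.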