AWS CodeBuild permissions reference
You can use AWS-wide condition keys in your AWS CodeBuild policies to express conditions. For a list, see Available Keys in the IAM User Guide.
You specify the actions in the policy's Action field. To specify an
action, use the codebuild: prefix followed by the API operation name (for
example, codebuild:CreateProject and
codebuild:StartBuild). To specify multiple actions in a single
statement, separate them with commas (for example, "Action": [
"codebuild:CreateProject", "codebuild:StartBuild" ]).
Using Wildcard Characters
You specify an ARN, with or without a wildcard character (*), as the resource value in
the policy's Resource field. You can use a wildcard to specify multiple
actions or resources. For example, codebuild:* specifies all CodeBuild actions
and codebuild:Batch* specifies all CodeBuild actions that begin with the word
Batch. The following example grants access to all build project with
names that begin with my:
arn:aws:codebuild:us-east-2:123456789012:project/my*CodeBuild API operations and required permissions for actions
- BatchDeleteBuilds
-
Action:
codebuild:BatchDeleteBuildsRequired to delete builds.
Resource:
arn:aws:codebuild:region-ID:account-ID:project/project-name - BatchGetBuilds
-
Action:
codebuild:BatchGetBuildsRequired to get information about builds.
Resource:
arn:aws:codebuild:region-ID:account-ID:project/project-name - BatchGetProjects
-
Action:
codebuild:BatchGetProjectsRequired to get information about build projects.
Resource:
arn:aws:codebuild:region-ID:account-ID:project/project-name - BatchGetReportGroups
-
Action:
codebuild:BatchGetReportGroupsRequired to get information about report groups.
Resource:
arn:aws:codebuild:region-ID:account-ID:report-group/report-group-name - BatchGetReports
-
Action:
codebuild:BatchGetReportsRequired to get information about reports.
Resource:
arn:aws:codebuild:region-ID:account-ID:report-group/report-group-name - BatchPutTestCases 1
-
Action:
codebuild:BatchPutTestCasesRequired to create or update a test report.
Resource:
arn:aws:codebuild:region-ID:account-ID:report-group/report-group-name - CreateProject
-
Actions:
codebuild:CreateProject,iam:PassRoleRequired to create build projects.
Resources:
-
arn:aws:codebuild:region-ID:account-ID:project/project-name -
arn:aws:iam::account-ID:role/role-name
-
- CreateReport 1
-
Action:
codebuild:CreateReportRequired to create a test report.
Resource:
arn:aws:codebuild:region-ID:account-ID:report-group/report-group-name - CreateReportGroup
-
Action:
codebuild:CreateReportGroupRequired to create a report group.
Resource:
arn:aws:codebuild:region-ID:account-ID:report-group/report-group-name - CreateWebhook
-
Action:
codebuild:CreateWebhookRequired to create a webhook.
Resource:
arn:aws:codebuild:region-ID:account-ID:project/project-name - DeleteProject
-
Action:
codebuild:DeleteProjectRequired to delete a CodeBuild project.
Resource:
arn:aws:codebuild:region-ID:account-ID:project/project-name - DeleteReport
-
Action:
codebuild:DeleteReportRequired to delete a report.
Resource:
arn:aws:codebuild:region-ID:account-ID:report-group/report-group-name - DeleteReportGroup
-
Action:
codebuild:DeleteReportGroupRequired to delete a report group.
Resource:
arn:aws:codebuild:region-ID:account-ID:report-group/report-group-name - DeleteSourceCredentials
-
Action:
codebuild:DeleteSourceCredentialsRequired to delete a set of
SourceCredentialsInfoobjects that contain information about credentials for a GitHub, GitHub Enterprise Server, or Bitbucket repository.Resource:
* - DeleteWebhook
-
Action:
codebuild:DeleteWebhookRequired to create a webhook.
Resource:
arn:aws:codebuild:region-ID:account-ID:project/project-name - DescribeTestCases
-
Action:
codebuild:DescribeTestCasesRequired to return a paginated list of test cases.
Resource:
arn:aws:codebuild:region-ID:account-ID:report-group/report-group-name - ImportSourceCredentials
-
Action:
codebuild:ImportSourceCredentialsRequired to import a set of
SourceCredentialsInfoobjects that contain information about credentials for a GitHub, GitHub Enterprise Server, or Bitbucket repository.Resource:
* - InvalidateProjectCache
-
Action:
codebuild:InvalidateProjectCacheRequired to reset the cache for a project.
Resource:
arn:aws:codebuild:region-ID:account-ID:project/project-name - ListBuildBatches
-
Action:
codebuild:ListBuildBatchesRequired to get a list of build batch IDs.
Resource:
* - ListBuildBatchesForProject
-
Action:
codebuild:ListBuildBatchesForProjectRequired to get a list of build batch IDs for a specific project.
Resource:
arn:aws:codebuild:region-ID:account-ID:project/project-name - ListBuilds
-
Action:
codebuild:ListBuildsRequired to get a list of build IDs.
Resource:
* - ListBuildsForProject
-
Action:
codebuild:ListBuildsForProjectRequired to get a list of build IDs for a build project.
Resource:
arn:aws:codebuild:region-ID:account-ID:project/project-name - ListCuratedEnvironmentImages
-
Action:
codebuild:ListCuratedEnvironmentImagesRequired to get information about all Docker images that are managed by AWS CodeBuild.
Resource:
*(required, but does not refer to an addressable AWS resource) - ListProjects
-
Action:
codebuild:ListProjectsRequired to get a list of build project names.
Resource:
* - ListReportGroups
-
Action:
codebuild:ListReportGroupsRequired to get a list of report groups.
Resource:
* - ListReports
-
Action:
codebuild:ListReportsRequired to get a list of reports.
Resource:
* - ListReportsForReportGroup
-
Action:
codebuild:ListReportsForReportGroupRequired to get a list of reports for a report group.
Resource:
arn:aws:codebuild:region-ID:account-ID:report-group/report-group-name - RetryBuild
-
Action:
codebuild:RetryBuildRequired to retry builds.
Resource:
arn:aws:codebuild:region-ID:account-ID:project/project-name - StartBuild
-
Action:
codebuild:StartBuildRequired to start running builds.
Resource:
arn:aws:codebuild:region-ID:account-ID:project/project-name - StopBuild
-
Action:
codebuild:StopBuildRequired to attempt to stop running builds.
Resource:
arn:aws:codebuild:region-ID:account-ID:project/project-name - UpdateProject
-
Actions:
codebuild:UpdateProject,iam:PassRoleRequired to change information about builds.
Resources:
-
arn:aws:codebuild:region-ID:account-ID:project/project-name -
arn:aws:iam::account-ID:role/role-name
-
- UpdateProjectVisibility
-
Actions:
codebuild:UpdateProjectVisibility,iam:PassRoleRequired to change the public visibility of a project's builds.
Resources:
-
arn:aws:codebuild:region-ID:account-ID:project/project-name -
arn:aws:iam::account-ID:role/role-name
-
- UpdateReport 1
-
Action:
codebuild:UpdateReportRequired to create or update a test report.
Resource:
arn:aws:codebuild:region-ID:account-ID:report-group/report-group-name - UpdateReportGroup
-
Action:
codebuild:UpdateReportGroupRequired to update a report group.
Resource:
arn:aws:codebuild:region-ID:account-ID:report-group/report-group-name - UpdateWebhook
-
Action:
codebuild:UpdateWebhookRequired to update a webhook.
Resource:
arn:aws:codebuild:region-ID:account-ID:project/project-name
1 Used for permission only. There is no API for this action.
Warning Javascript is disabled or is unavailable in your browser.
To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.