chrismitchellonline

Create a Reusable IAM Role for AWS CodeBuild

2020-11-09

In this article we show how to create a reusable CodeBuild IAM role that can be used with all new CodeBuild Projects.

Update: This article was updated on December 17th, 2020 to address an error in code examples that included a hard coded AWS account ID.

CodeBuild IAM Requirements

Typically a CodeBuild project requires access to a limited set of AWS resources, including CodeBuild itself, S3, and CloudWatch Logs. The IAM policy below grants these default permissions and produces a role suitable for reuse in any new CodeBuild project.

IAM Trusted Entity

To create our IAM role for CodeBuild to use, first we must define a trusted entity for the role. The trusted entity (the role's trust policy) states which principal is allowed to assume the role; here that is the CodeBuild service. For CodeBuild this is what our trusted entity looks like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "codebuild.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Save this in a file named trusted-entity.json to use with our CLI command later.

IAM Permissions

Now we can define the permissions our CodeBuild projects need. This set of permissions is designed to fit most needs when using CodeBuild, but security best practice dictates that a role grants access only to the resources it actually needs. Modify these permissions to match your access needs:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": [
                "arn:aws:logs:your-region:your-aws-account-id:log-group:/aws/codebuild/*"
            ],
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:GetBucketAcl",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "codebuild:CreateReportGroup",
                "codebuild:CreateReport",
                "codebuild:UpdateReport",
                "codebuild:BatchPutTestCases",
                "codebuild:BatchPutCodeCoverages"
            ],
            "Resource": [
                "arn:aws:codebuild:your-region:your-aws-account-id:report-group/report-group-name-1"
            ]
        }
    ]
}

You will need to update the Resource section, replacing your region and your AWS account ID, so the permissions apply specifically to your account. Save this in a file called user-policy.json to use with the AWS CLI later.
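As an added example that is not part of the original article, the following Python check flags the placeholders still left in the policy above and the wildcard S3 Resource before the document is attached to the role. The region, account ID (123456789012) and report group name it fills in are constructed sample values, not real ones.

```python
import json

# Inline copy of the article's user-policy.json (constructed from the page),
# still carrying the placeholders the article tells you to replace.
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": ["arn:aws:logs:your-region:your-aws-account-id:log-group:/aws/codebuild/*"]},
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion",
                    "s3:GetBucketAcl", "s3:GetBucketLocation"],
         "Resource": ["*"]},
        {"Effect": "Allow",
         "Action": ["codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport",
                    "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages"],
         "Resource": ["arn:aws:codebuild:your-region:your-aws-account-id:report-group/report-group-name-1"]},
    ],
}

PLACEHOLDERS = ("your-region", "your-aws-account-id", "report-group-name-1")

def as_list(value):
    # IAM accepts a string or a list for Action/Resource; normalise to a list.
    return [value] if isinstance(value, str) else list(value or [])

def lint_policy(policy):
    """Return (statement_index, message) for Allow statements that still carry a
    placeholder or grant a wildcard Resource/Action."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action"))
        for res in as_list(stmt.get("Resource")):
            if res == "*":
                findings.append((i, f"wildcard Resource for {actions}"))
            findings += [(i, f"unreplaced placeholder {ph!r} in {res}")
                         for ph in PLACEHOLDERS if ph in res]
        findings += [(i, f"wildcard Action {a}") for a in actions if a == "*" or a.endswith(":*")]
    return findings

def fill_placeholders(policy, region, account_id, report_group):
    """Substitute the article's three placeholders; returns a new policy dict."""
    text = json.dumps(policy)
    for ph, val in zip(PLACEHOLDERS, (region, account_id, report_group)):
        text = text.replace(ph, val)
    return json.loads(text)
```

After filling in the placeholders, the only remaining finding is the S3 statement with Resource "*", which is the one the article asks you to narrow to the buckets your builds actually use.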

Create IAM Role

First we’ll create our role with the AWS CLI using our trusted entity document. Then attach our user permissions.

To create a new role named CodeBuildRole run the following AWS CLI command:

aws iam create-role --role-name CodeBuildRole --assume-role-policy-document file://trusted-entity.json

A successful call will return a JSON document describing your new role.

Attach Permissions

With our newly created role we can now attach our permission policy. I’ve called this policy CodeBuildPolicy:

aws iam put-role-policy --role-name CodeBuildRole --policy-name CodeBuildPolicy --policy-document file://user-policy.json

A successful call will be an empty response.

Conclusion

You should now be able to easily create a single CodeBuild project IAM role with the AWS CLI. This role should be reusable for all new CodeBuild projects. Questions or comments about this process? Drop a line in the comments below.
