Using IAM Roles on the AWS CodeBuild Desktop

Is there a way to provide IAM instance roles for use by the build process?

In my specific case, I need to perform some s3 operations during build (not related to archiving artifacts).

So far, the only alternative I have found is to add the aws key and the secret to the environment variables on the aws codebuild configuration page.

It would be safer to simply attach the IAM role to the ec2 instance or container that is building. Is this currently possible (2016-12)?

amazon-web-services aws-codepipeline aws-codebuild
1 answer

You should be able to attach any additional policy permissions to the service role created for your build project. CodeBuild uses this policy during the build to perform actions within the build instance.

For example, if you want to delete an object from S3 during the build, you need to add the following statement to your role policy:

    {
        "Effect": "Allow",
        "Resource": [ "*" ],
        "Action": [ "s3:DeleteObject" ]
    }

Note: You can restrict these permissions to specific resources; the above example allows DeleteObject on anything in your account.

If you used the first-run wizard in the CodeBuild console to configure your project, you should already have policies in your service role for s3:GetObject and s3:GetObjectVersion. The default service role name when creating through the console is "codebuild-[project name]-service-role".

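The answer's note about restricting the statement to specific resources is where the real risk sits: a `"Resource": ["*"]` grant on `s3:DeleteObject` lets a compromised build (or a malicious buildspec in a pull request) delete objects in every bucket the account owns. The following added example is not from the original answer; it builds a policy scoped to one bucket and prefix, lints a policy document for wildcard resources, and shows how the document would be attached to the service role with boto3. The bucket name, prefix and role name are constructed placeholders; `put_role_policy` is the real boto3 IAM call.

```python
"""Scope a CodeBuild service-role S3 policy to one bucket and lint it for wildcards.

Added example, not part of the original answer. Bucket, prefix and role name
below are constructed placeholders; substitute your own.
"""
import json

# Constructed sample values (assumptions, not from the page).
BUCKET = "example-build-inputs"
PREFIX = "builds/"
ROLE_NAME = "codebuild-my-project-service-role"  # follows the console naming pattern


def build_scoped_s3_policy(bucket, prefix=""):
    """Return a least-privilege policy document for S3 access during a build.

    Object-level actions (GetObject, GetObjectVersion, DeleteObject) are
    authorised against the object ARN (arn:aws:s3:::bucket/key), while
    ListBucket is authorised against the bucket ARN itself, so the two
    need separate statements.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    objects_arn = f"{bucket_arn}/{prefix}*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [bucket_arn],
                # Limit listing to the prefix the build actually needs.
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
            },
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:DeleteObject"],
                "Resource": [objects_arn],
            },
        ],
    }


def find_wildcard_resources(policy):
    """Return the indexes of Allow statements whose Resource includes '*'.

    Run this over any policy before attaching it to a build role; the
    statement from the answer above would be flagged.
    """
    flagged = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if "*" in resources:
            flagged.append(i)
    return flagged


def attach_inline_policy(role_name, policy, policy_name="codebuild-s3-scoped"):
    """Attach the policy to the service role as an inline policy.

    Needs AWS credentials with iam:PutRolePolicy; boto3 is imported here so
    the pure functions above run offline.
    """
    import boto3
    iam = boto3.client("iam")
    iam.put_role_policy(
        RoleName=role_name,
        PolicyName=policy_name,
        PolicyDocument=json.dumps(policy),
    )


if __name__ == "__main__":
    # The wildcard statement from the answer, as a dict.
    broad = {"Statement": [{"Effect": "Allow", "Resource": ["*"],
                            "Action": ["s3:DeleteObject"]}]}
    print("wildcard statements in broad policy:", find_wildcard_resources(broad))
    scoped = build_scoped_s3_policy(BUCKET, PREFIX)
    print(json.dumps(scoped, indent=2))
    print("wildcard statements in scoped policy:", find_wildcard_resources(scoped))
    # attach_inline_policy(ROLE_NAME, scoped)  # uncomment to apply with real credentials
```

Keeping the service role scoped this way also narrows what an attacker gains from environment variables leaked in build logs: the role only ever has the bucket and prefix the build needs, rather than the long-lived access key and secret the question describes placing in the project configuration.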
