

# Identity and access management in AWS CodeBuild
<a name="auth-and-access-control"></a>

Access to AWS CodeBuild requires credentials. Those credentials must have permissions to access AWS resources, such as storing and retrieving build artifacts in S3 buckets and viewing Amazon CloudWatch Logs for builds. The following sections describe how you can use [AWS Identity and Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) (IAM) and CodeBuild to help secure access to your resources:

# Overview of managing access permissions to your AWS CodeBuild resources
<a name="auth-and-access-control-iam-access-control-identity-based"></a>

Every AWS resource is owned by an AWS account, and permissions to create or access a resource are governed by permissions policies. An account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles). 

**Note**  
An account administrator (or administrator user) is a user with administrator privileges. For more information, see [IAM Best Practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.

When you grant permissions, you decide who is getting the permissions, the resources they can access, and the actions that can be performed on those resources.

**Topics**
+ [AWS CodeBuild resources and operations](#arn-formats)
+ [Understanding resource ownership](#understanding-resource-ownership)
+ [Managing access to resources](#managing-access-resources)
+ [Specifying policy elements: Actions, effects, and principals](#actions-effects-principals)

## AWS CodeBuild resources and operations
<a name="arn-formats"></a>

In AWS CodeBuild, the primary resource is a build project. In a policy, you use an Amazon Resource Name (ARN) to identify the resource the policy applies to. Builds are also resources and have ARNs associated with them. For more information, see [Amazon Resource Names (ARN) and AWS Service Namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *Amazon Web Services General Reference*.


| Resource type | ARN format | 
| --- | --- | 
| Build project |  `arn:aws:codebuild:region-ID:account-ID:project/project-name`  | 
| Build |  `arn:aws:codebuild:region-ID:account-ID:build/build-ID`  | 
| Report group |  `arn:aws:codebuild:region-ID:account-ID:report-group/report-group-name`  | 
| Report |  `arn:aws:codebuild:region-ID:account-ID:report/report-ID`  | 
| Fleet |  `arn:aws:codebuild:region-ID:account-ID:fleet/fleet-ID`  | 
|  All CodeBuild resources  |  `arn:aws:codebuild:*`  | 
|  All CodeBuild resources owned by the specified account in the specified AWS Region  |  `arn:aws:codebuild:region-ID:account-ID:*`  | 

**Important**  
When using the reserved capacity feature, data cached on fleet instances, including source files, Docker layers, and cached directories specified in the buildspec, can be accessible to other projects within the same account. This is by design and allows projects within the same account to share fleet instances. Treat a fleet as a single trust boundary: if projects must not be able to read each other's sources or caches, run them on separate fleets.

**Note**  
Most AWS services treat a colon (:) or a forward slash (/) as the same character in ARNs. However, CodeBuild uses an exact match in resource patterns and rules. Be sure to use the correct characters when you create event patterns so that they match the ARN syntax in the resource.

For example, you can indicate a specific build project (*myBuildProject*) in your statement using its ARN as follows:

```
"Resource": "arn:aws:codebuild:us-east-2:123456789012:project/myBuildProject"
```

To specify all resources, or if an API action does not support ARNs, use the wildcard character (`*`) in the `Resource` element as follows:

```
"Resource": "*"
```

Some CodeBuild API actions accept multiple resources (for example, `BatchGetProjects`). To specify multiple resources in a single statement, separate their ARNs with commas, as follows:

```
"Resource": [
  "arn:aws:codebuild:us-east-2:123456789012:project/myBuildProject",
  "arn:aws:codebuild:us-east-2:123456789012:project/myOtherBuildProject"
]
```

CodeBuild provides a set of operations to work with the CodeBuild resources. For a list, see [AWS CodeBuild permissions reference](auth-and-access-control-permissions-reference.md).

## Understanding resource ownership
<a name="understanding-resource-ownership"></a>

The AWS account owns the resources that are created in the account, regardless of who created the resources. Specifically, the resource owner is the AWS account of the [principal entity](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html) (that is, the account root user, an IAM user, or an IAM role) that authenticates the resource creation request. The following examples illustrate how this works:
+ If you use the root user credentials of your AWS account to create a CodeBuild resource, your AWS account is the owner of that resource.
+ If you create an IAM user in your AWS account and grant that user permissions to create CodeBuild resources, the user can create CodeBuild resources. However, your AWS account, to which the user belongs, owns the CodeBuild resources.
+ If you create an IAM role in your AWS account with permissions to create CodeBuild resources, anyone who can assume the role can create CodeBuild resources. Your AWS account, to which the role belongs, owns the CodeBuild resources.

## Managing access to resources
<a name="managing-access-resources"></a>

A permissions policy describes who has access to which resources. 

**Note**  
This section discusses the use of IAM in AWS CodeBuild. It doesn't provide detailed information about the IAM service. For complete IAM documentation, see [What Is IAM?](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) in the *IAM User Guide*. For information about IAM policy syntax and descriptions, see [AWS IAM Policy Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.

Policies attached to an IAM identity are referred to as identity-based policies (IAM policies). Policies attached to a resource are referred to as resource-based policies. CodeBuild supports identity-based policies. It also supports resource-based policies for certain read-only APIs, for the purpose of sharing resources across accounts.

### Secure access to S3 buckets
<a name="secure-s3-buckets"></a>

We strongly recommend that you include the following permissions in your IAM role to verify that the S3 bucket associated with your CodeBuild project is owned by you or by someone you trust. These permissions are not included in AWS managed policies and roles; you must add them yourself. 
+  `s3:GetBucketAcl` 
+  `s3:GetBucketLocation` 

If the owner of an S3 bucket used by your project changes, verify that you still own the bucket and, if you do not, update the permissions in your IAM role. For more information, see [Allow users to interact with CodeBuild](setting-up-service-permissions-group.md) and [Allow CodeBuild to interact with other AWS services](setting-up-service-role.md). 
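As an added example of the ownership check this section recommends (it is not AWS code), the following Python function uses exactly `s3:GetBucketAcl` and `s3:GetBucketLocation` to confirm that a bucket's owner and Region are the ones the project expects before the bucket is used for artifacts, cache, or source. The S3 client is injected, so the block runs offline against the constructed `FakeS3` stand-in; the bucket names and canonical user IDs are placeholders. With a real client, pass `boto3.client("s3")`.

```python
"""Check that a bucket used by a CodeBuild project belongs to the expected
owner and sits in the expected Region.

Added example, not AWS code. It needs only the two permissions the section
recommends for the role: s3:GetBucketAcl (reports the bucket owner) and
s3:GetBucketLocation (reports its Region). The client is injected so the
check runs offline against the constructed FakeS3 below.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BucketCheck:
    bucket: str
    owner_id: str
    region: str
    owner_ok: bool
    region_ok: bool

    @property
    def ok(self) -> bool:
        return self.owner_ok and self.region_ok


def verify_bucket(s3, bucket: str, expected_owner_id: str,
                  expected_region: str) -> BucketCheck:
    """Compare the bucket's owner and Region with what the project expects.

    GetBucketAcl reports the owner as a canonical user ID (64 hex chars),
    not as the 12-digit account ID, so compare against the canonical ID.
    """
    acl = s3.get_bucket_acl(Bucket=bucket)
    owner_id = acl["Owner"]["ID"]
    loc = s3.get_bucket_location(Bucket=bucket)
    # S3 returns LocationConstraint = None for buckets in us-east-1; treat
    # that as us-east-1 instead of as a mismatch.
    region = loc.get("LocationConstraint") or "us-east-1"
    return BucketCheck(bucket, owner_id, region,
                       owner_id == expected_owner_id,
                       region == expected_region)


def verify_all(s3, buckets, expected_owner_id: str,
               expected_region: str) -> list:
    """Return the checks that failed; an empty list means every bucket passed."""
    failed = []
    for bucket in buckets:
        check = verify_bucket(s3, bucket, expected_owner_id, expected_region)
        if not check.ok:
            failed.append(check)
    return failed


# --- constructed offline stand-in for boto3's S3 client -----------------
TRUSTED_OWNER = "1111" * 16   # placeholder canonical user ID (64 hex chars)
OTHER_OWNER = "2222" * 16     # placeholder ID for somebody else's bucket


class FakeS3:
    """Mimics the two boto3 calls the check uses; data is made up."""
    _buckets = {
        "my-artifacts":        {"owner": TRUSTED_OWNER, "loc": "us-east-2"},
        "my-artifacts-legacy": {"owner": TRUSTED_OWNER, "loc": None},  # us-east-1
        "lookalike-artifacts": {"owner": OTHER_OWNER,   "loc": "us-east-2"},
    }

    def get_bucket_acl(self, Bucket):
        return {"Owner": {"ID": self._buckets[Bucket]["owner"]}, "Grants": []}

    def get_bucket_location(self, Bucket):
        return {"LocationConstraint": self._buckets[Bucket]["loc"]}


if __name__ == "__main__":
    for c in verify_all(FakeS3(), FakeS3._buckets, TRUSTED_OWNER, "us-east-2"):
        print(f"REJECT {c.bucket}: owner_ok={c.owner_ok} "
              f"region_ok={c.region_ok} (region={c.region})")
```

Get your own account's canonical user ID with `aws s3api list-buckets --query Owner.ID --output text`. The `LocationConstraint` value is `null` for buckets in `us-east-1`, so a check that compares it directly to a Region string would wrongly reject every bucket there; the code above maps it to `us-east-1` first.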

## Specifying policy elements: Actions, effects, and principals
<a name="actions-effects-principals"></a>

For each AWS CodeBuild resource, the service defines a set of API operations. To grant permissions for these API operations, CodeBuild defines a set of actions that you can specify in a policy. Some API operations can require permissions for more than one action in order to perform the API operation. For more information, see [AWS CodeBuild resources and operations](#arn-formats) and [AWS CodeBuild permissions reference](auth-and-access-control-permissions-reference.md).

The following are the basic policy elements:
+ **Resource** – You use an Amazon Resource Name (ARN) to identify the resource that the policy applies to.
+ **Action** – You use action keywords to identify resource operations you want to allow or deny. For example, the `codebuild:CreateProject` permission gives the user permissions to perform the `CreateProject` operation.
+ **Effect** – You specify the effect, either allow or deny, when the user requests the action. If you don't explicitly grant access to (allow) a resource, access is implicitly denied. You can also explicitly deny access to a resource. You might do this to make sure a user cannot access a resource, even if a different policy grants access.
+ **Principal** – In identity-based policies (IAM policies), the user the policy is attached to is the implicit principal. For resource-based policies, you specify the user, account, service, or other entity that you want to receive permissions.

To learn more about IAM policy syntax and descriptions, see [AWS IAM Policy Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.

For a table showing all of the CodeBuild API actions and the resources they apply to, see the [AWS CodeBuild permissions reference](auth-and-access-control-permissions-reference.md).

# Using identity-based policies for AWS CodeBuild
<a name="auth-and-access-control-iam-identity-based-access-control"></a>

This topic provides examples of identity-based policies that demonstrate how an account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles) and thereby grant permissions to perform operations on AWS CodeBuild resources.

**Important**  
We recommend that you first review the introductory topics that explain the basic concepts and options available to manage access to your CodeBuild resources. For more information, see [Overview of managing access permissions to your AWS CodeBuild resources](auth-and-access-control-iam-access-control-identity-based.md).

**Topics**
+ [Permissions required to use the AWS CodeBuild console](#console-permissions)
+ [Permissions required for AWS CodeBuild to connect to Amazon Elastic Container Registry](#ecr-policies)
+ [Permissions required for the AWS CodeBuild console to connect to source providers](#console-policies)
+ [AWS managed (predefined) policies for AWS CodeBuild](#managed-policies)
+ [CodeBuild managed policies and notifications](#notifications-permissions)
+ [CodeBuild updates to AWS managed policies](#security-iam-awsmanpol-updates)
+ [Customer-managed policy examples](#customer-managed-policies)

The following shows an example of a permissions policy that allows a user to get information about build projects only in the `us-east-2` Region of account `111122223333`, and only for build projects whose names start with `my`:

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:BatchGetProjects",
      "Resource": "arn:aws:codebuild:us-east-2:111122223333:project/my*"
    }
  ]
}
```

------
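As an added example (not AWS code, and not the IAM policy engine itself), the following Python evaluator applies the `Resource`, `Action`, and `Effect` rules from the preceding overview to the policy above: an explicit `Deny` wins, a matching `Allow` grants, and anything else is implicitly denied. Patterns use the IAM wildcards `*` and `?` and are otherwise compared character for character, so `:` and `/` are not interchangeable. `Condition`, `Principal`, `NotAction`, and `NotResource` are deliberately not modelled, and the `my-prod*` deny statement, the `ACCOUNT` prefix, and the test requests are constructed for the example.

```python
"""Offline evaluator for the Resource / Action / Effect rules described above.

Added example, not AWS code and not how IAM is implemented. Decision order
as documented: explicit Deny wins, then any matching Allow, otherwise
implicit deny. '*' matches any run of characters (including ':' and '/'),
'?' matches exactly one character, everything else must match exactly.
Action names are compared case-insensitively. Condition, Principal,
NotAction and NotResource are not modelled.
"""
import re
from typing import Union

PolicyValue = Union[str, list]


def _to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an IAM-style pattern into a regular expression."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))   # ':' and '/' stay literal
    return re.compile("".join(out), re.DOTALL)


def matches(pattern: str, value: str) -> bool:
    """True if the whole of `value` is matched by `pattern`."""
    return _to_regex(pattern).fullmatch(value) is not None


def _listify(value: PolicyValue) -> list:
    """Policy elements may be a single string/object or a list of them."""
    return value if isinstance(value, list) else [value]


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    allowed = False
    for stmt in _listify(policy.get("Statement", [])):
        action_hit = any(matches(p.lower(), action.lower())
                         for p in _listify(stmt.get("Action", [])))
        resource_hit = any(matches(p, resource)
                           for p in _listify(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"            # explicit deny is final
        if stmt.get("Effect") == "Allow":
            allowed = True           # keep scanning: a later Deny may still apply
    return "Allow" if allowed else "ImplicitDeny"


# Constructed test policy: the BatchGetProjects example from the page plus an
# explicit Deny on projects whose names start with "my-prod".
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "codebuild:BatchGetProjects",
            "Resource": "arn:aws:codebuild:us-east-2:111122223333:project/my*",
        },
        {
            "Effect": "Deny",
            "Action": "codebuild:*",
            "Resource": "arn:aws:codebuild:us-east-2:111122223333:project/my-prod*",
        },
    ],
}

ACCOUNT = "arn:aws:codebuild:us-east-2:111122223333:"   # constructed prefix

if __name__ == "__main__":
    for res in ("project/myBuildProject", "project/my-prod-api",
                "project/other", "build/myBuildProject:0123"):
        print(res, "->", evaluate(POLICY, "codebuild:BatchGetProjects", ACCOUNT + res))
```

The last request in the usage loop is worth noting: a build ARN (`build/myBuildProject:0123`) does not match a `project/my*` pattern even though the build belongs to a matching project, which is why policies on builds need their own `build/` resource patterns.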

## Permissions required to use the AWS CodeBuild console
<a name="console-permissions"></a>

A user who uses the AWS CodeBuild console must have a minimum set of permissions that allows the user to describe other AWS resources for the AWS account. You must have permissions from the following services:
+ AWS CodeBuild
+ Amazon CloudWatch
+ CodeCommit (if you are storing your source code in an AWS CodeCommit repository)
+ Amazon Elastic Container Registry (Amazon ECR) (if you are using a build environment that relies on a Docker image in an Amazon ECR repository)
**Note**  
As of July 26, 2022, the default IAM policy has been updated. For more information, see [Permissions required for AWS CodeBuild to connect to Amazon Elastic Container Registry](#ecr-policies).
+ Amazon Elastic Container Service (Amazon ECS) (if you are using a build environment that relies on a Docker image in an Amazon ECR repository)
+ AWS Identity and Access Management (IAM)
+ AWS Key Management Service (AWS KMS)
+ Amazon Simple Storage Service (Amazon S3)

If you create an IAM policy that is more restrictive than the minimum required permissions, the console won't function as intended.

## Permissions required for AWS CodeBuild to connect to Amazon Elastic Container Registry
<a name="ecr-policies"></a>

As of July 26, 2022, AWS CodeBuild has updated its default IAM policy for Amazon ECR permission. The following permissions have been removed from the default policy:

```
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload"
```

For CodeBuild projects that were created before July 26, 2022, we recommend you update your policy with the following Amazon ECR policy:

```
"Action": [
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage"
]
```

For more information on updating your policy, see [Allow users to interact with CodeBuild](setting-up-service-permissions-group.md).

## Permissions required for the AWS CodeBuild console to connect to source providers
<a name="console-policies"></a>

The AWS CodeBuild console uses the following API actions to connect to source providers (for example, GitHub repositories).
+ `codebuild:ListConnectedOAuthAccounts`
+ `codebuild:ListRepositories`
+ `codebuild:PersistOAuthToken`
+ `codebuild:ImportSourceCredentials`

You can associate source providers (such as GitHub repositories) with your build projects using the AWS CodeBuild console. To do this, you must first add the preceding API actions to IAM access policies associated with the user you use to access the AWS CodeBuild console.

The `ListConnectedOAuthAccounts`, `ListRepositories`, and `PersistOAuthToken` API actions are not intended to be called by your code. Therefore, these API actions are not included in the AWS CLI and AWS SDKs.

## AWS managed (predefined) policies for AWS CodeBuild
<a name="managed-policies"></a>

AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. These AWS managed policies grant necessary permissions for common use cases so you can avoid having to investigate what permissions are needed. The managed policies for CodeBuild also provide permissions to perform operations in other services, such as IAM, AWS CodeCommit, Amazon EC2, Amazon ECR, Amazon SNS, and Amazon CloudWatch Events, as required for the responsibilities of the users who have been granted the policy in question. For example, the `AWSCodeBuildAdminAccess` policy is an administrative-level user policy that allows users with this policy to create and manage CloudWatch Events rules for project builds and Amazon SNS topics for notifications about project-related events (topics whose names are prefixed with `arn:aws:codebuild:`), as well as administer projects and report groups in CodeBuild. For more information, see [AWS Managed Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

The following AWS managed policies, which you can attach to users in your account, are specific to AWS CodeBuild.

**AWSCodeBuildAdminAccess**  
Provides full access to CodeBuild, including permissions to administer CodeBuild build projects. 

**AWSCodeBuildDeveloperAccess**  
Provides access to CodeBuild but does not allow build project administration.

**AWSCodeBuildReadOnlyAccess**  
Provides read-only access to CodeBuild.

To access build output artifacts that CodeBuild creates, you must also attach the AWS managed policy named `AmazonS3ReadOnlyAccess`.

To create and manage CodeBuild service roles, you must also attach the AWS managed policy named `IAMFullAccess`. That policy grants far more than CodeBuild needs; where you can, scope a custom policy to the role-management actions your administrators actually use.

You can also create your own custom IAM policies to allow permissions for CodeBuild actions and resources. You can attach these custom policies to the users or groups that require those permissions.

**Topics**
+ [AWSCodeBuildAdminAccess](#admin-access-policy)
+ [AWSCodeBuildDeveloperAccess](#developer-access-policy)
+ [AWSCodeBuildReadOnlyAccess](#read-only-access-policy)

### AWSCodeBuildAdminAccess
<a name="admin-access-policy"></a>

The `AWSCodeBuildAdminAccess` policy provides full access to CodeBuild, including permissions to administer CodeBuild build projects. Apply this policy only to administrative-level users to grant them full control over CodeBuild projects, report groups, and related resources in your AWS account, including the ability to delete projects and report groups.

For the full managed policy, see [ AWSCodeBuildAdminAccess ](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSCodeBuildAdminAccess.html) in the IAM managed policy reference.

### AWSCodeBuildDeveloperAccess
<a name="developer-access-policy"></a>

The `AWSCodeBuildDeveloperAccess` policy allows access to all of the functionality of CodeBuild and project and report group-related resources. This policy does not allow users to delete CodeBuild projects or report groups, or related resources in other AWS services, such as CloudWatch Events. We recommend that you apply this policy to most users.

For the full managed policy, see [ AWSCodeBuildDeveloperAccess ](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSCodeBuildDeveloperAccess.html) in the IAM managed policy reference.

### AWSCodeBuildReadOnlyAccess
<a name="read-only-access-policy"></a>

The `AWSCodeBuildReadOnlyAccess` policy grants read-only access to CodeBuild and related resources in other AWS services. Apply this policy to users who can view and run builds, view projects, and view report groups, but cannot make any changes to them. 

For the full managed policy, see [ AWSCodeBuildReadOnlyAccess ](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSCodeBuildReadOnlyAccess.html) in the IAM managed policy reference.

## CodeBuild managed policies and notifications
<a name="notifications-permissions"></a>

CodeBuild supports notifications, which can notify users of important changes to build projects. Managed policies for CodeBuild include policy statements for notification functionality. For more information, see [What are notifications?](https://docs.aws.amazon.com/codestar-notifications/latest/userguide/welcome.html).

### Permissions related to notifications in read-only managed policies
<a name="notifications-readonly"></a>

The `AWSCodeBuildReadOnlyAccess` managed policy includes the following statements to allow read-only access to notifications. Users with this managed policy applied can view notifications for resources, but cannot create, manage, or subscribe to them. 

```
    {
        "Sid": "CodeStarNotificationsPowerUserAccess",
        "Effect": "Allow",
        "Action": [
            "codestar-notifications:DescribeNotificationRule"
        ],
        "Resource": "*",
        "Condition": {
            "ArnLike": {"codestar-notifications:NotificationsForResource": "arn:aws:codebuild:*:*:project/*"}
        }
    },
    {
        "Sid": "CodeStarNotificationsListAccess",
        "Effect": "Allow",
        "Action": [
            "codestar-notifications:ListNotificationRules",
            "codestar-notifications:ListEventTypes",
            "codestar-notifications:ListTargets"
        ],
        "Resource": "*"
    }
```

### Permissions related to notifications in other managed policies
<a name="notifications-otheraccess"></a>

The `AWSCodeBuildDeveloperAccess` managed policy includes the following statements to allow users to create, edit, and subscribe to notifications. Users cannot delete notification rules or manage tags for resources.

```
    {
        "Sid": "CodeStarNotificationsReadWriteAccess",
        "Effect": "Allow",
        "Action": [
            "codestar-notifications:CreateNotificationRule",
            "codestar-notifications:DescribeNotificationRule",
            "codestar-notifications:UpdateNotificationRule",
            "codestar-notifications:Subscribe",
            "codestar-notifications:Unsubscribe"
        ],
        "Resource": "*",
        "Condition": {
            "ArnLike": {"codestar-notifications:NotificationsForResource": "arn:aws:codebuild:*:*:project/*"}
        }
    },
    {
        "Sid": "CodeStarNotificationsListAccess",
        "Effect": "Allow",
        "Action": [
            "codestar-notifications:ListNotificationRules",
            "codestar-notifications:ListTargets",
            "codestar-notifications:ListTagsforResource",
            "codestar-notifications:ListEventTypes"
        ],
        "Resource": "*"
    },
    {
        "Sid": "SNSTopicListAccess",
        "Effect": "Allow",
        "Action": [
            "sns:ListTopics"
        ],
        "Resource": "*"
    },
    {
        "Sid": "CodeStarNotificationsChatbotAccess",
        "Effect": "Allow",
        "Action": [
            "chatbot:DescribeSlackChannelConfigurations",
            "chatbot:ListMicrosoftTeamsChannelConfigurations"
        ],
        "Resource": "*"
    }
```

For more information about IAM and notifications, see [Identity and Access Management for AWS CodeStar Notifications](https://docs.aws.amazon.com/codestar-notifications/latest/userguide/security-iam.html).

## CodeBuild updates to AWS managed policies
<a name="security-iam-awsmanpol-updates"></a>

View details about updates to AWS managed policies for CodeBuild since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on [AWS CodeBuild User Guide document history](history.md).




| Change | Description | Date | 
| --- | --- | --- | 
|  `AWSCodeBuildAdminAccess` and `AWSCodeBuildDeveloperAccess` – Update to existing policies  |  CodeBuild added the `ssmmessages:OpenDataChannel` permission to these policies to support Session Manager interactive build debugging. The `AWSCodeBuildAdminAccess` and `AWSCodeBuildDeveloperAccess` policies now include the `ssmmessages:OpenDataChannel` action for Session Manager session resources (`arn:aws:ssm:*:*:session/*`) to support SigV4 enforcement on this WebSocket API.  | December 1, 2025 | 
|  `AWSCodeBuildAdminAccess`, `AWSCodeBuildDeveloperAccess`, and `AWSCodeBuildReadOnlyAccess` – Update to existing policies  |  CodeBuild updated a resource in these policies. The `AWSCodeBuildAdminAccess`, `AWSCodeBuildDeveloperAccess`, and `AWSCodeBuildReadOnlyAccess` policies have been changed to narrow an existing resource. The original resource `arn:aws:codebuild:*` has been updated to `arn:aws:codebuild:*:*:project/*`.  | November 15, 2024 | 
|  `AWSCodeBuildAdminAccess`, `AWSCodeBuildDeveloperAccess`, and `AWSCodeBuildReadOnlyAccess` – Update to existing policies  |  CodeBuild added a resource to these policies to support the AWS CodeConnections rebranding. The `AWSCodeBuildAdminAccess`, `AWSCodeBuildDeveloperAccess`, and `AWSCodeBuildReadOnlyAccess` policies have been changed to add a resource, `arn:aws:codeconnections:*:*:*`.  | April 18, 2024 | 
|  `AWSCodeBuildAdminAccess` and `AWSCodeBuildDeveloperAccess` – Update to existing policies  |  CodeBuild added a permission to these policies to support an additional notification type using Amazon Q Developer in chat applications. The `AWSCodeBuildAdminAccess` and `AWSCodeBuildDeveloperAccess` policies have been changed to add a permission, `chatbot:ListMicrosoftTeamsChannelConfigurations`.  | May 16, 2023 | 
|  CodeBuild started tracking changes  |  CodeBuild started tracking changes for its AWS managed policies.  | May 16, 2021 | 

## Customer-managed policy examples
<a name="customer-managed-policies"></a>

In this section, you can find example user policies that grant permissions for AWS CodeBuild actions. These policies work when you are using the CodeBuild API, AWS SDKs, or AWS CLI. When you are using the console, you must grant additional, console-specific permissions. For information, see [Permissions required to use the AWS CodeBuild console](#console-permissions).

You can use the following sample IAM policies to limit CodeBuild access for your users and roles.

**Topics**
+ [Allow a user to get information about build projects](#customer-managed-policies-example-batch-get-projects)
+ [Allow a user to get information about fleets](#customer-managed-policies-get-information-about-fleets)
+ [Allow a user to get information about report groups](#customer-managed-policies-get-information-about-report-group)
+ [Allow a user to get information about reports](#customer-managed-policies-get-information-about-reports)
+ [Allow a user to create build projects](#customer-managed-policies-example-create-project)
+ [Allow a user to create a fleet](#customer-managed-policies-example-create-fleet)
+ [Allow a user to create a report group](#customer-managed-policies-example-create-report-group)
+ [Allow a user to delete a fleet](#customer-managed-policies-example-delete-fleet)
+ [Allow a user to delete a report group](#customer-managed-policies-example-delete-report-group)
+ [Allow a user to delete a report](#customer-managed-policies-example-delete-report)
+ [Allow a user to delete build projects](#customer-managed-policies-example-delete-project)
+ [Allow a user to get a list of build project names](#customer-managed-policies-example-list-projects)
+ [Allow a user to change information about build projects](#customer-managed-policies-example-update-project)
+ [Allow a user to change a fleet](#customer-managed-policies-example-change-fleet)
+ [Allow a user to change a report group](#customer-managed-policies-example-change-report-group)
+ [Allow a user to get information about builds](#customer-managed-policies-example-batch-get-builds)
+ [Allow a user to get a list of build IDs for a build project](#customer-managed-policies-example-list-builds-for-project)
+ [Allow a user to get a list of build IDs](#customer-managed-policies-example-list-builds)
+ [Allow a user to get a list of fleets](#customer-managed-policies-example-get-list-of-fleets)
+ [Allow a user to get a list of report groups](#customer-managed-policies-example-get-list-of-report-groups)
+ [Allow a user to get a list of reports](#customer-managed-policies-example-get-list-of-reports)
+ [Allow a user to get a list of reports for a report group](#customer-managed-policies-example-get-list-of-reports-for-report-group)
+ [Allow a user to get a list of test cases for a report](#customer-managed-policies-example-get-list-of-test-cases-for-report)
+ [Allow a user to start running builds](#customer-managed-policies-example-start-build)
+ [Allow a user to attempt to stop builds](#customer-managed-policies-example-stop-build)
+ [Allow a user to attempt to delete builds](#customer-managed-policies-example-delete-builds)
+ [Allow a user to get information about Docker images that are managed by CodeBuild](#customer-managed-policies-example-list-curated-environment-images)
+ [Allow a user to add a permission policy for a fleet service role](#customer-managed-policies-example-permission-policy-fleet-service-role)
+ [Allow CodeBuild access to AWS services required to create a VPC network interface](#customer-managed-policies-example-create-vpc-network-interface)
+ [Use a deny statement to prevent AWS CodeBuild from disconnecting from source providers](#customer-managed-policies-example-deny-disconnect)

### Allow a user to get information about build projects
<a name="customer-managed-policies-example-batch-get-projects"></a>

The following example policy statement allows a user to get information about build projects in the `us-east-2` Region of account `111122223333`, but only for build projects whose names start with `my`:

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:BatchGetProjects",
      "Resource": "arn:aws:codebuild:us-east-2:111122223333:project/my*"
    }
  ]
}
```

------

### Allow a user to get information about fleets
<a name="customer-managed-policies-get-information-about-fleets"></a>

The following example policy statement allows a user to get information about fleets in the `us-east-2` Region of account `111122223333`:

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:BatchGetFleets",
      "Resource": "arn:aws:codebuild:us-east-2:111122223333:fleet/*"
    }
  ]
}
```

------

### Allow a user to get information about report groups
<a name="customer-managed-policies-get-information-about-report-group"></a>

The following example policy statement allows a user to get information about report groups in the `us-east-2` Region of account `111122223333`:

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:BatchGetReportGroups",
      "Resource": "arn:aws:codebuild:us-east-2:111122223333:report-group/*"
    }
  ]
}
```

------

### Allow a user to get information about reports
<a name="customer-managed-policies-get-information-about-reports"></a>

The following example policy statement allows a user to get information about reports in the `us-east-2` Region of account `111122223333`. Note that `BatchGetReports` is authorized against the report group ARN, not the individual report ARN:

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:BatchGetReports",
      "Resource": "arn:aws:codebuild:us-east-2:111122223333:report-group/*"
    }
  ]
}
```

------

### Allow a user to create build projects
<a name="customer-managed-policies-example-create-project"></a>

The following example policy statement allows a user to create build projects with any name, but only in the `us-east-2` Region of account `111122223333` and only using the specified CodeBuild service role. The `iam:PassRole` statement is required because `CreateProject` hands the service role to CodeBuild; without it the call is denied:

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:CreateProject",
      "Resource": "arn:aws:codebuild:us-east-2:111122223333:project/*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::111122223333:role/CodeBuildServiceRole"
    }
  ]
}
```

------

The following example policy statement allows a user to create build projects with any name, but only in the `us-east-2` Region of account `111122223333` and only using the specified CodeBuild service role. The `iam:PassedToService` condition additionally ensures that the role can be passed only to AWS CodeBuild, so the same `iam:PassRole` permission cannot be reused to hand the role to a different AWS service:

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:CreateProject",
      "Resource": "arn:aws:codebuild:us-east-2:111122223333:project/*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::111122223333:role/CodeBuildServiceRole",
      "Condition": {
          "StringEquals": {"iam:PassedToService": "codebuild.amazonaws.com"}
      }
    }
  ]
}
```

------

### Allow a user to create a fleet
<a name="customer-managed-policies-example-create-fleet"></a>

The following example policy statement allows a user to create a fleet in the `us-east-2` Region of account `111122223333`:

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:CreateFleet",
      "Resource": "arn:aws:codebuild:us-east-2:111122223333:fleet/*"
    }
  ]
}
```

------

### Allow a user to create a report group
<a name="customer-managed-policies-example-create-report-group"></a>

The following example policy statement allows a user to create a report group in the `us-east-2` Region of account `111122223333`:

------
#### [ JSON ]

****  

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:CreateReportGroup",
      "Resource": "arn:aws:codebuild:us-east-2:111122223333:report-group/*"
    }
  ]
}
```

------

### Allow a user to delete a fleet
<a name="customer-managed-policies-example-delete-fleet"></a>

The following example policy statement allows a user to delete a fleet in the `us-east-2` Region for account `123456789012`:

------
#### [ JSON ]

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:DeleteFleet",
      "Resource": "arn:aws:codebuild:us-east-2:111122223333:fleet/*"
    }
  ]
}
```

------

### Allow a user to delete a report group
<a name="customer-managed-policies-example-delete-report-group"></a>

The following example policy statement allows a user to delete a report group in the `us-east-2` Region for account `123456789012`:

------
#### [ JSON ]

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:DeleteReportGroup",
      "Resource": "arn:aws:codebuild:us-east-2:111122223333:report-group/*"
    }
  ]
}
```

------

### Allow a user to delete a report
<a name="customer-managed-policies-example-delete-report"></a>

The following example policy statement allows a user to delete a report in the `us-east-2` Region for account `123456789012`:

------
#### [ JSON ]

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:DeleteReport",
      "Resource": "arn:aws:codebuild:us-east-2:111122223333:report-group/*"
    }
  ]
}
```

------

### Allow a user to delete build projects
<a name="customer-managed-policies-example-delete-project"></a>

The following example policy statement allows a user to delete build projects in the `us-east-2` Region for account `123456789012` for any build project that starts with the name `my`:

------
#### [ JSON ]

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:DeleteProject",
      "Resource": "arn:aws:codebuild:us-east-2:111122223333:project/my*"
    }
  ]
}
```

------

### Allow a user to get a list of build project names
<a name="customer-managed-policies-example-list-projects"></a>

The following example policy statement allows a user to get a list of build project names for the same account:

------
#### [ JSON ]

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:ListProjects",
      "Resource": "*"
    }
  ]
}
```

------

### Allow a user to change information about build projects
<a name="customer-managed-policies-example-update-project"></a>

The following example policy statement allows a user to change information about build projects with any name but only in the `us-east-2` Region for account `123456789012` and only using the specified AWS CodeBuild service role:

------
#### [ JSON ]

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:UpdateProject",
      "Resource": "arn:aws:codebuild:us-east-2:111122223333:project/*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::111122223333:role/CodeBuildServiceRole"
    }
  ]
}
```

------

### Allow a user to change a fleet
<a name="customer-managed-policies-example-change-fleet"></a>

The following example policy statement allows a user to change a fleet in the `us-east-2` Region for account `123456789012`:

------
#### [ JSON ]

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:UpdateFleet",
      "Resource": "arn:aws:codebuild:us-east-2:111122223333:fleet/*"
    }
  ]
}
```

------

### Allow a user to change a report group
<a name="customer-managed-policies-example-change-report-group"></a>

The following example policy statement allows a user to change a report group in the `us-east-2` Region for account `123456789012`:

------
#### [ JSON ]

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:UpdateReportGroup",
      "Resource": "arn:aws:codebuild:us-east-2:111122223333:report-group/*"
    }
  ]
}
```

------

### Allow a user to get information about builds
<a name="customer-managed-policies-example-batch-get-builds"></a>

The following example policy statement allows a user to get information about builds in the `us-east-2` Region for account `123456789012` for the build projects named `my-build-project` and `my-other-build-project`:

------
#### [ JSON ]

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:BatchGetBuilds",
      "Resource": [
        "arn:aws:codebuild:us-east-2:111122223333:project/my-build-project",
        "arn:aws:codebuild:us-east-2:111122223333:project/my-other-build-project"
      ]
    }
  ]
}
```

------

### Allow a user to get a list of build IDs for a build project
<a name="customer-managed-policies-example-list-builds-for-project"></a>

The following example policy statement allows a user to get a list of build IDs in the `us-east-2` Region for account `123456789012` for the build projects named `my-build-project` and `my-other-build-project`:

------
#### [ JSON ]

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:ListBuildsForProject",
      "Resource": [
        "arn:aws:codebuild:us-east-2:111122223333:project/my-build-project",
        "arn:aws:codebuild:us-east-2:111122223333:project/my-other-build-project"
      ]
    }
  ]
}
```

------

### Allow a user to get a list of build IDs
<a name="customer-managed-policies-example-list-builds"></a>

The following example policy statement allows a user to get a list of all build IDs for the same account:

------
#### [ JSON ]

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:ListBuilds",
      "Resource": "*"
    }
  ]
}
```

------

### Allow a user to get a list of fleets
<a name="customer-managed-policies-example-get-list-of-fleets"></a>

The following example policy statement allows a user to get a list of fleets in the `us-east-2` Region for account `123456789012`:

------
#### [ JSON ]

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:ListFleets",
      "Resource": "*"
    }
  ]
}
```

------

### Allow a user to get a list of report groups
<a name="customer-managed-policies-example-get-list-of-report-groups"></a>

The following example policy statement allows a user to get a list of report groups in the `us-east-2` Region for account `123456789012`:

------
#### [ JSON ]

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:ListReportGroups",
      "Resource": "*"
    }
  ]
}
```

------

### Allow a user to get a list of reports
<a name="customer-managed-policies-example-get-list-of-reports"></a>

The following example policy statement allows a user to get a list of reports in the `us-east-2` Region for account `123456789012`:

------
#### [ JSON ]

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:ListReports",
      "Resource": "*"
    }
  ]
}
```

------

### Allow a user to get a list of reports for a report group
<a name="customer-managed-policies-example-get-list-of-reports-for-report-group"></a>

The following example policy statement allows a user to get a list of reports for a report group in the `us-east-2` Region for account `123456789012`:

------
#### [ JSON ]

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:ListReportsForReportGroup",
      "Resource": "arn:aws:codebuild:us-east-2:111122223333:report-group/*"
    }
  ]
}
```

------

### Allow a user to get a list of test cases for a report
<a name="customer-managed-policies-example-get-list-of-test-cases-for-report"></a>

The following example policy statement allows a user to get a list of test cases for a report in the `us-east-2` Region for account `123456789012`:

------
#### [ JSON ]

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:DescribeTestCases",
      "Resource": "arn:aws:codebuild:us-east-2:111122223333:report-group/*"
    }
  ]
}
```

------

### Allow a user to start running builds
<a name="customer-managed-policies-example-start-build"></a>

The following example policy statement allows a user to run builds in the `us-east-2` Region for account `123456789012` for a build project that starts with the name `my`:

------
#### [ JSON ]

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:StartBuild",
      "Resource": "arn:aws:codebuild:us-east-2:111122223333:project/my*"
    }
  ]
}
```

------

### Allow a user to attempt to stop builds
<a name="customer-managed-policies-example-stop-build"></a>

The following example policy statement allows a user to attempt to stop running builds only in the `us-east-2` Region for account `123456789012` for any build project that starts with the name `my`:

------
#### [ JSON ]

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:StopBuild",
      "Resource": "arn:aws:codebuild:us-east-2:111122223333:project/my*"
    }
  ]
}
```

------

### Allow a user to attempt to delete builds
<a name="customer-managed-policies-example-delete-builds"></a>

The following example policy statement allows a user to attempt to delete builds only in the `us-east-2` Region for account `123456789012` for any build project that starts with the name `my`:

------
#### [ JSON ]

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:BatchDeleteBuilds",
      "Resource": "arn:aws:codebuild:us-east-2:111122223333:project/my*"
    }
  ]
}
```

------

### Allow a user to get information about Docker images that are managed by CodeBuild
<a name="customer-managed-policies-example-list-curated-environment-images"></a>

The following example policy statement allows a user to get information about all Docker images that are managed by CodeBuild:

------
#### [ JSON ]

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "codebuild:ListCuratedEnvironmentImages",
      "Resource": "*"
    }
  ]
}
```

------

### Allow a user to add a permission policy for a fleet service role
<a name="customer-managed-policies-example-permission-policy-fleet-service-role"></a>

The following example permissions policy statement provides the VPC permissions for a fleet service role:

------
#### [ JSON ]

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CodeBuildFleetVpcCreateNI",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface"
            ],
            "Resource": [
                "arn:aws:ec2:us-west-2:111122223333:subnet/subnet-id-1",
                "arn:aws:ec2:us-west-2:111122223333:security-group/security-group-id-1",
                "arn:aws:ec2:us-west-2:111122223333:network-interface/*"
            ]
        },
        {
            "Sid": "CodeBuildFleetVpcPermission",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:DeleteNetworkInterface"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CodeBuildFleetVpcNIPermission",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterfacePermission"
            ],
            "Resource": "arn:aws:ec2:us-west-2:111122223333:network-interface/*",
            "Condition": {
                "StringEquals": {
                    "ec2:Subnet": [
                        "arn:aws:ec2:us-west-2:111122223333:subnet/subnet-id-1"
                    ]
                }
            }
        }
    ]
}
```

------

The following example permissions policy statement provides the custom Amazon Machine Image (AMI) permission for a fleet service role:

------
#### [ JSON ]

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:DescribeImages",
            "Resource": "*"
        } 
    ]
}
```

------

The following example trust policy statement allows the CodeBuild service to assume the fleet service role, limited to requests from the account given in `aws:SourceAccount`:

------
#### [ JSON ]

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CodeBuildFleetVPCTrustPolicy",
      "Effect": "Allow",
      "Principal": {
        "Service": "codebuild.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111122223333"
        }
      }
    }
  ]
}
```

------

### Allow CodeBuild access to AWS services required to create a VPC network interface
<a name="customer-managed-policies-example-create-vpc-network-interface"></a>

The following example policy statement grants AWS CodeBuild permission to create a network interface in a VPC with two subnets:

------
#### [ JSON ]

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeVpcs"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterfacePermission"
            ],
            "Resource": "arn:aws:ec2:us-west-2:111122223333:network-interface/*",
            "Condition": {
                "StringEquals": {
                    "ec2:AuthorizedService": "codebuild.amazonaws.com"
                },
                "ArnEquals": {
                    "ec2:Subnet": [
                        "arn:aws:ec2:us-west-2:111122223333:subnet/subnet-id-1",
                        "arn:aws:ec2:us-west-2:111122223333:subnet/subnet-id-2"
                    ]
                }
            }
        }
    ]
}
```

------

### Use a deny statement to prevent AWS CodeBuild from disconnecting from source providers
<a name="customer-managed-policies-example-deny-disconnect"></a>

The following example policy statement uses a deny statement to prevent AWS CodeBuild from disconnecting from source providers. It denies `codebuild:DeleteOAuthToken`, the inverse of the `codebuild:PersistOAuthToken` and `codebuild:ImportSourceCredentials` actions that are used to connect with source providers. For more information, see [Permissions required for the AWS CodeBuild console to connect to source providers](#console-policies).

------
#### [ JSON ]

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "codebuild:DeleteOAuthToken",
      "Resource": "*"
    }
  ]
}
```

------

# AWS CodeBuild permissions reference
<a name="auth-and-access-control-permissions-reference"></a>

You can use AWS-wide condition keys in your AWS CodeBuild policies to express conditions. For a list, see [Available Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#AvailableKeys) in the *IAM User Guide*.

You specify the actions in the policy's `Action` field. To specify an action, use the `codebuild:` prefix followed by the API operation name (for example, `codebuild:CreateProject` and `codebuild:StartBuild`). To specify multiple actions in a single statement, separate them with commas (for example, `"Action": [ "codebuild:CreateProject", "codebuild:StartBuild" ]`).

**Using Wildcard Characters**

You specify an ARN, with or without a wildcard character (`*`), as the resource value in the policy's `Resource` field. You can use a wildcard to specify multiple actions or resources. For example, `codebuild:*` specifies all CodeBuild actions and `codebuild:Batch*` specifies all CodeBuild actions that begin with the word `Batch`. The following example grants access to all build projects with names that begin with `my`:

```
arn:aws:codebuild:us-east-2:123456789012:project/my*
```

<a name="actions-related-to-objects-table"></a>

**CodeBuild API operations and required permissions for actions**

BatchDeleteBuilds  
 **Action:** `codebuild:BatchDeleteBuilds`   
Required to delete builds.  
 **Resource:** `arn:aws:codebuild:region-ID:account-ID:project/project-name ` 

BatchGetBuilds  
 **Action:** `codebuild:BatchGetBuilds`   
Required to get information about builds.  
 **Resource:** `arn:aws:codebuild:region-ID:account-ID:project/project-name ` 

BatchGetProjects  
 **Action:** `codebuild:BatchGetProjects`   
Required to get information about build projects.  
 **Resource:** `arn:aws:codebuild:region-ID:account-ID:project/project-name ` 

BatchGetReportGroups  
 **Action:** `codebuild:BatchGetReportGroups`   
Required to get information about report groups.  
 **Resource:** `arn:aws:codebuild:region-ID:account-ID:report-group/report-group-name ` 

BatchGetReports  
 **Action:** `codebuild:BatchGetReports`   
Required to get information about reports.  
 **Resource:** `arn:aws:codebuild:region-ID:account-ID:report-group/report-group-name ` 

BatchPutTestCases ¹  
 **Action:** `codebuild:BatchPutTestCases`   
Required to create or update a test report.  
 **Resource:** `arn:aws:codebuild:region-ID:account-ID:report-group/report-group-name ` 

CreateProject  
 **Actions:** `codebuild:CreateProject`, `iam:PassRole`   
Required to create build projects.  
 **Resources:**   
+  `arn:aws:codebuild:region-ID:account-ID:project/project-name ` 
+  `arn:aws:iam::account-ID:role/role-name ` 

CreateReport ¹  
 **Action:** `codebuild:CreateReport`   
Required to create a test report.  
 **Resource:** `arn:aws:codebuild:region-ID:account-ID:report-group/report-group-name ` 

CreateReportGroup  
 **Action:** `codebuild:CreateReportGroup`   
Required to create a report group.  
 **Resource:** `arn:aws:codebuild:region-ID:account-ID:report-group/report-group-name ` 

CreateWebhook  
 **Action:** `codebuild:CreateWebhook`   
Required to create a webhook.  
 **Resource:** `arn:aws:codebuild:region-ID:account-ID:project/project-name ` 

DeleteProject  
 **Action:** `codebuild:DeleteProject`   
Required to delete a CodeBuild project.  
 **Resource:** `arn:aws:codebuild:region-ID:account-ID:project/project-name ` 

DeleteReport  
 **Action:** `codebuild:DeleteReport`   
Required to delete a report.  
 **Resource:** `arn:aws:codebuild:region-ID:account-ID:report-group/report-group-name ` 

DeleteReportGroup  
 **Action:** `codebuild:DeleteReportGroup`   
Required to delete a report group.  
 **Resource:** `arn:aws:codebuild:region-ID:account-ID:report-group/report-group-name ` 

DeleteSourceCredentials  
 **Action:** `codebuild:DeleteSourceCredentials`   
Required to delete a set of `SourceCredentialsInfo` objects that contain information about credentials for a GitHub, GitHub Enterprise Server, or Bitbucket repository.   
 **Resource:** `*` 

DeleteWebhook  
 **Action:** `codebuild:DeleteWebhook`   
Required to delete a webhook.  
 **Resource:** `arn:aws:codebuild:region-ID:account-ID:project/project-name ` 

DescribeTestCases  
 **Action:** `codebuild:DescribeTestCases`   
Required to return a paginated list of test cases.  
 **Resource:** `arn:aws:codebuild:region-ID:account-ID:report-group/report-group-name ` 

ImportSourceCredentials  
 **Action:** `codebuild:ImportSourceCredentials`   
Required to import a set of `SourceCredentialsInfo` objects that contain information about credentials for a GitHub, GitHub Enterprise Server, or Bitbucket repository.   
 **Resource:** `*` 

InvalidateProjectCache  
 **Action:** `codebuild:InvalidateProjectCache`   
Required to reset the cache for a project.  
 **Resource:** `arn:aws:codebuild:region-ID:account-ID:project/project-name ` 

ListBuildBatches  
 **Action:** `codebuild:ListBuildBatches`   
Required to get a list of build batch IDs.  
 **Resource:** `*` 

ListBuildBatchesForProject  
 **Action:** `codebuild:ListBuildBatchesForProject`   
Required to get a list of build batch IDs for a specific project.  
 **Resource:** `arn:aws:codebuild:region-ID:account-ID:project/project-name` 

ListBuilds  
 **Action:** `codebuild:ListBuilds`   
Required to get a list of build IDs.  
 **Resource:** `*` 

ListBuildsForProject  
 **Action:** `codebuild:ListBuildsForProject`   
Required to get a list of build IDs for a build project.  
 **Resource:** `arn:aws:codebuild:region-ID:account-ID:project/project-name ` 

ListCuratedEnvironmentImages  
 **Action:** `codebuild:ListCuratedEnvironmentImages`   
Required to get information about all Docker images that are managed by AWS CodeBuild.   
 **Resource:** `*` (required, but does not refer to an addressable AWS resource) 

ListProjects  
 **Action:** `codebuild:ListProjects`   
Required to get a list of build project names.  
 **Resource:** `*` 

ListReportGroups  
 **Action:** `codebuild:ListReportGroups`   
Required to get a list of report groups.  
 **Resource:** `*` 

ListReports  
 **Action:** `codebuild:ListReports`   
Required to get a list of reports.  
 **Resource:** `*` 

ListReportsForReportGroup  
 **Action:** `codebuild:ListReportsForReportGroup`   
Required to get a list of reports for a report group.  
 **Resource:** `arn:aws:codebuild:region-ID:account-ID:report-group/report-group-name ` 

RetryBuild  
**Action:** `codebuild:RetryBuild`   
Required to retry builds.  
**Resource:** `arn:aws:codebuild:region-ID:account-ID:project/project-name `

StartBuild  
 **Action:** `codebuild:StartBuild`   
Required to start running builds.  
 **Resource:** `arn:aws:codebuild:region-ID:account-ID:project/project-name ` 

StopBuild  
 **Action:** `codebuild:StopBuild`   
Required to attempt to stop running builds.  
 **Resource:** `arn:aws:codebuild:region-ID:account-ID:project/project-name ` 

UpdateProject  
 **Actions:** `codebuild:UpdateProject`, `iam:PassRole`   
Required to change information about build projects.  
 **Resources:**   
+  `arn:aws:codebuild:region-ID:account-ID:project/project-name ` 
+  `arn:aws:iam::account-ID:role/role-name ` 

UpdateProjectVisibility  <a name="UpdateProjectVisibility"></a>
 **Actions:** `codebuild:UpdateProjectVisibility`, `iam:PassRole`   
Required to change the public visibility of a project's builds.  
 **Resources:**   
+  `arn:aws:codebuild:region-ID:account-ID:project/project-name ` 
+  `arn:aws:iam::account-ID:role/role-name ` 

UpdateReport ¹  
 **Action:** `codebuild:UpdateReport`   
Required to create or update a test report.  
 **Resource:** `arn:aws:codebuild:region-ID:account-ID:report-group/report-group-name ` 

UpdateReportGroup  
 **Action:** `codebuild:UpdateReportGroup`   
Required to update a report group.  
 **Resource:** `arn:aws:codebuild:region-ID:account-ID:report-group/report-group-name ` 

UpdateWebhook  
 **Action:** `codebuild:UpdateWebhook`   
Required to update a webhook.  
 **Resource:** `arn:aws:codebuild:region-ID:account-ID:project/project-name ` 

¹ Used for permission only. There is no API for this action.

# Using tags to control access to AWS CodeBuild resources
<a name="auth-and-access-control-using-tags"></a>

Conditions in IAM policy statements are part of the syntax that you can use to specify permissions to CodeBuild project-based actions. You can create a policy that allows or denies actions on projects based on the tags associated with those projects, and then apply those policies to the IAM groups you configure for managing users. For information about applying tags to a project using the console or AWS CLI, see [Create a build project in AWS CodeBuild](create-project.md). For information about applying tags using the CodeBuild SDK, see [CreateProject ](https://docs.aws.amazon.com/codebuild/latest/APIReference/API_CreateProject.html#API_CreateProject_RequestSyntax) and [Tags](https://docs.aws.amazon.com/codebuild/latest/APIReference/API_Tag.html) in the *CodeBuild API Reference*. For information about using tags to control access to AWS resources, see [Controlling Access to AWS Resources Using Resource Tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html) in the *IAM User Guide*.

**Important**  
When using the reserved capacity feature, data cached on fleet instances, including source files, Docker layers, and cached directories specified in the buildspec, can be accessible to other projects within the same account. This is by design and allows projects within the same account to share fleet instances.

**Example 1: Limit CodeBuild project actions based on resource tags**  
The following example denies all `BatchGetProjects` actions on projects tagged with the key `Environment` and the value `Production`. An administrator must attach this IAM policy, in addition to the managed user policy, to users who are not authorized to view those projects. The `aws:ResourceTag` condition key is used to control access to resources based on their tags.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "codebuild:BatchGetProjects"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:ResourceTag/Environment": "Production"
        }
      }
    }
  ]
}
```

**Example 2: Limit CodeBuild project actions based on request tags**  
The following policy denies users permission to the `CreateProject` action if the request contains a tag with the key `Environment` and the value `Production`. In addition, the policy prevents these unauthorized users from modifying projects by using the `aws:TagKeys` condition key to deny `UpdateProject` if the request contains a tag with the key `Environment`. An administrator must attach this IAM policy, in addition to the managed user policy, to users who are not authorized to perform these actions. The `aws:RequestTag` condition key is used to control which tags can be passed in an IAM request.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "codebuild:CreateProject"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:RequestTag/Environment": "Production"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "codebuild:UpdateProject"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": ["Environment"]
        }
      }
    }
  ]
}
```

**Example 3: Deny or allow actions on report groups based on resource tags**  
You can create a policy that allows or denies actions on CodeBuild resources (projects and report groups) based on the AWS tags associated with those resources, and then apply those policies to the IAM groups you configure for managing users. For example, you can create a policy that denies all CodeBuild actions on any report group with the AWS tag key `Status` and the key value of `Secret`, and then apply that policy to the IAM group you created for general developers (*Developers*). You then need to make sure that the developers working on those tagged report groups are not members of that general *Developers* group, but belong instead to a different IAM group that does not have the restrictive policy applied (`SecretDevelopers`).  
The following example denies all CodeBuild actions on report groups tagged with the key `Status` and the key value of `Secret`:    

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "codebuild:BatchGetReportGroups",
        "codebuild:CreateReportGroup",
        "codebuild:DeleteReportGroup",
        "codebuild:ListReportGroups",
        "codebuild:ListReportsForReportGroup",
        "codebuild:UpdateReportGroup"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Status": "Secret"
        }
      }
    }
  ]
}
```

**Example 4: Limit CodeBuild actions to AWSCodeBuildDeveloperAccess based on resource tags**  
You can create policies that allow CodeBuild actions on all report groups and projects that are not tagged with specific tags. For example, the following policy allows the equivalent of [AWSCodeBuildDeveloperAccess](auth-and-access-control-iam-identity-based-access-control.md#developer-access-policy) permissions for all report groups and projects except those tagged with the specified tags:    

```json
{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
            "codebuild:StartBuild",
            "codebuild:StopBuild",
            "codebuild:BatchGet*",
            "codebuild:GetResourcePolicy",
            "codebuild:DescribeTestCases",
            "codebuild:List*",
            "codecommit:GetBranch",
            "codecommit:GetCommit",
            "codecommit:GetRepository",
            "codecommit:ListBranches",
            "cloudwatch:GetMetricStatistics",
            "events:DescribeRule",
            "events:ListTargetsByRule",
            "events:ListRuleNamesByTarget",
            "logs:GetLogEvents",
            "s3:GetBucketLocation",
            "s3:ListAllMyBuckets"
         ],
         "Resource": "*",
         "Condition": {
            "StringNotEquals": {
               "aws:ResourceTag/Status": "Secret",
               "aws:ResourceTag/Team": "Saanvi"
            }
         }
      }
   ]
}
```
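To see how the `project/my*` and `codebuild:Batch*` wildcards from the permissions reference, the `iam:PassedToService` condition from the first example, and the tag-based `aws:ResourceTag`, `aws:RequestTag` and `aws:TagKeys` conditions in Examples 1 to 4 decide a request, here is a simplified offline policy evaluator written for this page (an added example, not AWS code; it models only the subset of IAM semantics these examples use and is no substitute for the IAM policy simulator). The account number, project names and request contexts are constructed.

```python
"""Simplified, offline IAM policy evaluator (added example, not AWS code).
Covers: explicit Deny beats Allow; '*'/'?' wildcards in Action (case-insensitive) and
Resource (case-sensitive); StringEquals/StringNotEquals/StringLike/ArnEquals and ForAnyValue/ForAllValues."""

import re

ACCOUNT = "111122223333"  # constructed sample account, as in the page's examples
PROJECT = f"arn:aws:codebuild:us-east-2:{ACCOUNT}:project/"
ROLE = f"arn:aws:iam::{ACCOUNT}:role/CodeBuildServiceRole"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, value, ignore_case):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    parts = [re.escape(p).replace(r"\?", ".") for p in pattern.split("*")]
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(".*".join(parts), value, flags) is not None

def _single(base, pattern, value):
    if base in ("StringLike", "ArnEquals", "ArnLike"):  # ArnEquals behaves like ArnLike
        return _glob(pattern, value, ignore_case=False)
    if base not in ("StringEquals", "StringNotEquals"):
        raise ValueError(f"unsupported condition operator: {base}")
    return (pattern == value) != (base == "StringNotEquals")

def _values_ok(base, patterns, value):
    hits = [_single(base, p, value) for p in patterns]
    return all(hits) if "Not" in base else any(hits)  # Not-operators must reject every listed value

def condition_holds(condition, ctx):
    """Every operator and every key in a Condition block must hold (AND)."""
    for operator, keys in condition.items():
        quantifier, _, base = operator.rpartition(":")  # e.g. "ForAnyValue:StringEquals"
        for key, patterns in keys.items():
            patterns, actual = _as_list(patterns), ctx.get(key)
            if actual is None:  # key absent: ForAllValues and Not-operators are vacuously true
                if quantifier == "ForAllValues" or (not quantifier and "Not" in base):
                    continue
                return False
            hits = [_values_ok(base, patterns, a) for a in _as_list(actual)]
            ok = all(hits) if quantifier == "ForAllValues" else (any(hits) if quantifier else hits[0])
            if not ok:
                return False
    return True

def evaluate(policies, action, resource, ctx=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    ctx, decision = ctx or {}, "ImplicitDeny"
    for st in (s for p in policies for s in p["Statement"]):
        if (any(_glob(a, action, True) for a in _as_list(st["Action"]))
                and any(_glob(r, resource, False) for r in _as_list(st["Resource"]))
                and condition_holds(st.get("Condition", {}), ctx)):
            if st["Effect"] == "Deny":
                return "Deny"  # an explicit Deny always wins
            decision = "Allow"
    return decision

# Constructed policies that mirror statements shown on this page.
START_MY_PROJECTS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "codebuild:StartBuild", "Resource": PROJECT + "my*"}]}
UPDATE_PROJECTS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "codebuild:UpdateProject", "Resource": PROJECT + "*"}]}
PASS_ROLE_TO_CODEBUILD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": ROLE,
     "Condition": {"StringEquals": {"iam:PassedToService": "codebuild.amazonaws.com"}}}]}
DENY_ENVIRONMENT_TAG = {"Version": "2012-10-17", "Statement": [  # Example 2, second statement
    {"Effect": "Deny", "Action": ["codebuild:UpdateProject"], "Resource": "*",
     "Condition": {"ForAnyValue:StringEquals": {"aws:TagKeys": ["Environment"]}}}]}
DEVELOPER_ACCESS = {"Version": "2012-10-17", "Statement": [  # Example 4, CodeBuild actions only
    {"Effect": "Allow", "Action": ["codebuild:StartBuild", "codebuild:BatchGet*", "codebuild:List*"],
     "Resource": "*", "Condition": {"StringNotEquals": {
         "aws:ResourceTag/Status": "Secret", "aws:ResourceTag/Team": "Saanvi"}}}]}

def page_checks():
    """Decisions for constructed requests against the policies above."""
    return {
        "start_my": evaluate([START_MY_PROJECTS], "codebuild:StartBuild", PROJECT + "my-build-project"),
        "start_other": evaluate([START_MY_PROJECTS], "codebuild:StartBuild", PROJECT + "other-project"),
        # Status tag absent: the negated key is vacuously true, so BatchGet* is allowed.
        "batchget_untagged": evaluate([DEVELOPER_ACCESS], "codebuild:BatchGetBuilds", PROJECT + "app",
                                      {"aws:ResourceTag/Team": "Platform"}),
        "batchget_secret": evaluate([DEVELOPER_ACCESS], "codebuild:BatchGetBuilds", PROJECT + "app",
                                    {"aws:ResourceTag/Status": "Secret"}),
        # The explicit Deny on aws:TagKeys overrides the UpdateProject Allow.
        "update_plain": evaluate([UPDATE_PROJECTS, DENY_ENVIRONMENT_TAG], "codebuild:UpdateProject",
                                 PROJECT + "app", {"aws:TagKeys": ["Owner"]}),
        "update_env_tag": evaluate([UPDATE_PROJECTS, DENY_ENVIRONMENT_TAG], "codebuild:UpdateProject",
                                   PROJECT + "app", {"aws:TagKeys": ["Owner", "Environment"]}),
        # iam:PassedToService confines the service role to CodeBuild.
        "pass_to_codebuild": evaluate([PASS_ROLE_TO_CODEBUILD], "iam:PassRole", ROLE,
                                      {"iam:PassedToService": "codebuild.amazonaws.com"}),
        "pass_to_lambda": evaluate([PASS_ROLE_TO_CODEBUILD], "iam:PassRole", ROLE,
                                   {"iam:PassedToService": "lambda.amazonaws.com"}),
    }
```

Calling `page_checks()` returns `Allow` for `start_my`, `batchget_untagged`, `update_plain` and `pass_to_codebuild`, `Deny` for `update_env_tag`, and `ImplicitDeny` for the rest.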

# Viewing resources in the console
<a name="console-resources"></a>

The AWS CodeBuild console requires the `ListRepositories` permission to display a list of repositories for your AWS account in the AWS Region where you are signed in. The console also includes a **Go to resource** function to quickly perform a case-insensitive search for resources. This search is performed in your AWS account in the AWS Region where you are signed in. The following resources are displayed across the following services:
+ AWS CodeBuild: Build projects
+ AWS CodeCommit: Repositories
+ AWS CodeDeploy: Applications
+ AWS CodePipeline: Pipelines

To perform this search across resources in all services, you must have the following permissions:
+ CodeBuild: `ListProjects`
+ CodeCommit: `ListRepositories`
+ CodeDeploy: `ListApplications`
+ CodePipeline: `ListPipelines`

Results are not returned for a service's resources if you do not have permissions for that service. Even if you have permissions for viewing resources, some resources are not returned if there is an explicit `Deny` to view those resources.