Test report permissions

This topic describes important information about permissions related to test reporting.

IAM role for test reports

To run a test report, and to update a project to include test reports, your IAM role requires the following permissions. These permissions are included in the predefined AWS managed policies. If you want to add test reporting to an existing build project, you must add these permissions yourself.

  • CreateReportGroup

  • CreateReport

  • UpdateReport

  • BatchPutTestCases

To run a code coverage report, your IAM role must also include the BatchPutCodeCoverages permission.

Note

BatchPutTestCases, CreateReport, UpdateReport, and BatchPutCodeCoverages are not public permissions. You cannot call a corresponding AWS CLI command or SDK method for these permissions.

To make sure you have these permissions, you can attach the following policy to your IAM role:

{
    "Effect": "Allow",
    "Resource": [
        "*"
    ],
    "Action": [
        "codebuild:CreateReportGroup",
        "codebuild:CreateReport",
        "codebuild:UpdateReport",
        "codebuild:BatchPutTestCases",
        "codebuild:BatchPutCodeCoverages"
    ]
}

We recommend that you restrict this policy to only those report groups you must use. The following restricts permissions to only the report groups with the two ARNs in the policy:

{
    "Effect": "Allow",
    "Resource": [
        "arn:aws:codebuild:your-region:your-aws-account-id:report-group/report-group-name-1",
        "arn:aws:codebuild:your-region:your-aws-account-id:report-group/report-group-name-2"
    ],
    "Action": [
        "codebuild:CreateReportGroup",
        "codebuild:CreateReport",
        "codebuild:UpdateReport",
        "codebuild:BatchPutTestCases",
        "codebuild:BatchPutCodeCoverages"
    ]
}

The following restricts permissions to only report groups created by running builds of a project named my-project:

{
    "Effect": "Allow",
    "Resource": [
        "arn:aws:codebuild:your-region:your-aws-account-id:report-group/my-project-*"
    ],
    "Action": [
        "codebuild:CreateReportGroup",
        "codebuild:CreateReport",
        "codebuild:UpdateReport",
        "codebuild:BatchPutTestCases",
        "codebuild:BatchPutCodeCoverages"
    ]
}

Note

The CodeBuild service role specified in the project is used for permissions to upload to the S3 bucket.
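
One way to check a role's policy against the scoping recommendation above, as an added example that is not AWS code: it flags Allow statements that grant any of the five report-writing actions on a resource outside a chosen report-group ARN prefix. The function names, the sample policies, and the region, account ID and project name in them are constructed assumptions.

```python
import fnmatch

# The five report-writing actions named on this page.
REPORT_ACTIONS = [
    "codebuild:createreportgroup", "codebuild:createreport",
    "codebuild:updatereport", "codebuild:batchputtestcases",
    "codebuild:batchputcodecoverages",
]

def as_list(value):
    """IAM accepts a bare string or object where a list is expected."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def grants_report_action(patterns):
    """True if any Action pattern, wildcards included, covers a report action.
    IAM action names are case-insensitive, so compare in lower case."""
    return any(fnmatch.fnmatchcase(action, p.lower())
               for p in patterns for action in REPORT_ACTIONS)

def audit(policy, allowed_prefix):
    """Return (statement index, resource) for every Allow statement that grants
    a report action on a resource outside allowed_prefix.
    NotAction and NotResource statements are not evaluated."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not grants_report_action(as_list(stmt.get("Action"))):
            continue
        for resource in as_list(stmt.get("Resource")):
            if not resource.startswith(allowed_prefix):
                findings.append((i, resource))
    return findings

# Constructed sample input: region, account ID and project name are placeholders.
PREFIX = "arn:aws:codebuild:us-east-1:111122223333:report-group/my-project-"
WIDE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": ["*"],
     "Action": ["codebuild:CreateReport", "codebuild:BatchPutTestCases"]}]}
SCOPED = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Resource": PREFIX + "*", "Action": "codebuild:*Report*"}}
BROAD_GROUP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"},
    {"Effect": "Allow", "Action": "codebuild:*",
     "Resource": PREFIX.rsplit("/", 1)[0] + "/*"}]}

if __name__ == "__main__":
    for name, doc in (("WIDE", WIDE), ("SCOPED", SCOPED), ("BROAD_GROUP", BROAD_GROUP)):
        print(name, audit(doc, PREFIX) or "ok")
```

The prefix comparison is deliberately strict: a resource with a wildcard in the region or account field is reported even if it could match the intended report groups.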

You can specify permissions for the following test reporting CodeBuild API operations:

  • BatchGetReportGroups

  • BatchGetReports

  • CreateReportGroup

  • DeleteReportGroup

  • DeleteReport

  • DescribeTestCases

  • ListReportGroups

  • ListReports

  • ListReportsForReportGroup

  • UpdateReportGroup

For more information, see AWS CodeBuild permissions reference.

Test reporting permissions examples

For information about sample policies related to test reporting, see the following:
