AWS codepipeline documentation change
Summary
Added service role permissions section with required IAM policy for CodeBuild actions
Security assessment
Documents necessary permissions for CodeBuild integration but does not indicate resolution of a security flaw. The change enhances security documentation through explicit access control guidance.
Diff
diff --git a/codepipeline/latest/userguide/action-reference-CodeBuild.md b/codepipeline/latest/userguide/action-reference-CodeBuild.md index 97e1b0f60..702559934 100644 --- a/codepipeline/latest/userguide/action-reference-CodeBuild.md +++ b/codepipeline/latest/userguide/action-reference-CodeBuild.md @@ -5 +5 @@ -Action typeConfiguration parameters Input artifactsOutput artifactsOutput variablesAction declaration (CodeBuild example)See also +Action typeConfiguration parameters Input artifactsOutput artifactsOutput variablesService role permissions: CodeBuild actionAction declaration (CodeBuild example)See also @@ -24,0 +25,2 @@ When you use the CodePipeline wizard in the console to create a build project, t + * Service role permissions: CodeBuild action + @@ -166,0 +169,23 @@ For more information about using CodeBuild environment variables in CodePipeline +## Service role permissions: CodeBuild action + +For CodeBuild support, add the following to your policy statement: + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "codebuild:BatchGetBuilds", + "codebuild:StartBuild", + "codebuild:BatchGetBuildBatches", + "codebuild:StartBuildBatch" + ], + "Resource": [ + "arn:aws:codebuild:*:{{customerAccountId}}:project/[[ProjectName]]" + ], + "Effect": "Allow" + } + ] + } +