Reputation: 4491
Is there a way to grant IAM instance roles to be used by the build process?
In my particular case I need to perform some S3 operations during the build (unrelated to archiving artifacts).
So far the only alternative I found is to add an AWS key and secret to the environment variables on the AWS CodeBuild configuration page.
It would be more secure to just attach an IAM role to the EC2 instance or container executing the build. Is that currently (2016-12) possible?
Upvotes: 15
Views: 8257
Reputation: 251
You should be able to attach any additional policy permissions to the service role that was created for your build project. CodeBuild uses that policy during build time to execute actions within a build instance.
For example, if you wanted to delete an object from S3 during build, you would need to add the following statement to your service role policy:
{
    "Effect": "Allow",
    "Resource": [
        "*"
    ],
    "Action": [
        "s3:DeleteObject"
    ]
}
Note: You may wish to restrict these permissions to specific resources; the example above allows DeleteObject on anything in your account.
If you used the first-run wizard on the CodeBuild console to set up your project, you should already have policies in your service role for s3:GetObject and s3:GetObjectVersion. The service role name when creating via the console is 'codebuild-[project name]-service-role' by default.
Upvotes: 12
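The answer above leaves the Resource element as "*" and then warns against it. As an added example (not code from the question, the answer, or AWS), the following Python builds the same s3:DeleteObject statement scoped to a single bucket and key prefix, wraps it in a complete policy document ready for the service role, and includes a small review check that flags any Allow statement still using a wildcard Resource. The bucket name and prefix are constructed placeholders; substitute your own.

```python
import json

# Constructed placeholder values; replace with the bucket and prefix the build actually uses.
BUCKET = "example-build-artifacts"   # assumption: bucket touched by the build
PREFIX = "builds/"                   # assumption: only this key prefix is needed


def s3_statement(sid: str, actions: list, bucket: str, prefix: str) -> dict:
    """One Allow statement limited to a bucket/prefix instead of Resource "*"."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Action": list(actions),
        "Resource": [f"arn:aws:s3:::{bucket}/{prefix}*"],
    }


def build_policy(statements: list) -> dict:
    """Wrap statements into a complete IAM policy document."""
    return {"Version": "2012-10-17", "Statement": list(statements)}


def codebuild_s3_policy(bucket: str, prefix: str) -> dict:
    """Least-privilege equivalent of the answer's advice: the read permissions the
    console wizard already grants, plus DeleteObject, all scoped to one prefix."""
    return build_policy([
        s3_statement("ReadBuildObjects", ["s3:GetObject", "s3:GetObjectVersion"], bucket, prefix),
        s3_statement("DeleteBuildObjects", ["s3:DeleteObject"], bucket, prefix),
    ])


def wildcard_resource_findings(policy: dict) -> list:
    """Return (sid, action) pairs for Allow statements whose Resource contains "*".
    Intended as a review check before a policy is attached to the service role."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "*" in resources:
            for action in actions:
                findings.append((stmt.get("Sid", "<no Sid>"), action))
    return findings


if __name__ == "__main__":
    # The statement from the answer, as written, triggers the check.
    broad = build_policy([{"Effect": "Allow", "Resource": ["*"], "Action": ["s3:DeleteObject"]}])
    print("broad policy findings:", wildcard_resource_findings(broad))

    # The scoped policy passes and can be saved as a file for the role.
    scoped = codebuild_s3_policy(BUCKET, PREFIX)
    print("scoped policy findings:", wildcard_resource_findings(scoped))
    print(json.dumps(scoped, indent=2))
```

Write the printed document to a file and attach it as an inline policy with `aws iam put-role-policy --role-name <service role> --policy-name <name> --policy-document file://policy.json`, or paste it into the role in the IAM console. Running the wildcard check over every service-role policy in a repository catches a Resource "*" before it reaches the account rather than after.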