Create IAM Role for CodeBuild and CodePipeline

Overview

In this step, we will create an IAM Role. This IAM Role will be used by AWS CodeBuild and CodePipeline.

Content

  1. Access IAM

  2. On the left navigation bar, select Policies

  3. Choose Create Policies.

    IAM Policies interface

  4. On the Specify permissions interface of Create Policies, switch to the JSON tab, paste the following JSON snippet, and select Next

    {
    	"Version": "2012-10-17",
    	"Statement": [
    		{
    			"Effect": "Allow",
    			"Action": [
    				"s3:*",
    				"cloudwatch:*",
    				"logs:*"
    			],
    			"Resource": "*"
    		},
    		{
    			"Effect": "Allow",
    			"Resource": [
    				"*"
    			],
    			"Action": [
    				"codecommit:*"
    			]
    		},
    		{
    			"Effect": "Allow",
    			"Action": [
    				"codebuild:*"
    			],
    			"Resource": "*"
    		}
    	]
    }
    


    👉 JSON Policy Summary
    -> The policy declares permissions related to:

    • S3 ("s3:*"): Storing artifacts and sending files to deploy to S3.
    • CloudWatch ("cloudwatch:*") and CloudWatch Logs ("logs:*"): Logging.
    • CodeCommit ("codecommit:*"): Accessing CodeCommit to get the source code for building and deploying.
    • CodeBuild ("codebuild:*"): Accessing CodeBuild operations.
  5. On the Review and create interface

    1. Enter Policy name: fcj-workshop

    Name policy

    2. Review the information

    Review Policy

    3. Tag the policy and select Create policy. (You can skip adding tags, but I prefer to add tags to clean up resources completely after the lab)

    Add tags and create policy

  6. On the left navigation bar, select Roles

  7. Choose Create Role

  8. On the Select trusted entity page, choose AWS Service, then select CodeBuild and click Next

    Select trusted entity

  9. In the Add permissions section, choose fcj-workshop and click Next

    Select create policy

  10. On the Name, review, and create page

    1. Enter Role name: fcj-workshop-role

    Name role

    2. Tag the role and select Create role.

    Add tags and create role

  11. Go back to Roles and select the created role (fcj-workshop-role)

    Access created role

  12. Click on the Trust relationships tab, then select Edit trust policy

    Tab Trust relationships

  13. On the Edit trust policy page, paste the following JSON:

    {
    	"Version": "2012-10-17",
    	"Statement": [
    		{
    			"Effect": "Allow",
    			"Principal": {
    				"Service": "codebuild.amazonaws.com"
    			},
    			"Action": "sts:AssumeRole"
    		},
    		{
    			"Effect": "Allow",
    			"Principal": {
    				"Service": "codepipeline.amazonaws.com"
    			},
    			"Action": "sts:AssumeRole"
    		}
    	]
    }
    

    👉 Brief
    The role's trust policy initially allowed only CodeBuild to assume it (Step 8), but since I want to use one role for two services, I add an sts:AssumeRole statement for CodePipeline so that it can also use this role.

    In this JSON, I add:

    {
    	"Effect": "Allow",
    	"Principal": {
    		"Service": "codepipeline.amazonaws.com"
    	},
    	"Action": "sts:AssumeRole"
    }
    

    ℹ️ Note:
    This shared role is for lab purposes only; in practice, each service should get its own role with only the permissions it needs (least privilege), which also keeps maintenance simple.

    Edit Trust policy

  14. Choose Update policy
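As an added example that is not part of this workshop's own material, the Python script below works with constructed copies of the step 4 permissions policy and the step 8 trust policy: it flags the wildcard grants the note above warns about, rebuilds the step 13 trust policy programmatically (adding the CodePipeline principal to the CodeBuild-only policy), and produces the per-service split the note recommends. All function names (`find_wildcard_grants`, `add_trusted_service`, `split_per_service`, and so on) are my own and not an AWS API.

```python
import copy
import json

# Constructed copy of the permissions policy pasted in step 4 of this page.
WORKSHOP_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "cloudwatch:*", "logs:*"], "Resource": "*"},
    {"Effect": "Allow", "Resource": ["*"], "Action": ["codecommit:*"]},
    {"Effect": "Allow", "Action": ["codebuild:*"], "Resource": "*"}
  ]
}
""")

# Constructed trust policy as the console creates it in step 8 (trusted entity: CodeBuild only).
CODEBUILD_ONLY_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "codebuild.amazonaws.com"},
         "Action": "sts:AssumeRole"}
    ],
}


def as_list(value):
    """IAM lets Action, Resource and Principal.Service be a string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcard_grants(policy):
    """One finding per Allow statement that grants a wildcard action or resource.

    Returns (statement_index, wildcard_actions, wildcard_resources). A wildcard action is
    "*" or "<service>:*"; a wildcard resource is "*". Condition blocks are not evaluated.
    """
    findings = []
    for index, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a for a in as_list(stmt.get("Action")) if a == "*" or a.endswith(":*")]
        resources = [r for r in as_list(stmt.get("Resource")) if r == "*"]
        if actions or resources:
            findings.append((index, actions, resources))
    return findings


def assume_role_statement(service):
    """The statement that lets one AWS service principal assume the role."""
    return {"Effect": "Allow", "Principal": {"Service": service}, "Action": "sts:AssumeRole"}


def trusted_services(trust_policy):
    """Every service principal allowed to call sts:AssumeRole on the role."""
    services = []
    for stmt in as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal") or {}
        if isinstance(principal, dict):  # a bare "*" principal has no Service key
            services.extend(as_list(principal.get("Service")))
    return services


def add_trusted_service(trust_policy, service):
    """Step 13: return a copy of the trust policy that also trusts `service` (no duplicates)."""
    updated = copy.deepcopy(trust_policy)
    if service not in trusted_services(updated):
        updated["Statement"].append(assume_role_statement(service))
    return updated


def split_per_service(trust_policy):
    """The per-service alternative from the note: one single-principal trust policy per service."""
    return {s: {"Version": trust_policy["Version"], "Statement": [assume_role_statement(s)]}
            for s in trusted_services(trust_policy)}


def workshop_trust_policy():
    """The shared trust policy this page ends up with after step 13."""
    return add_trusted_service(CODEBUILD_ONLY_TRUST, "codepipeline.amazonaws.com")


if __name__ == "__main__":
    for index, actions, resources in find_wildcard_grants(WORKSHOP_POLICY):
        print(f"statement[{index}]: wildcard actions={actions} wildcard resources={resources}")
    print(json.dumps(workshop_trust_policy(), indent=2))
    print(json.dumps(split_per_service(workshop_trust_policy()), indent=2))
```

Run directly, the script reports that all three statements of the workshop policy combine a service-wide action wildcard with `"Resource": "*"`, prints the combined trust policy from step 13, and then prints one trust policy per service, which is the shape to aim for once the lab is over.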