IAM Role DSL
Cody can create the IAM service role associated with the CodeBuild project. Here’s an example:
.cody/role.rb:
iam_policy("logs", "ssm")
For more control, here’s a longer form:
iam_policy(
  Action: [
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
    "ssm:*",
  ],
  Effect: "Allow",
  Resource: "*"
)
You can also make multiple calls to iam_policy. Example:
iam_policy("logs")
iam_policy("ssm")
You can also add a managed IAM policy:
managed_iam_policy("AmazonS3ReadOnlyAccess")
You can also add multiple managed IAM policies:
managed_iam_policy("AmazonS3ReadOnlyAccess", "AmazonEC2ReadOnlyAccess")
Full DSL
The convenience methods merely wrap properties of the AWS::IAM::Role CloudFormation Resource. If you wanted to set the CloudFormation properties more directly, here’s an example of using the “Full” DSL.
.cody/role.rb:
assume_role_policy_document(
  Statement: [{
    Action: ["sts:AssumeRole"],
    Effect: "Allow",
    Principal: {
      Service: ["codebuild.amazonaws.com"]
    }
  }],
  Version: "2012-10-17"
)
path("/")
policies([{
  PolicyName: "CodeBuildAccess",
  PolicyDocument: {
    Version: "2012-10-17",
    Statement: [{
      Action: [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
      ],
      Effect: "Allow",
      Resource: "*"
    }]
  }
}])
Default IAM Role
Here’s the default IAM Role that Cody uses.
iam_policy(
  Action: [
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
    "ssm:DescribeDocumentParameters",
    "ssm:DescribeParameters",
    "ssm:GetParameter*",
  ],
  Effect: "Allow",
  Resource: "*"
)
If you override the default by creating a role.rb file, you will probably want to keep at least logs access so CodeBuild can write to CloudWatch.
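The longer-form example on this page grants ssm:* on every resource, while the default role limits SSM to describe and get actions. As an added example (not part of Cody), the Ruby check below flags wildcard actions in statement hashes of the shape iam_policy accepts, so a custom role.rb can be reviewed before it is deployed. The audit_statement helper, its finding labels and the scoped ARN are assumptions made for illustration.

```ruby
# Added example, not Cody code: audit_statement is a hypothetical helper.
# Returns findings for one statement hash of the Action/Effect/Resource
# shape that iam_policy accepts.
def audit_statement(stmt)
  return [] unless stmt[:Effect] == "Allow"

  any_resource = Array(stmt[:Resource]).include?("*")
  Array(stmt[:Action]).each_with_object([]) do |action, findings|
    _service, name = action.split(":", 2)
    if action == "*" || name == "*"
      findings << "wildcard action: #{action}"
    elsif name.to_s.include?("*") && any_resource
      findings << "prefix wildcard on all resources: #{action}"
    end
  end
end

LOGS = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"].freeze

# Statements as they appear on this page.
LONG_FORM = { Action: LOGS + ["ssm:*"], Effect: "Allow", Resource: "*" }.freeze
DEFAULT_ROLE = {
  Action: LOGS + ["ssm:DescribeDocumentParameters", "ssm:DescribeParameters",
                  "ssm:GetParameter*"],
  Effect: "Allow",
  Resource: "*"
}.freeze

# Constructed: SSM reads scoped to one parameter path. Region, account id
# and path are placeholders.
SCOPED = {
  Action: ["ssm:GetParameter*"],
  Effect: "Allow",
  Resource: "arn:aws:ssm:us-east-1:111111111111:parameter/myapp/*"
}.freeze

if __FILE__ == $PROGRAM_NAME
  { "long form" => LONG_FORM, "default" => DEFAULT_ROLE, "scoped" => SCOPED }.each do |label, stmt|
    findings = audit_statement(stmt)
    puts "#{label}: #{findings.empty? ? 'ok' : findings.join('; ')}"
  end
end
```

Any finding is a prompt to narrow the Action list or the Resource before the role is deployed.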