I recently moved a CodeBuild project into a VPC. It started failing in the provisioning stage with the message “CodeBuild is experiencing issues”. To my surprise I found neither a CloudWatch Logs entry nor anything from a search engine.
I had given CodeBuild the following IAM permissions:
- Sid: VPCNetworkPermissions
  Effect: "Allow"
  Action:
    - "ec2:*NetworkInterface"
    - "ec2:Describe*"
  Resource:
    - "*"
This developer forum post led me to the documentation, where I discovered that “ec2:CreateNetworkInterfacePermission” is also required. The wildcard “ec2:*NetworkInterface” does not cover it, because IAM matches the whole action name and this one ends in “Permission”.
This policy works:
CodeBuildInVPCPolicy:
  Type: AWS::IAM::Policy
  Properties:
    PolicyName: codebuild-in-vpc
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Action:
            - ec2:CreateNetworkInterface
            - ec2:DescribeDhcpOptions
            - ec2:DescribeNetworkInterfaces
            - ec2:DeleteNetworkInterface
            - ec2:DescribeSubnets
            - ec2:DescribeSecurityGroups
            - ec2:DescribeVpcs
          Resource: "*"
        - Effect: Allow
          Action:
            - ec2:CreateNetworkInterfacePermission
          Resource: !Sub arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*
          Condition:
            StringEquals:
              ec2:AuthorizedService: codebuild.amazonaws.com
    Roles:
      - !Ref CodeBuildRole
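As an added illustration (not code from the original post), the following Python script applies IAM's action-wildcard matching to both statements above and lists which of the actions in the working policy the first statement fails to grant. It checks only the Action element, so it does not evaluate the Resource ARN or the ec2:AuthorizedService condition, and the required-action list is taken from the working policy on this page rather than from AWS documentation.

```python
import re

# Actions the working policy above grants; treated here as the set CodeBuild
# needs for a VPC-attached build (taken from the page, not from AWS docs).
REQUIRED_VPC_ACTIONS = [
    "ec2:CreateNetworkInterface",
    "ec2:DescribeDhcpOptions",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DeleteNetworkInterface",
    "ec2:DescribeSubnets",
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeVpcs",
    "ec2:CreateNetworkInterfacePermission",
]

def iam_action_pattern(pattern):
    """Compile an IAM Action string: '*' matches any run of characters,
    '?' exactly one; IAM compares action names case-insensitively and
    the whole name must match (no prefix matching)."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def missing_actions(statements, required=REQUIRED_VPC_ACTIONS):
    """Return the required actions that no Allow statement's Action matches.
    Only the Action element is checked; Resource and Condition are ignored."""
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # IAM allows a bare string here
            actions = [actions]
        patterns.extend(iam_action_pattern(a) for a in actions)
    return [a for a in required if not any(p.match(a) for p in patterns)]

# The author's original statement, transcribed from the post.
ORIGINAL_STATEMENTS = [
    {"Sid": "VPCNetworkPermissions", "Effect": "Allow",
     "Action": ["ec2:*NetworkInterface", "ec2:Describe*"], "Resource": ["*"]},
]

# The working policy's two statements, Action elements only.
FIXED_STATEMENTS = [
    {"Effect": "Allow", "Action": REQUIRED_VPC_ACTIONS[:-1], "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:CreateNetworkInterfacePermission"]},
]

if __name__ == "__main__":
    print(missing_actions(ORIGINAL_STATEMENTS))  # ['ec2:CreateNetworkInterfacePermission']
    print(missing_actions(FIXED_STATEMENTS))     # []
```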
I hope this helps.