Access Denied in attempt to Create Project in AWS CodeBuild

Time: 09-28

According to the AWS CodeBuild documentation, the Create Project operation requires only the codebuild:CreateProject and iam:PassRole Actions to be granted. I have done this in my role's policy, and set the Resource to "*", but when I click on the Create Project button, I immediately get Access Denied with no further information. I have no problems doing the analogous operation in CodeArtifact, CodePipeline, and CodeCommit. If I set "s3:*", I do not get the error, so evidently it's an S3 permission I'm missing, but which one?

What I am trying to do is create a role with reduced permissions so that a user can run a build and manage CodeSuite resources (add and edit repositories, pipelines, etc.) without using Administrator privileges.

Here is my policy JSON:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*Object",
                "s3:*ObjectVersion",
                "s3:*BucketAcl",
                "s3:*BucketLocation",
                "iam:*",
                "codepipeline:*",
                "codeartifact:*",
                "codecommit:*",
                "codebuild:*"
            ],
            "Resource": "*"
        }
    ]
}

(I am aware this configuration is inadvisable; I am trying to isolate the issue, and provide a minimum reproducible example)

CodePudding user response:

You can use iamlive in the pipeline (or from the AWS cli), which allows you to generate IAM policies from AWS calls. This way you'll be able to find out the minimum set of permissions required for codebuild:CreateProject.

CodePudding user response:

With a little bit of educated trial and error, I narrowed it down to a List* Action, which is sufficiently specific for my purposes. I'm guessing it's ListObjects and ListObjectVersions, but I'm too lazy to confirm it.
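To make the trial and error above reproducible offline, here is a small IAM action-pattern matcher (added example, not code from the question or either answer, and not the AWS policy engine). It evaluates the question's S3 wildcards against a constructed list of real S3 IAM action names, shows that none of the `s3:*Object`-style patterns cover any `List` action, and then shows the effect of adding the `s3:List*` pattern the answer settled on. Which specific S3 action CodeBuild's console actually calls is an assumption this example does not make; the candidate list is just the actions a practitioner would probe first.

```python
import re
from typing import Dict, List

# Constructed copy of the S3 portion of the question's policy (the iam:* and code*:*
# entries are left out because only the S3 gap is being analysed here).
QUESTION_POLICY: Dict = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*Object",
                "s3:*ObjectVersion",
                "s3:*BucketAcl",
                "s3:*BucketLocation",
            ],
            "Resource": "*",
        }
    ],
}

# Constructed probe list of real S3 IAM action names. Assumption: these are the
# actions worth checking first; the page does not say which one CodeBuild needs.
CANDIDATE_ACTIONS: List[str] = [
    "s3:GetObject",
    "s3:PutObject",
    "s3:GetObjectVersion",
    "s3:GetBucketAcl",
    "s3:GetBucketLocation",
    "s3:ListBucket",
    "s3:ListBucketVersions",
    "s3:ListAllMyBuckets",
]


def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching: case-insensitive, '*' matches any run, '?' one char."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def evaluate(policy: Dict, action: str) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action.

    Mirrors the basic IAM rule that an explicit Deny beats an Allow and that an
    action no statement mentions is implicitly denied. Resource and Condition
    blocks are ignored since the question's policy uses Resource "*".
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(action_matches(p, action) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def uncovered_actions(policy: Dict, candidates: List[str]) -> List[str]:
    """Candidate actions the policy neither allows nor explicitly denies."""
    return [a for a in candidates if evaluate(policy, a) == "ImplicitDeny"]


def with_extra_actions(policy: Dict, extra: List[str]) -> Dict:
    """Copy of the policy with an additional Allow statement appended."""
    return {
        "Version": policy["Version"],
        "Statement": list(policy["Statement"])
        + [{"Effect": "Allow", "Action": list(extra), "Resource": "*"}],
    }


if __name__ == "__main__":
    print("Not covered by the question's policy:",
          uncovered_actions(QUESTION_POLICY, CANDIDATE_ACTIONS))
    widened = with_extra_actions(QUESTION_POLICY, ["s3:List*"])
    print("Not covered after adding s3:List*:",
          uncovered_actions(widened, CANDIDATE_ACTIONS))
```

Running it lists the three `List` actions as uncovered by the original policy and nothing as uncovered once `s3:List*` is added, which is why widening to `s3:*` (or `List*`) makes the error disappear. To pin down the exact action rather than a family, the iamlive approach from the other answer, or the AWS IAM policy simulator, is the right follow-up; this matcher only tells you what a given wildcard does and does not reach.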
