Configuring IAM for CodeBuild to Push to ECR

How do I configure IAM for CodeBuild to push to ECR?

This guide explains how to configure IAM roles and policies needed for AWS CodeBuild to push images to Amazon ECR. We’ll create an IAM role for CodeBuild with policies that allow it to push Docker images to ECR.

Here’s the complete configuration as a Pulumi program in TypeScript:

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create the ECR repository the build will push to
const example = new aws.ecr.Repository("example", {name: "example-repo"});

// Create the IAM role CodeBuild assumes while a build runs
const codebuildRole = new aws.iam.Role("codebuild_role", {
    name: "codebuild-role",
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Principal: {
                Service: "codebuild.amazonaws.com",
            },
            Action: "sts:AssumeRole",
        }],
    }),
});

// Policy granting the role just enough ECR access to push to this one repository.
// pulumi.jsonStringify (not JSON.stringify) is needed because example.arn is an Output.
const codebuildEcrPolicy = new aws.iam.Policy("codebuild_ecr_policy", {
    name: "codebuild-ecr-policy",
    description: "Policy allowing CodeBuild to push to ECR",
    policy: pulumi.jsonStringify({
        Version: "2012-10-17",
        Statement: [
            {
                // Layer upload and manifest push (plus pull), scoped to the repository ARN
                Effect: "Allow",
                Action: [
                    "ecr:GetDownloadUrlForLayer",
                    "ecr:BatchGetImage",
                    "ecr:BatchCheckLayerAvailability",
                    "ecr:PutImage",
                    "ecr:InitiateLayerUpload",
                    "ecr:UploadLayerPart",
                    "ecr:CompleteLayerUpload",
                ],
                Resource: [example.arn],
            },
            {
                // GetAuthorizationToken supports no resource-level permissions, so "*" is required here
                Effect: "Allow",
                Action: ["ecr:GetAuthorizationToken"],
                Resource: "*",
            },
            {
                // CloudWatch Logs for build output; narrow Resource to the project's log group ARN once you know it
                Effect: "Allow",
                Action: [
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:PutLogEvents",
                ],
                Resource: "*",
            },
        ],
    }),
});

// Attach the policy to the CodeBuild IAM role
const codebuildEcrPolicyAttachment = new aws.iam.RolePolicyAttachment("codebuild_ecr_policy_attachment", {
    role: codebuildRole.name,
    policyArn: codebuildEcrPolicy.arn,
});

export const ecrRepositoryUrl = example.repositoryUrl;

In this example, we’ve defined all the necessary entities:

  1. ECR Repository: This is where your Docker images will be stored.
  2. IAM Role: This role is assumed by CodeBuild.
  3. IAM Policy: This policy grants permissions needed to interact with ECR.
  4. Role Policy Attachment: This attaches the policy to the IAM role.
  5. Output: To provide the ECR repository URL as a stack output.

This configuration gives CodeBuild the permissions it needs to push Docker images to this one repository and nothing broader: the layer-upload and PutImage actions are scoped to the repository ARN, and only ecr:GetAuthorizationToken, which supports no resource-level permissions, is granted on "*". Two things remain outside this snippet. The role only takes effect once it is set as the serviceRole of your CodeBuild project (with privileged mode enabled so the build can run Docker), and the build itself still has to log in with aws ecr get-login-password piped into docker login --username AWS --password-stdin before it can docker push. To tighten it further, restrict the logs statement to the project's log group ARN, and add an aws:SourceAccount / aws:SourceArn condition to the trust policy, which AWS recommends for CodeBuild service roles to prevent the cross-service confused deputy problem.
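Since the value of this setup lies in what the policy does not grant, here is an added example (not code from the page's Pulumi program) that checks both policy documents offline for the properties described above: push actions scoped to the repository ARN, no wildcard ECR actions, "*" only on ecr:GetAuthorizationToken, and a source condition on the trust policy. It needs no AWS or Pulumi dependency; the account ID, region, repository ARN and the "broad" comparison policy are constructed sample values, not anything from the page.

```typescript
// Added example: an offline least-privilege linter for the CodeBuild -> ECR policies above.
// All ARNs, the account id and the comparison policies are constructed sample inputs.

type IamStatement = {
    Effect: "Allow" | "Deny";
    Principal?: Record<string, string | string[]>;
    Action: string | string[];
    Resource?: string | string[];
    Condition?: Record<string, Record<string, string | string[]>>;
};
type IamPolicy = { Version: string; Statement: IamStatement[] };

// Actions a `docker push` needs. All support resource-level permissions, so they
// should be scoped to the repository ARN rather than "*".
export const PUSH_ACTIONS = [
    "ecr:BatchCheckLayerAvailability",
    "ecr:InitiateLayerUpload",
    "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload",
    "ecr:PutImage",
];
// Read actions the page's policy also grants (only needed if the build pulls from the same repo).
const PULL_ACTIONS = ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"];
// GetAuthorizationToken has no resource-level permissions; "*" is the only valid Resource for it.
const ACCOUNT_LEVEL_ACTIONS = ["ecr:GetAuthorizationToken"];
const ALLOWED_ECR_ACTIONS = PUSH_ACTIONS.concat(PULL_ACTIONS, ACCOUNT_LEVEL_ACTIONS);

const asList = (v: string | string[] | undefined): string[] =>
    v === undefined ? [] : Array.isArray(v) ? v : [v];
const has = (list: string[], v: string): boolean => list.indexOf(v) !== -1;

// Findings for the permissions policy; an empty list means "push-only, scoped to repoArn".
export function lintEcrPushPolicy(policy: IamPolicy, repoArn: string): string[] {
    const findings: string[] = [];
    const scopedGrants: string[] = [];
    for (const st of policy.Statement) {
        if (st.Effect !== "Allow") continue;
        const resources = asList(st.Resource);
        for (const action of asList(st.Action)) {
            if (action.indexOf("ecr:") !== 0) continue;            // logs:* etc. are out of scope here
            if (action.indexOf("*") !== -1) {
                findings.push(`wildcard ECR action "${action}" grants far more than push`);
                continue;
            }
            if (!has(ALLOWED_ECR_ACTIONS, action)) {
                findings.push(`"${action}" is not needed for push`);
                continue;
            }
            if (has(ACCOUNT_LEVEL_ACTIONS, action)) continue;       // "*" is correct for this one
            if (resources.some((r) => r.indexOf("*") !== -1)) {
                findings.push(`"${action}" is granted on ${JSON.stringify(resources)}; scope it to ${repoArn}`);
            } else if (has(resources, repoArn)) {
                scopedGrants.push(action);
            }
        }
    }
    for (const needed of PUSH_ACTIONS) {
        if (!has(scopedGrants, needed)) findings.push(`missing "${needed}" on ${repoArn}; docker push would fail`);
    }
    return findings;
}

// Findings for the trust policy. A bare codebuild.amazonaws.com principal says nothing about
// which account or project may use the role; AWS recommends pinning aws:SourceAccount and/or
// aws:SourceArn in a Condition to prevent the cross-service confused deputy problem.
export function lintTrustPolicy(policy: IamPolicy): string[] {
    const findings: string[] = [];
    for (const st of policy.Statement) {
        if (st.Effect !== "Allow") continue;
        const cond = JSON.stringify(st.Condition || {});
        if (cond.indexOf("aws:SourceAccount") === -1 && cond.indexOf("aws:SourceArn") === -1) {
            findings.push("trust policy has no aws:SourceAccount / aws:SourceArn condition");
        }
    }
    return findings;
}

// Constructed sample inputs (made-up account id and region; the repo name matches the page).
export const SAMPLE_REPO_ARN = "arn:aws:ecr:us-east-1:123456789012:repository/example-repo";
// The page's permissions policy with the Pulumi Output replaced by the sample ARN.
export const tightPolicy: IamPolicy = {
    Version: "2012-10-17",
    Statement: [
        { Effect: "Allow", Action: PULL_ACTIONS.concat(PUSH_ACTIONS), Resource: [SAMPLE_REPO_ARN] },
        { Effect: "Allow", Action: ["ecr:GetAuthorizationToken"], Resource: "*" },
        { Effect: "Allow", Action: ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"], Resource: "*" },
    ],
};
// The quick-start shortcut: every ECR action on every repository.
export const broadPolicy: IamPolicy = {
    Version: "2012-10-17",
    Statement: [{ Effect: "Allow", Action: "ecr:*", Resource: "*" }],
};
// The page's trust policy as written, and the same policy pinned to one account's projects.
export const trustAsWritten: IamPolicy = {
    Version: "2012-10-17",
    Statement: [{ Effect: "Allow", Principal: { Service: "codebuild.amazonaws.com" }, Action: "sts:AssumeRole" }],
};
export const trustPinned: IamPolicy = {
    Version: "2012-10-17",
    Statement: [{
        Effect: "Allow",
        Principal: { Service: "codebuild.amazonaws.com" },
        Action: "sts:AssumeRole",
        Condition: {
            StringEquals: { "aws:SourceAccount": "123456789012" },
            ArnLike: { "aws:SourceArn": "arn:aws:codebuild:us-east-1:123456789012:project/*" },
        },
    }],
};

// Run with: npx ts-node ecr-policy-lint.ts
console.log("tight:", lintEcrPushPolicy(tightPolicy, SAMPLE_REPO_ARN));   // -> []
console.log("broad:", lintEcrPushPolicy(broadPolicy, SAMPLE_REPO_ARN));   // -> 6 findings
console.log("trust:", lintTrustPolicy(trustAsWritten), lintTrustPolicy(trustPinned));
```

The linter is deliberately strict about "*" on the push actions: a wildcard there is the difference between a build that can push to its own repository and one that can overwrite any image tag in the account, which is exactly the foothold a compromised build step would want.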
