Configure AWS CodeBuild Source Credentials

The aws:codebuild/sourceCredential:SourceCredential resource, part of the Pulumi AWS provider, stores authentication credentials that CodeBuild uses to access private source repositories. This guide focuses on three authentication methods: GitHub personal access tokens, Bitbucket basic auth, and CodeStar Connection references.

Source credentials reference tokens or connection ARNs created outside CodeBuild. CodeBuild allows only one credential per server type per region; all projects in that region automatically use the stored credential. The examples are intentionally small. Combine them with your own CodeBuild projects and source repository configuration.

Authenticate with GitHub using a personal access token

Most CodeBuild projects pulling from GitHub store a personal access token that grants repository read access.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.codebuild.SourceCredential("example", {
    authType: "PERSONAL_ACCESS_TOKEN",
    serverType: "GITHUB",
    token: "example",
});

import pulumi
import pulumi_aws as aws

example = aws.codebuild.SourceCredential("example",
    auth_type="PERSONAL_ACCESS_TOKEN",
    server_type="GITHUB",
    token="example")

package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/codebuild"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := codebuild.NewSourceCredential(ctx, "example", &codebuild.SourceCredentialArgs{
			AuthType:   pulumi.String("PERSONAL_ACCESS_TOKEN"),
			ServerType: pulumi.String("GITHUB"),
			Token:      pulumi.String("example"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var example = new Aws.CodeBuild.SourceCredential("example", new()
    {
        AuthType = "PERSONAL_ACCESS_TOKEN",
        ServerType = "GITHUB",
        Token = "example",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.codebuild.SourceCredential;
import com.pulumi.aws.codebuild.SourceCredentialArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new SourceCredential("example", SourceCredentialArgs.builder()
            .authType("PERSONAL_ACCESS_TOKEN")
            .serverType("GITHUB")
            .token("example")
            .build());

    }
}

resources:
  example:
    type: aws:codebuild:SourceCredential
    properties:
      authType: PERSONAL_ACCESS_TOKEN
      serverType: GITHUB
      token: example

When you create this credential, CodeBuild projects in the same region automatically use it for GitHub sources. The authType specifies PERSONAL_ACCESS_TOKEN authentication, serverType identifies GitHub as the source provider, and token holds your GitHub personal access token. CodeBuild enforces one credential per server type per region, so this credential applies to all GitHub-based projects in the region.

Authenticate with Bitbucket using basic auth

Bitbucket Server uses username and app password combinations instead of personal access tokens.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.codebuild.SourceCredential("example", {
    authType: "BASIC_AUTH",
    serverType: "BITBUCKET",
    token: "example",
    userName: "test-user",
});

import pulumi
import pulumi_aws as aws

example = aws.codebuild.SourceCredential("example",
    auth_type="BASIC_AUTH",
    server_type="BITBUCKET",
    token="example",
    user_name="test-user")

package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/codebuild"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := codebuild.NewSourceCredential(ctx, "example", &codebuild.SourceCredentialArgs{
			AuthType:   pulumi.String("BASIC_AUTH"),
			ServerType: pulumi.String("BITBUCKET"),
			Token:      pulumi.String("example"),
			UserName:   pulumi.String("test-user"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var example = new Aws.CodeBuild.SourceCredential("example", new()
    {
        AuthType = "BASIC_AUTH",
        ServerType = "BITBUCKET",
        Token = "example",
        UserName = "test-user",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.codebuild.SourceCredential;
import com.pulumi.aws.codebuild.SourceCredentialArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new SourceCredential("example", SourceCredentialArgs.builder()
            .authType("BASIC_AUTH")
            .serverType("BITBUCKET")
            .token("example")
            .userName("test-user")
            .build());

    }
}

resources:
  example:
    type: aws:codebuild:SourceCredential
    properties:
      authType: BASIC_AUTH
      serverType: BITBUCKET
      token: example
      userName: test-user

The BASIC_AUTH authType requires both token (the Bitbucket app password) and userName properties. CodeBuild stores these credentials for projects that reference Bitbucket repositories. Like GitHub credentials, this applies region-wide to all Bitbucket-based projects.

Reference an AWS CodeStar connection

Teams using AWS CodeStar Connections can reference the connection ARN for centralized credential management.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.codebuild.SourceCredential("example", {
    authType: "CODECONNECTIONS",
    serverType: "GITHUB",
    token: "arn:aws:codestar-connections:us-east-1:123456789012:connection/guid-string",
});

import pulumi
import pulumi_aws as aws

example = aws.codebuild.SourceCredential("example",
    auth_type="CODECONNECTIONS",
    server_type="GITHUB",
    token="arn:aws:codestar-connections:us-east-1:123456789012:connection/guid-string")

package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/codebuild"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := codebuild.NewSourceCredential(ctx, "example", &codebuild.SourceCredentialArgs{
			AuthType:   pulumi.String("CODECONNECTIONS"),
			ServerType: pulumi.String("GITHUB"),
			Token:      pulumi.String("arn:aws:codestar-connections:us-east-1:123456789012:connection/guid-string"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var example = new Aws.CodeBuild.SourceCredential("example", new()
    {
        AuthType = "CODECONNECTIONS",
        ServerType = "GITHUB",
        Token = "arn:aws:codestar-connections:us-east-1:123456789012:connection/guid-string",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.codebuild.SourceCredential;
import com.pulumi.aws.codebuild.SourceCredentialArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new SourceCredential("example", SourceCredentialArgs.builder()
            .authType("CODECONNECTIONS")
            .serverType("GITHUB")
            .token("arn:aws:codestar-connections:us-east-1:123456789012:connection/guid-string")
            .build());

    }
}

resources:
  example:
    type: aws:codebuild:SourceCredential
    properties:
      authType: CODECONNECTIONS
      serverType: GITHUB
      token: arn:aws:codestar-connections:us-east-1:123456789012:connection/guid-string

The CODECONNECTIONS authType treats the token property as a CodeStar Connection ARN rather than a raw credential. This approach centralizes authentication across AWS services. CodeBuild resolves the connection at runtime when projects pull source code.

Beyond these examples

These snippets focus on specific source credential features: GitHub and Bitbucket authentication, and CodeStar Connection integration. They’re intentionally minimal rather than complete CI/CD pipelines.

The examples reference pre-existing infrastructure such as GitHub personal access tokens or Bitbucket app passwords, and AWS CodeStar Connections for CODECONNECTIONS auth. They focus on storing credentials rather than creating the underlying tokens or connections.

To keep things focused, credential patterns are omitted, including:

  • Secrets Manager integration (authType SECRETS_MANAGER)
  • GitHub Enterprise Server configuration
  • Credential rotation and lifecycle management

These omissions are intentional: the goal is to illustrate how each authentication method is wired, not provide drop-in credential management modules. See the CodeBuild SourceCredential resource reference for all available configuration options.

Let's configure AWS CodeBuild Source Credentials

Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.

Try Pulumi Cloud for FREE

Frequently Asked Questions

Resource Limitations & Behavior
Why can I only have one credential per source provider in a region?
CodeBuild allows only a single credential per server type (like GITHUB or BITBUCKET) in a given region. When you define a SourceCredential, all Project resources in the same module will automatically use it.
Can I use OAuth authentication with CodeBuild source credentials?
No, OAuth connections are not supported by the CodeBuild API. Use PERSONAL_ACCESS_TOKEN, BASIC_AUTH, CODECONNECTIONS, or SECRETS_MANAGER instead.
Authentication Configuration
What authentication types are supported?
CodeBuild supports four authentication types via the authType property: BASIC_AUTH, PERSONAL_ACCESS_TOKEN, CODECONNECTIONS, and SECRETS_MANAGER.
What should I put in the token field?

The token value depends on your authentication type:

  • GitHub/GitHub Enterprise: Personal access token
  • Bitbucket: App password
  • CodeStar Connection: CodeStar Connection ARN (when authType is CODECONNECTIONS)
When do I need to provide a username?
The userName parameter is required only for Bitbucket when using BASIC_AUTH. It’s not valid for other source providers or authentication types.
How do I authenticate with GitHub using a personal access token?
Set authType to PERSONAL_ACCESS_TOKEN, serverType to GITHUB, and token to your GitHub personal access token.
How do I authenticate with Bitbucket using basic authentication?
Set authType to BASIC_AUTH, serverType to BITBUCKET, token to your Bitbucket app password, and userName to your Bitbucket username.
How do I use AWS CodeStar Connections for source authentication?
Set authType to CODECONNECTIONS, serverType to GITHUB, and token to your CodeStar Connection ARN (format: arn:aws:codestar-connections:region:account:connection/guid).
Immutability & Updates
What properties can't be changed after creation?
The following properties are immutable and require resource replacement if changed: authType, serverType, token, and userName.

Using a different cloud?

Explore integration guides for other cloud providers:

Azure Guides GCP Guides