Configure AWS CodeBuild Source Credentials

The aws:codebuild/sourceCredential:SourceCredential resource, part of the Pulumi AWS provider, stores authentication credentials that CodeBuild uses to access source repositories. This guide focuses on three authentication methods: GitHub personal access tokens, Bitbucket basic auth, and AWS CodeStar Connection references.

CodeBuild enforces one credential per server type per region. When you create a source credential, any CodeBuild project in that region automatically uses it when accessing matching repository types. The examples are intentionally small. Combine them with your own CodeBuild projects and repository configurations.

Authenticate with GitHub using a personal access token

Most GitHub integrations store a personal access token that grants repository access.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.codebuild.SourceCredential("example", {
    authType: "PERSONAL_ACCESS_TOKEN",
    serverType: "GITHUB",
    token: "example",
});

import pulumi
import pulumi_aws as aws

example = aws.codebuild.SourceCredential("example",
    auth_type="PERSONAL_ACCESS_TOKEN",
    server_type="GITHUB",
    token="example")

package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/codebuild"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := codebuild.NewSourceCredential(ctx, "example", &codebuild.SourceCredentialArgs{
			AuthType:   pulumi.String("PERSONAL_ACCESS_TOKEN"),
			ServerType: pulumi.String("GITHUB"),
			Token:      pulumi.String("example"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var example = new Aws.CodeBuild.SourceCredential("example", new()
    {
        AuthType = "PERSONAL_ACCESS_TOKEN",
        ServerType = "GITHUB",
        Token = "example",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.codebuild.SourceCredential;
import com.pulumi.aws.codebuild.SourceCredentialArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new SourceCredential("example", SourceCredentialArgs.builder()
            .authType("PERSONAL_ACCESS_TOKEN")
            .serverType("GITHUB")
            .token("example")
            .build());

    }
}

resources:
  example:
    type: aws:codebuild:SourceCredential
    properties:
      authType: PERSONAL_ACCESS_TOKEN
      serverType: GITHUB
      token: example

The authType property specifies PERSONAL_ACCESS_TOKEN for GitHub. The serverType identifies the source provider. The token contains your GitHub personal access token with appropriate repository scopes. CodeBuild projects in this region automatically use this credential when cloning GitHub repositories.

Authenticate with Bitbucket using basic auth

Bitbucket Server requires username and app password combinations.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.codebuild.SourceCredential("example", {
    authType: "BASIC_AUTH",
    serverType: "BITBUCKET",
    token: "example",
    userName: "test-user",
});

import pulumi
import pulumi_aws as aws

example = aws.codebuild.SourceCredential("example",
    auth_type="BASIC_AUTH",
    server_type="BITBUCKET",
    token="example",
    user_name="test-user")

package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/codebuild"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := codebuild.NewSourceCredential(ctx, "example", &codebuild.SourceCredentialArgs{
			AuthType:   pulumi.String("BASIC_AUTH"),
			ServerType: pulumi.String("BITBUCKET"),
			Token:      pulumi.String("example"),
			UserName:   pulumi.String("test-user"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var example = new Aws.CodeBuild.SourceCredential("example", new()
    {
        AuthType = "BASIC_AUTH",
        ServerType = "BITBUCKET",
        Token = "example",
        UserName = "test-user",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.codebuild.SourceCredential;
import com.pulumi.aws.codebuild.SourceCredentialArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new SourceCredential("example", SourceCredentialArgs.builder()
            .authType("BASIC_AUTH")
            .serverType("BITBUCKET")
            .token("example")
            .userName("test-user")
            .build());

    }
}

resources:
  example:
    type: aws:codebuild:SourceCredential
    properties:
      authType: BASIC_AUTH
      serverType: BITBUCKET
      token: example
      userName: test-user

The authType switches to BASIC_AUTH for Bitbucket. The userName property holds your Bitbucket username. The token contains the app password, not your account password. This authentication method is specific to Bitbucket; other providers don’t use the userName property.

Reference an AWS CodeStar Connection

Teams using CodeStar Connections can reference the connection ARN instead of managing tokens.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.codebuild.SourceCredential("example", {
    authType: "CODECONNECTIONS",
    serverType: "GITHUB",
    token: "arn:aws:codestar-connections:us-east-1:123456789012:connection/guid-string",
});

import pulumi
import pulumi_aws as aws

example = aws.codebuild.SourceCredential("example",
    auth_type="CODECONNECTIONS",
    server_type="GITHUB",
    token="arn:aws:codestar-connections:us-east-1:123456789012:connection/guid-string")

package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/codebuild"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := codebuild.NewSourceCredential(ctx, "example", &codebuild.SourceCredentialArgs{
			AuthType:   pulumi.String("CODECONNECTIONS"),
			ServerType: pulumi.String("GITHUB"),
			Token:      pulumi.String("arn:aws:codestar-connections:us-east-1:123456789012:connection/guid-string"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var example = new Aws.CodeBuild.SourceCredential("example", new()
    {
        AuthType = "CODECONNECTIONS",
        ServerType = "GITHUB",
        Token = "arn:aws:codestar-connections:us-east-1:123456789012:connection/guid-string",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.codebuild.SourceCredential;
import com.pulumi.aws.codebuild.SourceCredentialArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new SourceCredential("example", SourceCredentialArgs.builder()
            .authType("CODECONNECTIONS")
            .serverType("GITHUB")
            .token("arn:aws:codestar-connections:us-east-1:123456789012:connection/guid-string")
            .build());

    }
}

resources:
  example:
    type: aws:codebuild:SourceCredential
    properties:
      authType: CODECONNECTIONS
      serverType: GITHUB
      token: arn:aws:codestar-connections:us-east-1:123456789012:connection/guid-string

The authType becomes CODECONNECTIONS to delegate authentication to AWS CodeStar. The token property holds the connection ARN rather than an actual token. You must create and approve the CodeStar Connection in the GitHub UI before CodeBuild can use it.

Beyond these examples

These snippets focus on specific credential storage features: GitHub and Bitbucket authentication methods, and CodeStar Connection integration. They’re intentionally minimal rather than complete CI/CD configurations.

The examples assume pre-existing infrastructure such as GitHub personal access tokens or Bitbucket app passwords, and AWS CodeStar Connections for CODECONNECTIONS auth. They focus on storing credentials rather than building complete build pipelines.

To keep things focused, credential patterns are omitted, including:

  • Secrets Manager integration (SECRETS_MANAGER auth type)
  • GitHub Enterprise Server configuration
  • Credential rotation and lifecycle management
  • Multiple credentials across regions

These omissions are intentional: the goal is to illustrate how each authentication method is wired, not provide drop-in CI/CD modules. See the CodeBuild SourceCredential resource reference for all available configuration options.

Let's configure AWS CodeBuild Source Credentials

Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.

Try Pulumi Cloud for FREE

Frequently Asked Questions

Limitations & Constraints
Can I create multiple credentials for the same source provider in one region?
No. CodeBuild only allows a single credential per server type (e.g., GITHUB) in a given region. When you define a SourceCredential, all Project resources in the same module will automatically use it.
Why can't I use OAUTH authentication?
OAUTH connections are not supported by the CodeBuild API. Use PERSONAL_ACCESS_TOKEN, BASIC_AUTH, CODECONNECTIONS, or SECRETS_MANAGER instead.
Authentication Configuration
What authentication types are supported?
CodeBuild supports four authentication types: BASIC_AUTH (Bitbucket username/password), PERSONAL_ACCESS_TOKEN (GitHub/GitHub Enterprise), CODECONNECTIONS (AWS CodeStar Connections), and SECRETS_MANAGER. OAUTH is not supported.
What should I use for the token field?

The token field varies by authentication type:

  • GitHub/GitHub Enterprise: Personal access token
  • Bitbucket: App password
  • CodeStar Connection: CodeStar Connection ARN (e.g., arn:aws:codestar-connections:us-east-1:123456789012:connection/guid-string)
When do I need to provide a userName?
Only when using Bitbucket with BASIC_AUTH. The userName parameter is not valid for other source providers or authentication types.
Immutability & Updates
What properties can't be changed after creation?
The authType, serverType, token, and userName properties are all immutable. Changing any of these requires replacing the resource.

Using a different cloud?

Explore integration guides for other cloud providers:

Azure Guides GCP Guides