Fix: CodeBuild Runner IAM Service Role Permission Errors
CodeBuild runs under an IAM service role you own. When a build fails on permissions, the role is usually missing one scoped action.
According to AWS CodeBuild docs, a CodeBuild project runs under an IAM service role, and that role needs the right permissions to log output, store artifacts, read secrets, and (for deployment protection) read GitHub state. This page covers the permission errors specific to CodeBuild-hosted GitHub Actions runners.
The service role is yours to scope
According to AWS docs, CodeBuild uses an IAM service role to act on your behalf, needing permissions for services it touches such as CloudWatch Logs for build output and Amazon S3 for artifacts. A build that starts but fails writing logs or artifacts usually points at a missing action on this role.
GitHub Enterprise Server needs secret access
According to AWS guidance, when connecting to GitHub Enterprise Server using a stored secret, the CodeBuild service role needs GetSecretValue permission to read the authentication secret from Secrets Manager. Without it, the connection to your GHES instance fails.
Deployment protection rules need read on deployments and actions
According to AWS docs, when your GitHub Actions use deployment protection rules, CodeBuild fetches the associated deployment and environment to verify approval. If it cannot fetch either, the build may be triggered prematurely. AWS advises verifying that the credentials associated with your CodeBuild project have read permissions for deployments and actions within GitHub.
VPC-related EC2 permissions
According to AWS docs, if the project runs in a VPC and the role lacks the needed EC2 permissions, you can see an Unexpected EC2 error: UnauthorizedOperation. That is a VPC-plus-IAM issue; see the VPC networking page for the full network side.