Skip to content
Latchkey

Fix: CodeBuild Runner IAM Service Role Permission Errors

CodeBuild runs under an IAM service role you own. When a build fails on permissions, the role is usually missing one scoped action.

According to AWS CodeBuild docs, a CodeBuild project runs under an IAM service role, and that role needs the right permissions to log output, store artifacts, read secrets, and (for deployment protection) read GitHub state. This page covers the permission errors specific to CodeBuild-hosted GitHub Actions runners.

The service role is yours to scope

According to AWS docs, CodeBuild uses an IAM service role to act on your behalf, needing permissions for services it touches such as CloudWatch Logs for build output and Amazon S3 for artifacts. A build that starts but fails writing logs or artifacts usually points at a missing action on this role.

GitHub Enterprise Server needs secret access

According to AWS guidance, when connecting to GitHub Enterprise Server using a stored secret, the CodeBuild service role needs GetSecretValue permission to read the authentication secret from Secrets Manager. Without it, the connection to your GHES instance fails.

Deployment protection rules need read on deployments and actions

According to AWS docs, when your GitHub Actions use deployment protection rules, CodeBuild fetches the associated deployment and environment to verify approval. If it cannot fetch either, the build may be triggered prematurely. AWS advises verifying that the credentials associated with your CodeBuild project have read permissions for deployments and actions within GitHub.

VPC-related EC2 permissions

According to AWS docs, if the project runs in a VPC and the role lacks the needed EC2 permissions, you can see an Unexpected EC2 error: UnauthorizedOperation. That is a VPC-plus-IAM issue; see the VPC networking page for the full network side.

Frequently asked questions

Why do deployment-gated jobs run before approval on CodeBuild?
According to AWS docs, CodeBuild checks the deployment and environment for approval, and if it cannot read them the build can trigger early. Grant the CodeBuild credentials read permissions for deployments and actions in GitHub.
Where can I verify these CodeBuild details?
These points come from AWS CodeBuild docs and the AWS CodeBuild pricing page (reviewed 2026-07-02). AWS pricing varies by Region and compute type and changes over time, so verify current rates and free-tier terms on the AWS pricing page before you budget. Primary sources: AWS CodeBuild docs, "Configure a CodeBuild-hosted GitHub Actions runner": https://docs.aws.amazon.com/codebuild/latest/userguide/action-runner.html | AWS CodeBuild docs, "Troubleshoot the webhook": https://docs.aws.amazon.com/codebuild/latest/userguide/action-runner-troubleshoot-webhook.html | AWS CodeBuild docs, "Compute images supported with the CodeBuild-hosted GitHub Actions runner": https://docs.aws.amazon.com/codebuild/latest/userguide/sample-github-action-runners-update-yaml.images.html | AWS CodeBuild pricing: https://aws.amazon.com/codebuild/pricing/ | AWS CodeBuild docs, "Quotas for AWS CodeBuild": https://docs.aws.amazon.com/codebuild/latest/userguide/limits.html

Related guides

See what you would save - Latchkey managed runners with self-healing. Start free →