Fix: CodeBuild Runner Credentials, OIDC, and Token Expiry
Two credential surfaces trip up CodeBuild runners: how CodeBuild authenticates to GitHub, and the one-hour runner-token expiry during long setup phases.
According to AWS CodeBuild docs, CodeBuild-hosted runners involve two separate credential concerns: connecting CodeBuild to GitHub, and the short-lived runner registration token used to bring up the ephemeral runner. This page covers both, plus how AWS access differs from GitHub OIDC on self-hosted runners.
Connecting CodeBuild to GitHub
According to AWS docs, CodeBuild connects to GitHub using a personal access token, a Secrets Manager secret, an OAuth app, or a GitHub App. OAuth connections must be configured in the CodeBuild console. A failed or expired connection means the webhook cannot start builds, so re-check the connection first when nothing triggers.
The one-hour runner-token expiry
According to AWS docs, when you use buildspec-override:true, CodeBuild fetches the runner token during the DOWNLOAD_SOURCE phase, and that token expires after one hour. If your INSTALL or PRE_BUILD phases run longer than an hour, the token can expire before the GitHub self-hosted runner starts, so keep pre-runner setup short or move heavy setup into workflow steps.
Buildspec-override failure semantics
According to AWS docs, with buildspec-override:true a command failure in the PRE_BUILD or INSTALL phase means CodeBuild will not start the self-hosted runner, and the GitHub Actions workflow job must then be cancelled manually. Watch those phases when a job hangs with an override enabled.
AWS credentials vs GitHub OIDC
Because a CodeBuild runner build runs under the CodeBuild IAM service role, jobs can use that role for AWS access instead of GitHub OIDC federation. According to AWS docs, this is a strength for AWS-native pipelines, but it means AWS access is governed by the CodeBuild role you scope, not by an OIDC trust policy. If you were relying on GitHub OIDC to assume an AWS role, confirm which credential path your steps actually use on CodeBuild.
The managed contrast
Fully-managed runners like Latchkey do not require you to manage a CodeBuild-to-GitHub connection or a runner registration token; the platform handles runner registration. For AWS access you would still use your normal GitHub OIDC or secrets, since Latchkey is not AWS-native.