Skip to content
Latchkey

Fix: CodeBuild Runner Credentials, OIDC, and Token Expiry

Two credential surfaces trip up CodeBuild runners: how CodeBuild authenticates to GitHub, and the one-hour runner-token expiry during long setup phases.

According to AWS CodeBuild docs, CodeBuild-hosted runners involve two separate credential concerns: connecting CodeBuild to GitHub, and the short-lived runner registration token used to bring up the ephemeral runner. This page covers both, plus how AWS access differs from GitHub OIDC on self-hosted runners.

Connecting CodeBuild to GitHub

According to AWS docs, CodeBuild connects to GitHub using a personal access token, a Secrets Manager secret, an OAuth app, or a GitHub App. OAuth connections must be configured in the CodeBuild console. A failed or expired connection means the webhook cannot start builds, so re-check the connection first when nothing triggers.

The one-hour runner-token expiry

According to AWS docs, when you use buildspec-override:true, CodeBuild fetches the runner token during the DOWNLOAD_SOURCE phase, and that token expires after one hour. If your INSTALL or PRE_BUILD phases run longer than an hour, the token can expire before the GitHub self-hosted runner starts, so keep pre-runner setup short or move heavy setup into workflow steps.

Buildspec-override failure semantics

According to AWS docs, with buildspec-override:true a command failure in the PRE_BUILD or INSTALL phase means CodeBuild will not start the self-hosted runner, and the GitHub Actions workflow job must then be cancelled manually. Watch those phases when a job hangs with an override enabled.

AWS credentials vs GitHub OIDC

Because a CodeBuild runner build runs under the CodeBuild IAM service role, jobs can use that role for AWS access instead of GitHub OIDC federation. According to AWS docs, this is a strength for AWS-native pipelines, but it means AWS access is governed by the CodeBuild role you scope, not by an OIDC trust policy. If you were relying on GitHub OIDC to assume an AWS role, confirm which credential path your steps actually use on CodeBuild.

The managed contrast

Fully-managed runners like Latchkey do not require you to manage a CodeBuild-to-GitHub connection or a runner registration token; the platform handles runner registration. For AWS access you would still use your normal GitHub OIDC or secrets, since Latchkey is not AWS-native.

Frequently asked questions

Why does my CodeBuild runner never come up after a long install step?
According to AWS docs, with buildspec-override:true the runner token is fetched in DOWNLOAD_SOURCE and expires after one hour, so an INSTALL or PRE_BUILD phase longer than an hour can expire it before the runner starts. Shorten pre-runner setup or move it into workflow steps.
Where can I verify these CodeBuild details?
These points come from AWS CodeBuild docs and the AWS CodeBuild pricing page (reviewed 2026-07-02). AWS pricing varies by Region and compute type and changes over time, so verify current rates and free-tier terms on the AWS pricing page before you budget. Primary sources: AWS CodeBuild docs, "Configure a CodeBuild-hosted GitHub Actions runner": https://docs.aws.amazon.com/codebuild/latest/userguide/action-runner.html | AWS CodeBuild docs, "Troubleshoot the webhook": https://docs.aws.amazon.com/codebuild/latest/userguide/action-runner-troubleshoot-webhook.html | AWS CodeBuild docs, "Compute images supported with the CodeBuild-hosted GitHub Actions runner": https://docs.aws.amazon.com/codebuild/latest/userguide/sample-github-action-runners-update-yaml.images.html | AWS CodeBuild pricing: https://aws.amazon.com/codebuild/pricing/ | AWS CodeBuild docs, "Quotas for AWS CodeBuild": https://docs.aws.amazon.com/codebuild/latest/userguide/limits.html

Related guides

See what you would save - Latchkey managed runners with self-healing. Start free →