When I first started learning AWS CI/CD, I was confused about what actually happens after a GitHub push.
Does CodePipeline build the code?
Where does the build run?
How does CodeBuild get permission to access AWS resources?
After working through it, this is the flow I understood.
The Complete Flow
GitHub Push
↓
CodePipeline
↓
CodeBuild
↓
Temporary Build Container
↓
Runs buildspec.yml
↓
Accesses AWS Services
Many beginners assume CodePipeline performs the build itself.
It doesn't.
CodePipeline acts as an orchestrator.
Its job is to define the stages of the pipeline and trigger the appropriate services.
For example:
Source Stage (GitHub)
↓
Build Stage (CodeBuild)
↓
Deploy Stage
When code is pushed to GitHub, CodePipeline detects the change and tells CodeBuild:
Start the build process.
At this point, CodeBuild takes over.
Once CodeBuild starts, AWS creates a temporary build environment.
When creating a CodeBuild project, you choose a build image such as:
Standard Linux image
Ubuntu image
Amazon Linux image
Custom Docker image
Examples:
aws/codebuild/standard:7.0
aws/codebuild/amazonlinux-x86_64-standard:5.0
AWS launches a temporary container using the selected image.
Inside that container, common development tools are already installed, such as:
Git, Docker, Node, Java, Python, AWS CLI
Depending on the image, additional tools may also be available.
After the container starts, CodeBuild looks for the buildspec.yml file.
This file contains the instructions for the build process.
Example:
version: 0.2
phases:
  install:
    commands:
      - npm install
  build:
    commands:
      - npm run build
CodeBuild executes these commands inside the temporary container.
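To make the structure of that file concrete, here is an added example (not code from the post or from AWS) that parses the small YAML subset a buildspec uses and lays out the commands in the order CodeBuild runs them. It assumes only the Python standard library; the sample buildspec is constructed inline and deliberately lists the build phase before the install phase to show that phase order is fixed (install, pre_build, build, post_build) regardless of how the file is written.

```python
PHASE_ORDER = ("install", "pre_build", "build", "post_build")

# Constructed sample: "build" is written first, yet "install" still runs first.
SAMPLE_BUILDSPEC = """\
version: 0.2
phases:
  build:
    commands:
      - npm run build
  install:
    commands:
      - npm install
"""


def parse_buildspec(text):
    """Parse the YAML subset buildspec files use: nested mappings and lists of
    scalars with two-space indentation. Not a general YAML parser; in a real
    project you would use yaml.safe_load and feed the result to execution_plan."""
    root = {}
    # Stack of (indent, holder, key): holder[key] is the node that deeper lines
    # attach to. None means the node's type (mapping or list) is not known yet.
    stack = [(-1, {"root": root}, "root")]
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        while stack[-1][0] >= indent:
            stack.pop()
        holder, key = stack[-1][1], stack[-1][2]
        if line.startswith("- "):
            if holder[key] is None:
                holder[key] = []
            holder[key].append(line[2:].strip())
        else:
            if holder[key] is None:
                holder[key] = {}
            k, _, v = line.partition(":")
            k, v = k.strip(), v.strip()
            holder[key][k] = v if v else None
            stack.append((indent, holder[key], k))
    return root


def execution_plan(spec):
    """Return [(phase, command), ...] in the order CodeBuild executes them,
    after checking the parts of the file that CodeBuild itself requires."""
    if str(spec.get("version")) != "0.2":
        raise ValueError("unsupported buildspec version")
    phases = spec.get("phases") or {}
    unknown = set(phases) - set(PHASE_ORDER)
    if unknown:
        raise ValueError(f"unknown phase(s): {sorted(unknown)}")
    plan = []
    for name in PHASE_ORDER:
        phase = phases.get(name)
        if not phase:
            continue
        commands = phase.get("commands")
        if not isinstance(commands, list):
            raise ValueError(f"phase {name!r} needs a 'commands' list")
        plan.extend((name, command) for command in commands)
    return plan


if __name__ == "__main__":
    for phase, command in execution_plan(parse_buildspec(SAMPLE_BUILDSPEC)):
        print(f"[{phase}] {command}")
```

Running it prints the install command before the build command even though the file lists them the other way round; a misspelled phase name is rejected instead of silently skipped.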
This was the part that confused me the most.
The build container itself has no permissions.
Instead, AWS attaches an IAM Service Role to the CodeBuild project.
The flow looks like this:
CodeBuild Project
↓
IAM Service Role
↓
AssumeRole
↓
Temporary AWS Credentials
During the build, AWS automatically provides temporary credentials based on that role.
Because of this, commands such as:
aws s3 cp file.txt s3://mybucket
or
aws ecr get-login-password
can access AWS resources.
The permissions depend entirely on what is allowed in the IAM role attached to the CodeBuild project.
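Because the role's policy is the only thing deciding what those commands may do, it is worth seeing that decision made explicitly. The following is an added example, not code from the post or from AWS: a deliberately simplified evaluator for an identity policy (explicit Deny wins, then any matching Allow, otherwise implicit deny; conditions, NotAction, permission boundaries, SCPs and resource-based policies are out of scope). The policy, the bucket name and the mapping from the two CLI commands in the post to their IAM actions are all constructed for the example; `aws s3 cp file.txt s3://mybucket` needs `s3:PutObject` on the object key `file.txt`, and `aws ecr get-login-password` needs `ecr:GetAuthorizationToken`, which only accepts the `*` resource.

```python
import re

# Constructed policy for the CodeBuild service role: just what the two
# commands from the post need, scoped to one bucket, plus an explicit Deny
# that keeps the build away from a "secrets/" prefix in that bucket.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": "arn:aws:s3:::mybucket/*"},
        {"Effect": "Allow",
         "Action": "ecr:GetAuthorizationToken",
         "Resource": "*"},
        {"Effect": "Deny",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::mybucket/secrets/*"},
    ],
}

# Build commands (constructed) and the IAM action/resource each one requires.
BUILD_STEPS = {
    "aws s3 cp file.txt s3://mybucket": ("s3:PutObject", "arn:aws:s3:::mybucket/file.txt"),
    "aws ecr get-login-password": ("ecr:GetAuthorizationToken", "*"),
    "aws s3 cp s3://mybucket/secrets/key.pem .": ("s3:GetObject", "arn:aws:s3:::mybucket/secrets/key.pem"),
    "aws s3 cp file.txt s3://otherbucket": ("s3:PutObject", "arn:aws:s3:::otherbucket/file.txt"),
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, ignore_case):
    # IAM wildcards: '*' is any run of characters, '?' exactly one character.
    # Action names are case-insensitive; resource ARNs are matched as written.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation: explicit Deny always wins,
    otherwise any matching Allow grants, otherwise the request is denied."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action, True) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(r, resource, False) for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def check_build_steps(policy=ROLE_POLICY, steps=BUILD_STEPS):
    """Map each build command to the decision the role's policy would produce."""
    return {cmd: is_allowed(policy, action, resource)
            for cmd, (action, resource) in steps.items()}


if __name__ == "__main__":
    for cmd, ok in check_build_steps().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {cmd}")
```

The two commands from the post are allowed, the copy to a different bucket is refused because nothing in the policy mentions it, and the read under `secrets/` is refused even though the first statement would allow it, since the Deny takes precedence. That is the practical meaning of "the permissions depend entirely on the IAM role": the temporary credentials the container receives carry exactly this policy and nothing more.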