Enable additional IAM policies for pipeline's "build" stage

[danieloldberg]

Is there a way to add additional policies to copilot roles?
I currently have a need to add IAM policy to enable codebuild role to pull down from CodeArtifact.
Tried to find something in the docs but couldn't find anything.

[efekarakus]

Heya @danieloldberg !

Hmm that's interesting, that'd be a new feature requests for us to enable additional policies to the build stage.

We have a way of adding additional IAM policies to the Task Role through the additional AWS resources feature: https://aws.github.io/copilot-cli/docs/developing/additional-aws-resources/ but that doesn't seem to be what you're asking for.

[sekamaneka]

I also need to pull something from an existing S3 bucket in the codebuild stage. I didn't find a way to do that. Adding IAM policies would help me very much!

[davivcgarcia]

I was also looking for this! My use case is to have the Build stage (CodeBuild) to get values from SSM/ParameterStore or SecretsManager, and for that I need to have specific IAM permissions added to CodeBuild, such as ssm:GetParameters or secretsmanager:GetSecretValue.

[gautam-nutalapati]

I was also looking for this! My use case is to have the Build stage (CodeBuild) to get values from SSM/ParameterStore or SecretsManager, and for that I need to have specific IAM permissions added to CodeBuild, such as ssm:GetParameters or secretsmanager:GetSecretValue.

Same here, we need this feature to get docker credentials stored as secrets in build pipeline. Driving force behind this is 'rate limiting implemented by docker hub'
Update: In case it's useful for anyone else, We ended up using SSM to store secrets for now. As copilot BuildProjectRole contains SSM READ permissions, it works perfectly.

[gautam-nutalapati]

Related #2755

[Lou1415926]

Closing this because #3709 resovles this!