CodeBuild buildspec reports — Not authorized to perform: codebuild:CreateReportGroup

[mikestopcontinues]

I'm working on adding test reporting to my pipeline, but I'm getting an error using CodeBuild's Report Groups functionality. According to the docs, non-existent report groups are supposed to be created on the fly, but as you'll see, the privileges granted by CDK don't allow it.

Reproduction Steps

Here's the relevant section from buildspec.yml:

reports:
  arc-test-reports:
    file-format: JunitXml
    base-directory: .test
    files:
      - .test/junit.xml

My CDK code is nothing special:

  stack.pipeline.addStage({
    stageName: 'Build',
    actions: [
      new CodeBuildAction({
        actionName: 'StackBuild',
        project: new PipelineProject(stack, 'DevStackBuild', {
          environment: {buildImage: LinuxBuildImage.AMAZON_LINUX_2_2},
          environmentVariables, // set elsewhere
          buildSpec: BuildSpec.fromSourceFilename('./infra/cdk/buildspec/stackBuild.yml'),
        }),
        input: stack.sourceArtifact,
        outputs: [stack.stackBuildArtifact],
      }),
    ],
  });

Error Log

CLIENT_ERROR: Error in UPLOAD_ARTIFACTS phase: [arc-test-reports: [error creating report group: AccessDeniedException: User: arn:aws:sts::215531866295:assumed-role/DevPipelineStack-DevStackBuildRole50F734AC-18GNOX97SSN7J/AWSCodeBuild-71e36eb0-07f4-4ed4-ae92-fc073405aaf2 is not authorized to perform: codebuild:CreateReportGroup on resource: arn:aws:codebuild:us-east-1:215531866295:report-group/DevStackBuildA1918915-iukT8k2ixC7W-arc-test-reports status code: 400, request id: b276f144-3697-409a-be20-c2af80de4c54]]

Environment

• CLI Version : 1.32.2
• Framework Version: 1.32.2
• Language : JavaScript

---

This is 🐛 Bug Report

[skinny85]

Hey @mikestopcontinues ,

I assume you need some extra permissions because of artifact uploads.

Try something like:

project.addToRolePolicy(new iam.PolicyStatement({
  actions: ['codebuild:CreateReportGroup'],
  resources: ['*'],
}));

maybe?

[mikestopcontinues]

Hey @skinny85 ,

Thanks! I solved it by creating the group with CfnReportGroup, but I genuinely think it's a bug, because it's a built-in buildspec feature. Shouldn't it be supported by default?

[mikestopcontinues]

Actually, creating a CfnReportGroup didn't work. :) I circled back, and this got it working:

  project.addToRolePolicy(new PolicyStatement({
    actions: [
      'codebuild:CreateReportGroup',
      'codebuild:CreateReport',
      'codebuild:BatchPutTestCases',
      'codebuild:UpdateReport',
    ],
    resources: ['*'],
  }));

[skinny85]

It would be awesome if we could do that automatically, but the problem is the buildspec file can be part of the source of the CodeBuild Project. So there's no way for us to analyze that, figure out you have this inside:

reports:
  arc-test-reports:
    file-format: JunitXml
    base-directory: .test
    files:
      - .test/junit.xml

and add that permission automatically.

I guess we could just always add that permission, to any CodeBuild project, if you ever do decide to use test reports...

[mikestopcontinues]

I see how it's a violation of least privilege. Have you implemented any similar workarounds? What about an .addReportSupport() method? I hesitate to offer a PR on any front, given how much I don't know in this area, but I would be happy to add a docs PR if you don't want to go with any code-based solution.

[skinny85]

I'm working on this right now... let's see what I come up with :).