How AWS CodePipeline and CodeBuild Work Behind the Scenes

When I first started learning AWS CI/CD, I was confused about what actually happens after a GitHub push.

Does CodePipeline build the code?

Where does the build run?

How does CodeBuild get permission to access AWS resources?

After working through it, this is the flow I understood.

The Complete Flow

GitHub Push
    ↓
CodePipeline
    ↓
CodeBuild
    ↓
Temporary Build Container
    ↓
Runs buildspec.yml
    ↓
Accesses AWS Services

1. CodePipeline Invokes CodeBuild

Many beginners assume CodePipeline performs the build itself.

It doesn't.

CodePipeline acts as an orchestrator.

Its job is to define the stages of the pipeline and trigger the appropriate services.

For example:

Source Stage (GitHub)
        ↓
Build Stage (CodeBuild)
        ↓
Deploy Stage

When code is pushed to GitHub, CodePipeline detects the change and tells CodeBuild:

Start the build process.

At this point, CodeBuild takes over.

2. AWS Provides the Build Environment

Once CodeBuild starts, AWS creates a temporary build environment.

When creating a CodeBuild project, you choose a build image such as:

  • Standard Linux image

  • Ubuntu image

  • Amazon Linux image

  • Custom Docker image

Examples:

aws/codebuild/standard:7.0
aws/codebuild/amazonlinux-x86_64-standard:5.0

AWS launches a temporary container using the selected image.

Inside that container, common development tools are already installed, such as:

Git, Docker, Node, Java, Python, AWS CLI

Depending on the image, additional tools may also be available.

3. CodeBuild Executes buildspec.yml

After the container starts, CodeBuild looks for the buildspec.yml file.

This file contains the instructions for the build process.

Example:

version: 0.2

phases:
  install:
    commands:
      - npm install
  build:
    commands:
      - npm run build

CodeBuild executes these commands inside the temporary container.

4. How CodeBuild Gets Permission to Access AWS Resources

This was the part that confused me the most.

The build container itself has no permissions.

Instead, AWS attaches an IAM Service Role to the CodeBuild project.

The flow looks like this:

CodeBuild Project
        ↓
IAM Service Role
        ↓
AssumeRole
        ↓
Temporary AWS Credentials

During the build, AWS automatically provides temporary credentials based on that role.

Because of this, commands such as:

aws s3 cp file.txt s3://mybucket

or

aws ecr get-login-password

can access AWS resources.

The permissions depend entirely on what is allowed in the IAM role attached to the CodeBuild project.
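That last point, that a build can do exactly what the service role allows and nothing more, is easier to reason about in concrete form. The following is an added Python example, not code from this post or from AWS: it writes the service role's trust policy and two permission policies as dicts, one that grants everything and one scoped to the two CLI commands shown above, and a small checker that flags wildcard grants and reports which required actions a policy fails to cover. The account id, region, project name and bucket name are placeholders, and the mapping from each command to the IAM action it needs is constructed for this example.

```python
import fnmatch
import json

# Hypothetical placeholders; replace with your own account id, region and project name.
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
PROJECT = "my-build-project"

# Constructed mapping: the two CLI calls the post shows running inside the
# build container, and the IAM action each one needs the service role to allow.
BUILD_COMMANDS = {
    "aws s3 cp file.txt s3://mybucket": "s3:PutObject",
    "aws ecr get-login-password": "ecr:GetAuthorizationToken",
}

# Actions that IAM only evaluates against Resource "*"; a "*" there is not over-broad.
RESOURCE_LESS_ACTIONS = {"ecr:GetAuthorizationToken"}


def trust_policy() -> dict:
    """Who may assume the role: only the CodeBuild service, and only on behalf of
    one project in this account (aws:SourceAccount / aws:SourceArn conditions)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "codebuild.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": ACCOUNT_ID},
                "ArnLike": {"aws:SourceArn":
                            f"arn:aws:codebuild:{REGION}:{ACCOUNT_ID}:project/{PROJECT}"},
            },
        }],
    }


def broad_policy() -> dict:
    """The weak setting: every build command can call every API on every resource."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def scoped_policy() -> dict:
    """Least-privilege counterpart: just the actions the buildspec commands need,
    on the narrowest resource each action accepts, plus the project's own log group."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:PutObject"],
             "Resource": "arn:aws:s3:::mybucket/*"},
            {"Effect": "Allow", "Action": ["ecr:GetAuthorizationToken"],
             "Resource": "*"},
            {"Effect": "Allow",
             "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
             "Resource": f"arn:aws:logs:{REGION}:{ACCOUNT_ID}:log-group:/aws/codebuild/{PROJECT}:*"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def find_broad_grants(policy: dict) -> list:
    """Return (action, resource) pairs that are wildcard actions, or resource-scopable
    actions paired with Resource "*". An empty list means nothing over-broad was found."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                wildcard_action = action == "*" or action.endswith(":*")
                wildcard_resource = resource == "*" and action not in RESOURCE_LESS_ACTIONS
                if wildcard_action or wildcard_resource:
                    findings.append((action, resource))
    return findings


def missing_actions(policy: dict) -> list:
    """Actions required by BUILD_COMMANDS that no Allow statement grants (wildcards count)."""
    granted = [a for stmt in policy["Statement"] if stmt.get("Effect") == "Allow"
               for a in _as_list(stmt.get("Action", []))]
    return sorted(action for action in set(BUILD_COMMANDS.values())
                  if not any(fnmatch.fnmatchcase(action, pattern) for pattern in granted))


if __name__ == "__main__":
    for name, policy in (("broad", broad_policy()), ("scoped", scoped_policy())):
        print(name, "over-broad:", find_broad_grants(policy), "missing:", missing_actions(policy))
    print(json.dumps(trust_policy(), indent=2))
```

Running the file prints the findings for both policies and the trust policy JSON. The aws:SourceAccount and aws:SourceArn conditions keep the role assumable only through the named CodeBuild project in your own account, and the checker treats ecr:GetAuthorizationToken with Resource "*" as acceptable because that action cannot be scoped to a narrower resource; everything else with a "*" resource or a wildcard action is reported so you can tighten it before the first build runs.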