# AWS CodeBuild (https://depot.dev/docs/container-builds/integrations/aws-codebuild)

## Authentication

For AWS CodeBuild, you can use project or user access tokens for authenticating your build with Depot. We recommend using project tokens as they are scoped to the specific project and are owned by the organization.

### [Project token](/docs/cli/authentication#project-tokens)

You can inject project access tokens into the CodeBuild environment for `depot` CLI authentication. Project tokens are tied to a specific project in your organization and not a user.

### [User access token](/docs/cli/authentication#user-access-tokens)

You can inject a user access token into the CodeBuild environment for `depot` CLI authentication. User tokens are tied to a specific user and not a project. Therefore, it can be used to build all projects across all organizations which the user has access.

## Configuration

To build a Docker image from AWS CodeBuild, you must set the `DEPOT_TOKEN` environment variable by [injecting it from Secrets Manager](https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html#secrets-manager-build-spec). Note that you also need to grant your IAM service role for CodeBuild permission to access the secret.

```yaml
{
  'Version': '2012-10-17',
  'Statement':
    [
      {
        'Sid': 'Statement1',
        'Effect': 'Allow',
        'Action': 'secretsmanager:GetSecretValue',
        'Resource': '<arn-of-your-project-token-in-secrets-manager>',
      },
    ],
}
```

### CodeBuild EC2 compute type

With a project or user token stored in Secrets Manager, you can add the `DEPOT_TOKEN` environment variable to your `buildspec.yml` file, install the `depot` CLI, and run `depot build` to build your Docker image. The following example shows the configuration steps when using the EC2 compute type.

```yaml showLineNumbers
version: 0.2

env:
  secrets-manager:
    DEPOT_TOKEN: '<arn-of-your-project-token-in-secrets-manager>'

phases:
  pre_build:
    commands:
      - echo Installing Depot CLI...
      - curl -L https://depot.dev/install-cli.sh | DEPOT_INSTALL_DIR="/usr/local/bin" sh
  build:
    commands:
      - depot build .
```

### CodeBuild Lambda compute type

The CodeBuild Lambda compute type requires installing the `depot` CLI in a different directory that is in the `$PATH` by default. The following example shows the configuration steps when using the Lambda compute type.

```yaml showLineNumbers
version: 0.2

env:
  secrets-manager:
    DEPOT_TOKEN: '<arn-of-your-project-token-in-secrets-manager>'

phases:
  pre_build:
    commands:
      - echo Installing Depot CLI...
      - curl -L https://depot.dev/install-cli.sh | DEPOT_INSTALL_DIR="/tmp/codebuild/bin" sh
  build:
    commands:
      - depot build .
```

**Note:** The CodeBuild Lambda compute type does not support privileged mode. Therefore, you cannot use the `--load` flag to load the image back into the Docker daemon as there is no Docker daemon running in the Lambda environment.

## Examples

### Build multi-platform images natively without emulation

This example shows how you can use the `--platform` flag to build a multi-platform image for Intel and Arm architectures natively without emulation.

```yaml showLineNumbers
version: 0.2

env:
  secrets-manager:
    DEPOT_TOKEN: '<arn-of-your-project-token-in-secrets-manager>'

phases:
  pre_build:
    commands:
      - echo Installing Depot CLI...
      - curl -L https://depot.dev/install-cli.sh | DEPOT_INSTALL_DIR="/usr/local/bin" sh
  build:
    commands:
      - depot build --platform linux/amd64,linux/arm64 .
```

### Build and push to AWS ECR

This example demonstrates building and pushing a Docker image to AWS ECR from AWS CodeBuild via Depot.

Note that you need to grant your IAM service role for CodeBuild permission to access the ECR repository by adding the following statement to its IAM policy:

```json
{
  "Action": [
    "ecr:BatchCheckLayerAvailability",
    "ecr:CompleteLayerUpload",
    "ecr:GetAuthorizationToken",
    "ecr:InitiateLayerUpload",
    "ecr:PutImage",
    "ecr:UploadLayerPart"
  ],
  "Resource": "*",
  "Effect": "Allow"
}
```

### Logging into ECR with the EC2 compute type

When using the EC2 compute type in CodeBuild, you can login to your ECR registry with `docker login` via the [documented methods](https://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html#sample-docker-files) provided by ECR. To access `docker login`, you must make sure that you're CodeBuild environment is configured with Privileged mode turned on.

```yaml showLineNumbers
version: 0.2

env:
  secrets-manager:
    DEPOT_TOKEN: '<arn-of-your-project-token-in-secrets-manager>'

phases:
  pre_build:
    commands:
      - echo Installing Depot CLI...
      - curl -L https://depot.dev/install-cli.sh | DEPOT_INSTALL_DIR="/usr/local/bin" sh
      - echo Logging in to Amazon ECR...
      - aws ecr get-login-password --region <your-aws-region> | docker login --username AWS --password-stdin <your-ecr-registry>
  build:
    commands:
      - depot build -t <your-ecr-registry>:<your-tag> --push .
```

### Logging into ECR with the Lambda compute type

You can build a Docker image with the Lambda compute type in CodeBuild and push it to ECR without using the `docker login` command by writing the Docker authentication file yourself at `$HOME/.docker/config.json` and use the [`--push`](/docs/cli/reference/container-builds#depot-build) flag. Note that you can't load the image back into the Docker daemon with the Lambda compute type.

```yaml showLineNumbers
version: 0.2

env:
  secrets-manager:
    DEPOT_TOKEN: '<your-project-token-secrets-manager-arn>'

phases:
  pre_build:
    commands:
      - ecr_stdin=$(aws ecr get-login-password --region <your-ecr-region>)
      - registry_auth=$(printf "AWS:$ecr_stdin" | openssl base64 -A)
      - mkdir $HOME/.docker
      - echo "{\"auths\":{\"<your-registry-url>\":{\"auth\":\"$registry_auth\"}}}" > $HOME/.docker/config.json
      - echo Installing Depot CLI...
      - curl -L https://depot.dev/install-cli.sh | DEPOT_INSTALL_DIR="/tmp/codebuild/bin" sh
  build:
    commands:
      - depot build -t <your-ecr-registry-url>:latest --push .
```

#### Obtaining an authenticated Docker config.json

Alternatively, you can copy a pre-configured, authenticated `config.json` by logging into the Docker registry and copying the `config.json` file.

```bash
$ docker login -u your-username
Password: <type your password>

$ cat ~/.docker/config.json
```

You can now copy the contents of the `config.json` file and use it in your CodeBuild configuration.

### Build and load the image back for testing

You can download the built container image into the workflow using the [`--load` flag](/docs/cli/reference/container-builds#depot-build).

```yaml showLineNumbers
version: 0.2

env:
  secrets-manager:
    DEPOT_TOKEN: '<arn-of-your-project-token-in-secrets-manager>'

phases:
  pre_build:
    commands:
      - echo Installing Depot CLI...
      - curl -L https://depot.dev/install-cli.sh | DEPOT_INSTALL_DIR="/usr/local/bin" sh
  build:
    commands:
      - depot build --load .
```

### Build, push, and load the image back in one command

You can simultaneously push the built image to a registry and load it back into the CI job using the [`--load` and `--push`](/docs/cli/reference/container-builds#depot-build) flags together.

```yaml showLineNumbers
version: 0.2

env:
  secrets-manager:
    DEPOT_TOKEN: '<arn-of-your-project-token-in-secrets-manager>'

phases:
  pre_build:
    commands:
      - echo Installing Depot CLI...
      - curl -L https://depot.dev/install-cli.sh | DEPOT_INSTALL_DIR="/usr/local/bin" sh
      - echo Logging in to Amazon ECR...
      - aws ecr get-login-password --region <your-aws-region> | docker login --username AWS --password-stdin <your-ecr-registry>
  build:
    commands:
      - depot build -t <your-ecr-registry>:<your-tag> --push --load .
```

## For AI Agents

The full site index is at [llms.txt](https://depot.dev/llms.txt). Append `.md` to any documentation, blog, changelog, or customer URL to fetch its markdown source directly.