
AWS CodeBuild by non-root user using `run-as` build spec

I would like to build with non-root user. To achieve this I'm looking at run-as build spec.

run-as: Optional sequence. Available to Linux users only. Specifies a Linux user that runs commands in this buildspec file. run-as grants the specified user read and execute permissions. When you specify run-as at the top of the buildspec file, it applies globally to all commands. If you don't want to specify a user for all buildspec file commands, you can specify one for commands in a phase by using run-as in one of the phases blocks. If run-as is not specified, then all commands run as the root.

  1. How do I create the non-root user to put in run-as?
  2. Where do I create that user?
  3. What permissions do I need to set since the cloned source files from git are owned by root?

rootkea asked Nov 06 '22 15:11


1 Answer

Go to aws-codebuild-docker-images, find the docker file for the environment image you are using, and in the docker file, you can see the user that is added to the build environment.

In my case, I was using ubuntu/standard/3.0, so I could find the user here:

```
RUN useradd codebuild-user
```

So to switch to a non root user, you can do:

```
run-as: codebuild-user
```
daltonfury42 answered Dec 04 '22 12:12
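
A fuller buildspec, added here as an example and not taken from the answer or from AWS's documentation, combining the global and per-phase forms of `run-as` described in the question. It assumes an image that already contains `codebuild-user` (as in ubuntu/standard/3.0 above), that the cloned source is owned by root and the build must write to it, and that `./build.sh` is a placeholder for the project's real build command.

```yaml
# Added example buildspec; not the answer author's or AWS's own file.
version: 0.2

# Global default: every phase runs as the non-root user unless it overrides this.
run-as: codebuild-user

phases:
  install:
    # Phase-level override: only this phase runs as root, so it can fix ownership.
    run-as: root
    commands:
      # Assumption: the source tree was cloned as root and the build writes into it.
      # run-as alone grants read and execute, so hand the tree to the build user.
      - chown -R codebuild-user "$CODEBUILD_SRC_DIR"
  build:
    commands:
      # Inherits the global run-as. Log the effective user for the build record.
      - id -un
      # Fail the build early if the commands are still running as root (uid 0).
      - test "$(id -u)" -ne 0
      # Placeholder for the project's real build command.
      - ./build.sh
```

Keeping root confined to the single `install` phase means a compromised dependency or build script in later phases runs without root inside the build container.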