Install: claude install-skill Goodsmileduck/claude-registry
# AWS CodePipeline + CodeBuild
These two services are tightly coupled in practice: CodePipeline orchestrates stages, CodeBuild does the build action. Most friction lives at the boundary (artifact handoff, IAM roles, source authentication).
## When to invoke
**Symptoms:**
- CodeBuild fails immediately with `CannotPullContainerError: pull access denied` for an ECR image.
- A Lambda invoke action in CodePipeline hangs for 30+ minutes even though the function returns quickly.
- `npm ci` / `pip install` / Maven dependency resolution dominates build time and the configured cache isn't helping.
- The source action shows OAuth-style GitHub auth and we want to migrate to the modern GitHub App.
- Cross-account deploy stage fails with assume-role errors.
- Build succeeds but the next stage receives empty / missing artifacts.
- A `buildspec.yml` referenced in CodeBuild silently runs without env vars from Parameter Store / Secrets Manager.
- The pipeline service role has an AWS-managed policy attached and we want to scope it down.
## Cross-cutting rules
1. **Always set `imagePullCredentialsType` explicitly when using ECR base images.** Default (`CODEBUILD`) requires an ECR repository policy trusting `codebuild.amazonaws.com`. Setting `SERVICE_ROLE` pulls under the project's IAM role — usually what you want. See [ECR base images](#ecr-base-images).
2. **Lambda actions are async from CodePipeline's perspective.** The Lambda MUST call `PutJobSuccessResult` / `PutJobFailureResult` before return
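
An audit for rule 1, as an added example that is not part of the original skill: it flags CodeBuild projects that pull an ECR image without `imagePullCredentialsType` set to `SERVICE_ROLE`. It assumes project descriptions shaped like the `projects` array from `aws codebuild batch-get-projects`; the function names, status labels, account ID and project names are constructed for illustration.

```python
import re

# Private ECR image URI: <account>.dkr.ecr.<region>.amazonaws.com/<repo>[:tag]
ECR_IMAGE = re.compile(r"^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com(\.cn)?/")

def classify(project):
    """Classify one project description against rule 1 (labels are hypothetical)."""
    env = project.get("environment", {})
    if not ECR_IMAGE.match(env.get("image", "")):
        return "not-ecr"              # curated or non-ECR image: rule does not apply
    cred = env.get("imagePullCredentialsType")
    if cred == "SERVICE_ROLE":
        return "service-role"         # pull happens under the project's IAM role
    if cred == "CODEBUILD":
        return "explicit-codebuild"   # repo policy must trust codebuild.amazonaws.com
    return "implicit-default"         # unset: falls back to CODEBUILD

def audit(projects):
    """Return {project name: status} for every project that needs attention."""
    findings = {}
    for project in projects:
        status = classify(project)
        if status in ("explicit-codebuild", "implicit-default"):
            findings[project.get("name", "<unnamed>")] = status
    return findings

# Constructed sample input (placeholder account ID, not real projects).
SAMPLE_PROJECTS = [
    {"name": "api-build",
     "environment": {"image": "aws/codebuild/standard:7.0",
                     "imagePullCredentialsType": "CODEBUILD"}},
    {"name": "worker-build",
     "environment": {"image": "111122223333.dkr.ecr.eu-west-1.amazonaws.com/base/node:20"}},
    {"name": "infra-build",
     "environment": {"image": "111122223333.dkr.ecr.eu-west-1.amazonaws.com/base/tf:1.8",
                     "imagePullCredentialsType": "SERVICE_ROLE"}},
    {"name": "legacy-build",
     "environment": {"image": "111122223333.dkr.ecr.us-east-1.amazonaws.com/base/jdk:17",
                     "imagePullCredentialsType": "CODEBUILD"}},
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE_PROJECTS).items():
        print(f"{name}: {status}")
```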