CodePipeline: orchestrating delivery
Stages, actions, artifacts, approvals, secure roles.
AWS DevOps begins with automated delivery, and CodePipeline is the orchestration service that models a release as a sequence of stages. Understanding how it chains source, build, test, and deploy is the foundation for everything else.
Stages, actions, and artifacts
A pipeline is an ordered set of stages, each containing actions — source (pull from CodeCommit, GitHub, or S3), build (CodeBuild), test, deploy (CodeDeploy, CloudFormation, ECS), and approvals. Artifacts flow between stages through an S3 artifact bucket: a build produces an artifact that the deploy stage consumes. You can add a manual approval action to gate promotion to production, and parallel actions to run independent steps together. The pipeline reacts automatically to source changes, so a commit flows through build, test, and deploy without manual steps — the core of continuous delivery on AWS.
Source → pull code (CodeCommit / GitHub / S3) → artifactBuild → CodeBuild (compile, unit test, package) → artifactTest → integration tests / security scans (fail = stop)Approve → manual approval gate before prodDeploy → CodeDeploy / CloudFormation / ECS# Artifacts pass between stages via an S3 bucket; the pipeline runs on every# source change, automatically.
Least privilege and security in the pipeline
The pipeline is powerful — it can deploy to production — so secure it accordingly. Give CodePipeline and CodeBuild scoped IAM roles with only the permissions each stage needs, never long-lived keys, and for external CI use OIDC federation instead of stored credentials. Integrate security scanning (SAST, dependency, and image scans) as pipeline stages that can fail the build, shifting security left so vulnerabilities are caught before deploy. Store configuration and secrets in Parameter Store or Secrets Manager and fetch them at build/deploy time via the role, not baked into artifacts. A well-designed pipeline is both fast and a security control.