I would like to build with non-root user. To achieve this I'm looking at run-as build spec.

run-as: Optional sequence. Available to Linux users only. Specifies a Linux user that runs commands in this buildspec file. run-as grants the specified user read and execute permissions. When you specify run-as at the top of the buildspec file, it applies globally to all commands. If you don't want to specify a user for all buildspec file commands, you can specify one for commands in a phase by using run-as in one of the phases blocks. If run-as is not specified, then all commands run as the root.

1. How do I create the non-root user to put in run-as?
2. Where do I create that user?
3. What permissions I need to set since the cloned source files from git are owned by root?

Go to aws-codebuild-docker-images, find the docker file for the environment image you are using, and in the docker file, you can see the user that is added to to build environement.

Im my case, I was using ubuntu/standard/3.0, so I could find the user here:

RUN useradd codebuild-user

So to switch to a non root user, you can do:

run-as: codebuild-user

To create a new user (on ubuntu-like Linux systems) the trick is to use adduser --gecos GECOS --disabled-password .... Then you can run-as that user in specific phases.

Note that CodeBuild run-as does not set $HOME so you must explicitly set that.

version: 0.2
phases:
  pre_build:
    commands:
      - adduser --gecos GECOS --disabled-password test-user-1
      - adduser --gecos GECOS --disabled-password test-user-2
  build:
    run-as: test-user-1
    commands:
      - whoami
      - export HOME=/home/test-user-1

Or as mentioned, CodeBuild provides a default non-root user named codebuild-user.

See also: https://mcmap.net/q/973378/-aws-codebuild-as-non-root-user

You can define the linux user you want to run the build script in your buildspec.yml

version: 0.2
run-as: Linux-user-name

Ref: https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html