Pass AWS CodeBuild IAM Role inside Docker container [unable to locate credentials]

3

The role configured on the CodeBuild project works fine with the runtime environment but doesn't work when we run a command from inside the container; it says "unable to locate credentials".
Let me know how we can use the role out of the box inside the container.

Bankruptcy answered 5/2, 2020 at 8:58 Comment(2)
You can pass the credentials as environment variables and then consume them while running – Grisaille
I do not want to pass it as an environment variable. Ideally the container runtime must have that role attached similar to how it works in ECS as task role. – Bankruptcy
9

You can make use of credential source "EcsContainer" to assume role seamlessly without having to export new credentials in your buildspec.yml.

credential_source - The credential provider to use to get credentials for the initial assume-role call. This parameter cannot be provided alongside source_profile. Valid values are:

  • Environment to pull source credentials from environment variables.
  • Ec2InstanceMetadata to use the EC2 instance role as source credentials.
  • EcsContainer to use the ECS container credentials as the source credentials.

From: https://docs.aws.amazon.com/cli/latest/topic/config-vars.html

Steps:

Step-0: Create a new Role 'arn:aws:iam::0000000000:role/RoleToBeAssumed' and attach required policies to provide the permission required for the commands you are running during the build.

Step-1: Add sts:assumeRole permissions to your CodeBuild Service Role. Here is a sample policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::0000000000:role/RoleToBeAssumed"
        }
    ]
}

Step-2: Configure your build container to use the credential metadata as source for assuming the role. Here is a buildspec example:

version: 0.2

phases:
  install:
    runtime-versions:
      nodejs: 8
    commands:
      - aws sts get-caller-identity
      - mkdir -p ~/.aws && touch ~/.aws/config
      - echo "[profile buildprofile]" > ~/.aws/config
      - echo "role_arn = arn:aws:iam::0000000000:role/RoleToBeAssumed" >> ~/.aws/config
      - echo "credential_source = EcsContainer" >> ~/.aws/config
      - aws sts get-caller-identity --profile buildprofile
Lesotho answered 6/2, 2020 at 0:37 Comment(2)
Thank you 🚀, very clean and helpful – Periodontics
In addition, I had to configure the assume policy document of the RoleToBeAssumed to allow the CodeBuild role to assume it. – Instead
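The profile setup from the answer above, as an added shell example that is not part of the original answer: it writes the profile idempotently (so a re-run does not fail on an existing ~/.aws directory) and adds a pre-flight check for the one condition under which credential_source = EcsContainer yields "Unable to locate credentials", namely the build environment not exposing the container credential endpoint through AWS_CONTAINER_CREDENTIALS_RELATIVE_URI. The role ARN and account id in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the answer above): write the CodeBuild role profile
# idempotently and pre-check the container credential endpoint before using it.

# Write (overwriting, as the answer does) a named profile that chains to the
# target role using the build container's own credential endpoint as source.
#   $1 = path to the AWS CLI config file
#   $2 = profile name
#   $3 = role ARN to assume
write_build_profile() {
    cfg="$1"; profile="$2"; role_arn="$3"
    mkdir -p "$(dirname "$cfg")"   # -p: no failure if ~/.aws already exists
    cat > "$cfg" <<EOF
[profile $profile]
role_arn = $role_arn
credential_source = EcsContainer
EOF
}

# credential_source = EcsContainer only works when the SDK can reach the
# container credential endpoint. CodeBuild (like ECS) advertises it through
# AWS_CONTAINER_CREDENTIALS_RELATIVE_URI; if that variable is missing the CLI
# reports "Unable to locate credentials", so fail early with a clear message.
check_ecs_credential_source() {
    if [ -z "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}" ]; then
        echo "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is not set: credential_source=EcsContainer cannot work here" >&2
        return 1
    fi
    return 0
}

# Usage in a buildspec (role ARN / account id are placeholders):
#   write_build_profile "$HOME/.aws/config" buildprofile arn:aws:iam::000000000000:role/RoleToBeAssumed
#   check_ecs_credential_source && aws sts get-caller-identity --profile buildprofile
```

Because the file is overwritten rather than appended to, any profiles already present in ~/.aws/config on the build image are lost; that matches the answer's `>` redirect and is usually what you want in a throwaway build container.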
7

If you need to run a Docker container in a build environment and the container requires AWS credentials, you must pass through the credentials from the build environment to the container.

docker run -e AWS_DEFAULT_REGION -e AWS_CONTAINER_CREDENTIALS_RELATIVE_URI your-image-tag aws s3 ls

https://docs.aws.amazon.com/codebuild/latest/userguide/troubleshooting.html#troubleshooting-versions

Undercoating answered 24/6, 2020 at 15:13 Comment(0)
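The pass-through from the answer above, as an added shell example that is not from the original answer or from AWS: it assembles the `-e` flags for `docker run` so that only variable names cross the boundary (docker copies the values from the build environment, so no key material lands on the logged command line), and it refuses to start the inner container when the credential endpoint variable is absent, which is the state that produces "Unable to locate credentials". `run_with_build_creds` and the image name are hypothetical; AWS_REGION is forwarded alongside AWS_DEFAULT_REGION because CodeBuild sets both.

```shell
#!/bin/sh
# Added example (not from the answer above): build the environment pass-through
# flags for `docker run` so the inner container resolves credentials through
# CodeBuild's credential endpoint instead of keys on the command line.

# Print the `-e NAME` flags the inner container needs. Only names are
# forwarded; docker reads the values from the current environment.
# Returns 1 and prints nothing when the endpoint variable is absent.
docker_cred_args() {
    if [ -z "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}" ]; then
        echo "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is not set; refusing to start container without a credential source" >&2
        return 1
    fi
    args="-e AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
    # A region is needed for most service calls; forward whichever names are set.
    [ -n "${AWS_DEFAULT_REGION:-}" ] && args="$args -e AWS_DEFAULT_REGION"
    [ -n "${AWS_REGION:-}" ] && args="$args -e AWS_REGION"
    echo "$args"
}

# Run a command in IMAGE with the build's credentials passed through
# (hypothetical wrapper; IMAGE is a placeholder):
#   run_with_build_creds your-image-tag aws s3 ls
run_with_build_creds() {
    flags=$(docker_cred_args) || return 1
    # shellcheck disable=SC2086  # word splitting of the flag list is intended
    docker run --rm $flags "$@"
}
```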
2

Another way is to assume the role manually and export the auth tokens. Make sure you have ASSUME_ROLE_ARN available as an environment variable:

commands:
  - TEMP_ROLE=$(aws sts assume-role --role-arn "$ASSUME_ROLE_ARN" --role-session-name temp)
  - export TEMP_ROLE
  - export AWS_ACCESS_KEY_ID=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
  - export AWS_SECRET_ACCESS_KEY=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
  - export AWS_SESSION_TOKEN=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SessionToken')
  - docker push "$ECR_IMAGE_URL:$IMAGE_TAG"
Bankruptcy answered 19/8, 2021 at 8:28 Comment(0)
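The manual assume-role flow from the answer above, as an added shell example that is not part of the original answer: it parses the JSON that `aws sts assume-role` prints and exports the three temporary-credential variables, but fails closed instead of exporting empty strings when the call did not return a complete credential set (the buildspec above would otherwise carry on to `docker push` with blank keys and fail later, less clearly). It uses sed rather than jq so it also runs on images without jq; the sample JSON is constructed and contains no real credentials, and the session name and ARNs are placeholders.

```shell
#!/bin/sh
# Added example (not from the answer above): export temporary credentials from
# assume-role JSON, refusing to proceed when any of the three values is missing.

# Extract one string field of the Credentials object from assume-role JSON.
#   $1 = field name (AccessKeyId, SecretAccessKey, SessionToken, Expiration)
#   $2 = JSON text (one field per line, as the CLI prints it, or single-line)
cred_field() {
    printf '%s\n' "$2" | sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Export AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN from
# assume-role JSON. Returns 1 and leaves the environment untouched if any of
# the three is absent, so a later docker push cannot run with blank keys.
export_temp_creds() {
    key=$(cred_field AccessKeyId "$1")
    secret=$(cred_field SecretAccessKey "$1")
    token=$(cred_field SessionToken "$1")
    if [ -z "$key" ] || [ -z "$secret" ] || [ -z "$token" ]; then
        echo "assume-role output did not contain a full credential set" >&2
        return 1
    fi
    export AWS_ACCESS_KEY_ID="$key"
    export AWS_SECRET_ACCESS_KEY="$secret"
    export AWS_SESSION_TOKEN="$token"
    # Expiration is informative only; log it so the build output shows when
    # these session credentials stop working.
    echo "temporary credentials valid until $(cred_field Expiration "$1")"
}

# Usage in a buildspec (ASSUME_ROLE_ARN supplied as a build environment variable):
#   export_temp_creds "$(aws sts assume-role --role-arn "$ASSUME_ROLE_ARN" --role-session-name codebuild-temp)"
#   docker push "$ECR_IMAGE_URL:$IMAGE_TAG"

# Constructed sample of what assume-role returns (values are not real credentials).
SAMPLE_ASSUME_ROLE_JSON='{
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID0000",
        "SecretAccessKey": "exampleSecretKeyNotReal/constructed",
        "SessionToken": "exampleSessionTokenNotReal",
        "Expiration": "2020-02-06T01:37:00Z"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLE:codebuild-temp",
        "Arn": "arn:aws:sts::000000000000:assumed-role/RoleToBeAssumed/codebuild-temp"
    }
}'
```

Where jq is available, the answer's `jq -r '.Credentials.AccessKeyId'` is the more robust extractor; the sed version exists only to keep the fail-closed check usable on minimal build images.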
