How to read SSM parameters when using AWS Codebuild?
R

4

8

I'm currently successfully using codebuild for simple build tasks (in a non-vpc configuration).

But now I'm trying to run a build task that reads an SSM parameter value, and it's failing because it can't load any credentials, the apparent cause being:

com.amazonaws.auth.InstanceProfileCredentialsProvider@5754b242: Unable to load credentials from service endpoint

The IAM service-role I've allocated to the codebuild project does have ssm:GetParameters permission for the parameter that I'm trying to read (and if that were the problem, I'd expect to see an unauthorized message, rather than unable to load credentials).

I'm using the Java SDK to do the SSM GetParameter call, which I've confirmed does work for reading from SSM parameters when run from an EC2 instance, so I'm pretty sure the problem here is Codebuild.

To further diagnose the issue, I tried adding a build command to do a curl against the AWS instance metadata address:

curl 169.254.169.254/latest/meta-data/iam/info

Instead of returning the instance metadata like it would from a normal EC2 environment, it just times out.

So it seems like the root of the problem is that the codebuild environment doesn't work with the AWS metadata lookup address, which causes the AWS provider chain to not be able to look up credentials.

How can I read my SSM parameters from codebuild (without hardcoding or using environment variables for SDK credentials)?

Repentance answered 25/4, 2018 at 7:15 Comment(0)
A
13

May I ask you why you are not using the built-in approach of AWS CodeBuild? You are able to get parameters out of SSM through the build spec of your AWS CodeBuild project. The additional call through the Java SDK is obsolete in this case.

version: 0.2

env:
  parameter-store:
    key: "value"
    key: "value"

phases:
  build:
    commands:
      - command
      - command

parameter-store: Required if env is specified, and you want to retrieve custom environment variables stored in Amazon EC2 Systems Manager Parameter Store. Contains a mapping of key/value scalars, where each mapping represents a single custom environment variable stored in Amazon EC2 Systems Manager Parameter Store. key is the name you will use later in your build commands to refer to this custom environment variable, and value is the name of the custom environment variable stored in Amazon EC2 Systems Manager Parameter Store.

For more information, please check the Build Specification Reference for AWS CodeBuild.

Aswarm answered 25/4, 2018 at 7:38 Comment(0)
R
1

The answer from MaiKaY is the best solution to the problem of "how to get SSM parameter values into your build" (better for the buildspec to be bound to the name of the SSM parameter rather than code or build scripts).

But in case anyone else stumbles upon this question while dealing with the same issue - the problem was with the underlying code from the initial question, sort of related to the answer from Clare Liguori.

I was using a recent AWS SDK - but I wasn't using it the right way. I was using a simple constructor of the AWSSimpleSystemsManagementClient class, which is rarely the right thing to do.
The better way to construct your client is to use the AWSSimpleSystemsManagementClientBuilder class, like:

AWSSimpleSystemsManagementClientBuilder.standard().build()
Repentance answered 30/4, 2018 at 9:14 Comment(0)
B
0

Your AWS Java SDK is likely out of date. The minimum version for retrieving credentials in CodeBuild is 1.11.16. https://docs.aws.amazon.com/codebuild/latest/userguide/troubleshooting.html#troubleshooting-versions

Bevus answered 25/4, 2018 at 15:48 Comment(2)
CodeBuild uses containers to run builds, so you need to use the AWS container metadata endpoint, not the instance metadata endpoint. Try running: curl 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI - Bevus
See my other answer. This might be worth adding as an FAQ answer if it comes up again for somebody else. - Repentance
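Added example, not part of the original posts: a shell helper for the endpoint check discussed in the comments above. The container endpoint's response carries the secret key and session token, so this version masks them before anything reaches the build log. The function names and the JSON field names (assumed to follow the container credentials response format) are assumptions of this example.

```shell
#!/bin/sh
# Added example: credential-endpoint diagnostic for a CodeBuild build command.
# Source this file from a build command, then call check_credentials.

# Which endpoint applies: the container endpoint is used when the
# relative-URI variable is set, otherwise the EC2 instance metadata path
# that the question tried.
credential_source() {
  if [ -n "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}" ]; then
    echo container
  else
    echo instance
  fi
}

credential_url() {
  if [ "$(credential_source)" = container ]; then
    printf 'http://169.254.170.2%s' "$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
  else
    printf 'http://169.254.169.254/latest/meta-data/iam/info'
  fi
}

# Mask the secret fields of a credentials JSON document read from stdin.
# Field names are assumed; RoleArn, AccessKeyId and Expiration stay visible
# because they are what you need for diagnosis.
redact_credentials() {
  sed -E 's/"(SecretAccessKey|Token)"[[:space:]]*:[[:space:]]*"[^"]*"/"\1":"[REDACTED]"/g'
}

# Query the endpoint with a short timeout and print only the redacted body.
# The URL itself is not echoed, only which kind of endpoint was chosen.
check_credentials() {
  echo "credential source: $(credential_source)"
  body=$(curl -sS --max-time 3 "$(credential_url)") || {
    echo "credential endpoint did not answer within 3s" >&2
    return 1
  }
  printf '%s\n' "$body" | redact_credentials
}
```

A timeout on the `instance` path combined with a successful answer on the `container` path reproduces the situation described in the question.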
C
0

Adding to MaiKaY's answer, make sure the parameter in SSM Parameter Store is in SecureString format and NOT in String. I struggled with this for days and finally added the variables via the CodeBuild console, which automatically stores them as SecureString.

Claque answered 24/2, 2022 at 6:50 Comment(0)