AWS CodeBuild fails to interact with RDS instance

2

5

I have the most basic setup in AWS:

  • a publicly accessible RDS instance (PostgreSQL 9.6.6 - same as my development one)
  • a CodeBuild project

both in the default VPC.

My application is written in Laravel 5.5 and the buildspec.yml runs ./artisan migrate --force at some point and CodeBuild outputs the following error:

[Container] 2018/03/10 19:41:36 Running command php artisan migrate --force

[Illuminate\Database\QueryException] 
SQLSTATE[08006] [7] timeout expired (SQL: select * from information_schema. 
tables where table_schema = public and table_name = migrations)     

[Doctrine\DBAL\Driver\PDOException] 
SQLSTATE[08006] [7] timeout expired    

[PDOException] 
SQLSTATE[08006] [7] timeout expired 

Where should I start looking for an error?

Sectarian answered 10/3, 2018 at 19:56 Comment(4)
What does your RDS security group look like? Is it open to CodeBuild? You can find the IP ranges for CodeBuild here: ip-ranges.amazonaws.com/ip-ranges.json - Viperine
@SudharsanSivasankaran I just used the default security group created by RDS. The inbound rule is 86.127.247.14/32 and the outbound rule is 0.0.0.0/0. - Sectarian
So, it means only 86.127.247.14 can access your DB. Go here: ip-ranges.amazonaws.com/ip-ranges.json, search for CODEBUILD and choose your region, add that IP to the inbound rule and then give it a try? - Viperine
@SudharsanSivasankaran could you please post that as an answer so I can accept it? I will edit your answer to add some information so people can be aware of these things. - Sectarian
15

You need to make sure that the RDS security group allows inbound traffic from CodeBuild.

  1. Go to https://ip-ranges.amazonaws.com/ip-ranges.json
  2. Search for CODEBUILD and choose your region.
  3. Add the IP to the inbound rule in the RDS Security Groups.
Viperine answered 10/3, 2018 at 20:50 Comment(2)
I've seen this advice in a couple places. Isn't this somewhat of a security issue? Wouldn't this mean anyone using CodeBuild in that region can potentially access your DB (although they would still need credentials)? - Goose
Good question, but not exactly. The request from someone else's CodeBuild environment would also need to be able to route requests to your RDS. - Duma
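
Steps 1 to 3 of the answer above, as an added example that is not part of the original answer: it filters a document in the ip-ranges.json layout for the CODEBUILD service in one region and builds an ingress permission limited to the PostgreSQL port, in the shape the EC2 AuthorizeSecurityGroupIngress call takes as IpPermissions. The region eu-west-1, the function names and the sample CIDRs (documentation ranges) are assumptions made for the illustration.

```python
import ipaddress
import json

# Constructed sample in the layout of ip-ranges.json; the CIDRs are
# documentation ranges (RFC 5737), not real CodeBuild addresses.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2018-03-10-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/28", "region": "eu-west-1",
         "service": "CODEBUILD", "network_border_group": "eu-west-1"},
        {"ip_prefix": "198.51.100.16/28", "region": "eu-west-1",
         "service": "CODEBUILD", "network_border_group": "eu-west-1"},
        {"ip_prefix": "203.0.113.0/28", "region": "us-east-1",
         "service": "CODEBUILD", "network_border_group": "us-east-1"},
        {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1",
         "service": "EC2", "network_border_group": "eu-west-1"},
    ],
})


def codebuild_cidrs(ip_ranges_json, region):
    """Return the sorted IPv4 CIDRs published for CODEBUILD in one region."""
    doc = json.loads(ip_ranges_json)
    cidrs = {
        str(ipaddress.ip_network(p["ip_prefix"]))  # rejects malformed prefixes
        for p in doc.get("prefixes", [])
        if p.get("service") == "CODEBUILD" and p.get("region") == region
    }
    return sorted(cidrs, key=ipaddress.ip_network)


def postgres_ingress(cidrs, port=5432):
    """Build one ingress permission limited to the database port."""
    return [{
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": c, "Description": "CodeBuild"} for c in cidrs],
    }]


if __name__ == "__main__":
    perms = postgres_ingress(codebuild_cidrs(SAMPLE_IP_RANGES, "eu-west-1"))
    print(json.dumps(perms, indent=2))
```

The published file changes over time, so a rule built from it has to be regenerated when the ranges are updated.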
0

Create a Security Group for CodeBuild and reference it as a source from the DB Security Group.

Coadjutor answered 26/5, 2022 at 7:8 Comment(1)
That's true, but this only helps if you already knew the details beforehand, and i.e. forgot or lost track, and just needed a quick reminder. But for readers who have no idea what's happening, it tells them nothing. So, dear reader, be sure to see the answer from "Mar 10, 2018 at 20:50" by "Sudharsan Sivasankaran". - Gustaf
