Geek Answers Handbook

Use the appropriate ECS credentials to work with CodeBuild

I am trying to use the CodeBuild service role in my mvn command, but does not seem to be collecting the appropriate IAM permissions. I am using the s3-wagon-private plugin , which seems to be using the latest version of DefaultAWSCredentialsProviderChain , which includes EC2ContainerCredentialsProviderWrapper , so I thought it should use the CodeBuild role in the CodeBuild container. This role has the appropriate permissions for S3 replication, with which I am trying to access using s3-wagon-private.

But it seems that without using the Clojure project and project.cloj, it will not use DefaultAWSCredentialsProviderChain by default. I looked at Spring AWS Maven and Maven S3 Wagon , but both use the DefaultAWSCredentialsProviderChain version before adding ECS โ€‹โ€‹credentials (AWS SDK ~ 1.11.14) and have not seen many updates for them, so itโ€™s not too sure that we could update the SDK / test / released.

Does anyone know of a simple way to use S3 as a maven repo with the latest version of DefaultCredentialProviderChain ?

+1
maven aws-codebuild
source share
2 answers

My workaround is to put the settings.xml file in the S3 bucket, limited to my CodeBuild role. Then in my buildspec.yaml file add the following:

 phases: build: commands: - aws s3 cp s3://MY_SECURE_BUCKET/settings.xml ~/.m2/settings.xml - ls -lhr ~/.m2/settings.xml - mvn -s ~/.m2/settings.xml package

The CodeBuild user has no problem capturing the settings.xml file from S3 using the IAM container role, and the settings.xml file contains the AWS key / secret for a user who has access only to S3 maven repo:

  <server> <id>s3repo</id> <username>MYKEY</username> <password>MYSECRET</password> </server>

And then I use the maven-s3-wagon plugin and declare <repository> with <id>s3repo</id> , and my maven settings are fine.

This solution includes an additional step in the assembly, creating an additional IAM user with maven-repo-only (although you may already have one) and saving the additional file in S3; but it works great and seems safe. But if someone can find a way to get the maven repo out of S3 using IAM container loans, send another solution.

+1
source share

When using AWS containers (e.g. CodeBuild). Instance metadata is in a different place than the usual http://169.254.169.254/latest/meta-data/

Instead. AWS sets the $AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable, which points to the correct URI for metadata. This is required for the AWS SDK and other tools to accept the IAM role.

Valid AWS container url:

 http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI

The currently supported AWS SDK supports this feature, but there may be a flaw in older tools. The AWS instance metadata documentation explains this in more detail.

0
source share

More articles:


All Articles