Closed joekiller closed 5 years ago
AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is only available within the context of CodeBuild on AWS cloud. How are you using the environment variable within your builds? How does it affect your local builds? A buildspec sample would be great.
Our primary use case is pretty much exactly what is outlined in the Troubleshooting CodeBuild Error: "Unable to Locate Credentials" link I posted prior. We pass the IAM role of the build to our docker image being built or run. The docker image may be creating an artifact or be the artifact itself.
For example, the role is used to resolve python pip requirements.txt entries like `git+https://git-codecommit.us-east-1.amazonaws.com/v1/repos/my-awesome-project@master#egg=my-awesome-project`, which relies on the CodeCommit AWS CLI Credential Helper to access the repository.
Another way the role is used is via s3-wagon-private, which allows maven dependencies to live on s3 buckets; the dependency tool resolves permissions via the IAM role.
Currently Local CodeBuild lets me use the `-c` switch, which works fine for enabling a "role" for code running in the build space itself, but not if we want to run our docker builds with an IAM/credential enabled environment.
A typical buildspec is:

```yaml
version: 0.2
env:
  variables:
    FN_NAME: "my-awesome-function"
phases:
  install:
    commands:
      - mkdir -p target
      - printenv >> target/metadata
  build:
    commands:
      - docker build -t ${FN_NAME} .
      # Forward the build's credential endpoint path into the container so the
      # SDK inside it can assume the build's IAM role at run time.
      - docker run -e AWS_REGION=${AWS_REGION} -e AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION} -e AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI} -v $(pwd)/target:/tmp/target ${FN_NAME}
artifacts:
  files:
    - '**/*'
  base-directory: target
```
or
```yaml
version: 0.2
env:
  variables:
    FN_NAME: "my-awesome-function"
phases:
  install:
    commands:
      - mkdir -p target
      - printenv >> target/metadata
  build:
    commands:
      # The credential endpoint path is needed at build time here (e.g. for pip
      # or maven inside the Dockerfile). Note that --build-arg values are
      # recorded in the image metadata and show up in `docker history`.
      - docker build --build-arg AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION --build-arg AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI -t ${FN_NAME} .
      - docker run -v $(pwd)/target:/tmp/target ${FN_NAME} cp /opt/artifact.zip /tmp/target/
artifacts:
  files:
    - '**/*'
  base-directory: target
```
Ideally, if I pass `-c` to CodeBuild Local, then AWS_CONTAINER_CREDENTIALS_RELATIVE_URI has a little service that passes the "role" along.
Typically we work around this problem in a "local build" because we just run the docker build locally and mount in our .aws directory via `-v ~/.aws:/root/.aws:ro`. Adding the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI would allow us to adopt using CodeBuild Local for our build flow, thus reducing ops build message commit hell.
Y'all should grab something from the recent ECS local service: https://aws.amazon.com/blogs/compute/a-guide-to-locally-testing-containers-with-amazon-ecs-local-endpoints-and-docker-compose/
Hi, I was able to get everything working by running the ECS Local Container Endpoints and updating my iptables to route requests to it per https://github.com/awslabs/amazon-ecs-local-container-endpoints#option-2-set-up-iptables-rules
I also had to provide an environment variable file:

```
AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/creds
```

And then I could run:

```
codebuild_build.sh -c -i 'aws/codebuild/docker:18.09.0' -a /tmp -e local_build_env
```
And even my docker containers got IAM credentials. Local CodeBuild nirvana!
PS: on macOS you can do

```
sudo ifconfig lo0 alias 169.254.170.2 255.255.255.255
```

and then

```
docker run -d -p 80:51679 \
  -v /var/run:/var/run \
  -v $HOME/.aws/:/home/.aws/ \
  -e "ECS_LOCAL_METADATA_PORT=51679" \
  --name ecs-local-endpoints \
  amazon/amazon-ecs-local-container-endpoints:latest
```

and that should make it work on Docker Desktop for macOS.

To remove the alias do

```
sudo ifconfig lo0 -alias 169.254.170.2
```
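The workaround in the comments above hinges on how AWS SDKs consume `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`: the SDK prepends the fixed link-local host `http://169.254.170.2` to the relative path and does a plain HTTP GET, which is why traffic to that address has to be steered (iptables rule or `lo0` alias) to the ECS local endpoints container. The following is an added example, not code from the issue, CodeBuild Local or amazon-ecs-local-container-endpoints: it emulates that resolution step against a stub credential endpoint bound to localhost (the stub host, port, `/creds` path and the credential values are constructed for the example; the only real-world constant is the `169.254.170.2` host and the response field names).

```python
"""Added example: how AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is resolved.

Not from the issue or any AWS project. The stub endpoint and credential
values below are constructed; it binds to 127.0.0.1 so it runs offline
without the iptables / lo0 tricks described in the thread.
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Fixed host AWS SDKs prepend to AWS_CONTAINER_CREDENTIALS_RELATIVE_URI.
# On ECS / CodeBuild the agent answers here; on a laptop nothing does,
# hence the routing rules in the thread.
ECS_CREDENTIALS_HOST = "http://169.254.170.2"

# Constructed sample response in the field layout the endpoint returns.
# These are not real credentials.
SAMPLE_CREDS = {
    "AccessKeyId": "ASIAEXAMPLE",
    "SecretAccessKey": "exampleSecretKey",
    "Token": "exampleSessionToken",
    "Expiration": "2030-01-01T00:00:00Z",
    "RoleArn": "arn:aws:iam::123456789012:role/example-build-role",
}


class StubCredentialsHandler(BaseHTTPRequestHandler):
    """Serves SAMPLE_CREDS at /creds (assumed path) and 404 elsewhere."""

    def do_GET(self):
        if self.path == "/creds":
            body = json.dumps(SAMPLE_CREDS).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_stub_endpoint():
    """Start the stub on an ephemeral localhost port in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), StubCredentialsHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_container_credentials(env, base_url=ECS_CREDENTIALS_HOST, timeout=2):
    """Mirror the SDK container credential provider.

    Returns the parsed credential dict, or None when neither container
    variable is set (the SDK would then fall through to the next provider).
    Raises urllib.error.HTTPError if the endpoint rejects the request.
    """
    relative = env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
    full = env.get("AWS_CONTAINER_CREDENTIALS_FULL_URI")
    if relative:
        url = base_url + relative
    elif full:
        url = full
    else:
        return None
    req = Request(url)
    # Optional bearer token the SDK sends when set in the environment.
    token = env.get("AWS_CONTAINER_AUTHORIZATION_TOKEN")
    if token:
        req.add_header("Authorization", token)
    with urlopen(req, timeout=timeout) as resp:
        data = json.load(resp)
    for key in ("AccessKeyId", "SecretAccessKey", "Token"):
        if key not in data:
            raise ValueError("credential response missing %s" % key)
    return data


def demo(relative_uri="/creds"):
    """Resolve credentials through the stub.

    Returns the credential dict, or the HTTP status code when the endpoint
    rejects the relative URI (404 for an unknown path).
    """
    server = start_stub_endpoint()
    try:
        base = "http://127.0.0.1:%d" % server.server_address[1]
        env = {"AWS_CONTAINER_CREDENTIALS_RELATIVE_URI": relative_uri}
        return fetch_container_credentials(env, base_url=base)
    except HTTPError as err:
        return err.code
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The `base_url` parameter exists only so the example can point at localhost; a real SDK has no such knob, which is exactly why the thread resorts to rewriting packets destined for 169.254.170.2 rather than changing the client.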
For those that have come here and are having trouble with SSO-based credentials, check out this issue for a fix: https://github.com/awslabs/amazon-ecs-local-container-endpoints/issues/51
We have several builds that pass the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable per Troubleshooting CodeBuild Error: "Unable to Locate Credentials". So when we try the following, AWS_CONTAINER_CREDENTIALS_RELATIVE_URI isn't in the environment, so I cannot test these builds locally.
Can you all update the local build to provide this service?