aws / aws-codebuild-docker-images

Official AWS CodeBuild repository for managed Docker images http://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref.html

AWS_CONTAINER_CREDENTIALS_RELATIVE_URI not provided for Local CodeBuild #179

Closed joekiller closed 5 years ago

joekiller commented 5 years ago

We have several builds that pass the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable per Troubleshooting CodeBuild Error: "Unable to Locate Credentials"

So when we try the following, AWS_CONTAINER_CREDENTIALS_RELATIVE_URI isn't in the environment, so I cannot test these builds locally.

docker build --build-arg AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION --build-arg AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI -t your-image-tag .

Can you all update the local build to provide this service?

subinataws commented 5 years ago

AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is only available within the context of CodeBuild on AWS cloud. How are you using the environment variable within your builds? How does it affect your local builds? A buildspec sample would be great.

joekiller commented 5 years ago

Our primary use case is pretty much exactly what is outlined in the Troubleshooting CodeBuild Error: "Unable to Locate Credentials" link I posted prior. We pass the IAM role of the build to our docker image being built or run. The docker image may be creating an artifact or be the artifact itself.

For example, the role is used to resolve python pip requirements.txt entries like git+https://git-codecommit.us-east-1.amazonaws.com/v1/repos/my-awesome-project@master#egg=my-awesome-project which relies on the CodeCommit AWS CLI Credential Helper to access the repository.

Another way the role is used is via s3-wagon-private which allows maven dependencies to live on s3 buckets and the dependency tool resolves permissions via the IAM role.

Currently Local CodeBuild lets me use the -c switch which works fine for enabling a "role" for code running in the build space itself but not if we want to run our docker builds with an IAM/credential enabled environment.

A typical buildspec is:

version: 0.2

env:
  variables:
    FN_NAME: "my-awesome-function"

phases:
  install:
    commands:
      - mkdir -p target
      - printenv >> target/metadata
  build:
    commands:
      - docker build -t ${FN_NAME} .
      - docker run -e AWS_REGION=${AWS_REGION} -e AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION} -e AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI} -v $(pwd)/target:/tmp/target ${FN_NAME}

artifacts:
  files:
    - '**/*'
  base-directory: target

or

version: 0.2

env:
  variables:
    FN_NAME: "my-awesome-function"

phases:
  install:
    commands:
      - mkdir -p target
      - printenv >> target/metadata
  build:
    commands:
      - docker build --build-arg AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION --build-arg AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI -t ${FN_NAME} .
      - docker run -v $(pwd)/target:/tmp/target ${FN_NAME} cp /opt/artifact.zip /tmp/target/

artifacts:
  files:
    - '**/*'
  base-directory: target

Ideally if I pass -c to CodeBuild Local then AWS_CONTAINER_CREDENTIALS_RELATIVE_URI has a little service that passes the "role" along.

joekiller commented 5 years ago

Typically we work around this problem in a "local build" because we just run the docker build locally and mount in our .aws directory via -v ~/.aws:/root/.aws:ro. Adding the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI would allow us to adopt using CodeBuild Local for our build flow thus reducing ops build message commit hell.

joekiller commented 5 years ago

Y'all should grab something from the recent ECS local service: https://aws.amazon.com/blogs/compute/a-guide-to-locally-testing-containers-with-amazon-ecs-local-endpoints-and-docker-compose/

joekiller commented 5 years ago

Hi, I was able to get everything working by running the ECS Local Container Endpoints and updating my iptables to route requests to it per

https://github.com/awslabs/amazon-ecs-local-container-endpoints#option-2-set-up-iptables-rules

I also had to provide an environment variable file:

AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/creds

And then I could run:

codebuild_build.sh -c -i 'aws/codebuild/docker:18.09.0' -a /tmp -e local_build_env

And even my docker containers got IAM credentials. Local CodeBuild nirvana!

joekiller commented 5 years ago

PS on macOS you can do

sudo ifconfig lo0 alias 169.254.170.2 255.255.255.255

and then

docker run -d -p 80:51679 \
-v /var/run:/var/run \
-v $HOME/.aws/:/home/.aws/ \
-e "ECS_LOCAL_METADATA_PORT=51679" \
--name ecs-local-endpoints \
amazon/amazon-ecs-local-container-endpoints:latest

and that should make it work on Docker Desktop for macOS.

to remove the alias do

sudo ifconfig lo0 -alias 169.254.170.2
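
The environment file above (AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/creds) works because every AWS SDK and the CLI resolve that variable to a URL on the fixed link-local address 169.254.170.2, which the iptables rule or the loopback alias then steers to the ECS local endpoints container. The script below is an added example, not code from this repository or from the thread: it reproduces the SDK lookup, fetches the credential document the endpoint serves, and returns a redacted summary so the plumbing can be checked before a real build is run. The sample JSON embedded in it is constructed; AWS_CONTAINER_CREDENTIALS_FULL_URI and AWS_CONTAINER_AUTHORIZATION_TOKEN are the SDKs' companion variables for endpoints that are not on 169.254.170.2.

```python
"""Resolve and sanity-check the container credential endpoint that
AWS_CONTAINER_CREDENTIALS_RELATIVE_URI points at.

Added example for the thread above; not code from aws-codebuild-docker-images
or amazon-ecs-local-container-endpoints.
"""
import json
import os
import urllib.request
from datetime import datetime

# Fixed link-local host the SDKs prepend to the relative URI.
CONTAINER_CREDENTIALS_HOST = "http://169.254.170.2"

# Fields every SDK expects in the credential document.
REQUIRED_FIELDS = ("AccessKeyId", "SecretAccessKey", "Token", "Expiration")

# Constructed sample response, shaped like what the endpoint returns.
SAMPLE_RESPONSE = json.dumps({
    "AccessKeyId": "ASIACONSTRUCTEDEXAMPLE",
    "SecretAccessKey": "constructed-secret-not-real",
    "Token": "constructed-session-token-not-real",
    "Expiration": "2030-01-01T00:00:00Z",
})


def container_credentials_url(env=None):
    """Mirror the SDK lookup order: the relative URI (ECS / CodeBuild style)
    wins, then the full URI. None means no container provider is configured,
    which is exactly the situation the original issue describes."""
    env = os.environ if env is None else env
    relative = env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
    if relative:
        if not relative.startswith("/"):
            raise ValueError("relative URI must start with '/'")
        return CONTAINER_CREDENTIALS_HOST + relative
    return env.get("AWS_CONTAINER_CREDENTIALS_FULL_URI") or None


def parse_credentials(body):
    """Validate the JSON document the endpoint returns and produce a redacted
    summary. Secret material is deliberately not part of the return value."""
    doc = json.loads(body)
    missing = [f for f in REQUIRED_FIELDS if not doc.get(f)]
    if missing:
        raise ValueError(f"credential document missing fields: {missing}")
    # The endpoint uses an ISO-8601 timestamp with a trailing 'Z'.
    expires_at = datetime.fromisoformat(doc["Expiration"].replace("Z", "+00:00"))
    return {
        "access_key_id": doc["AccessKeyId"],
        "has_session_token": bool(doc["Token"]),
        # Heuristic: STS-issued (role) keys start with 'ASIA'.
        "looks_temporary": doc["AccessKeyId"].startswith("ASIA"),
        "expires_at": expires_at,
    }


def fetch_credentials(url, timeout=2.0):
    """GET the endpoint the way an SDK would, including the optional
    Authorization header, and return the redacted summary."""
    req = urllib.request.Request(url)
    token = os.environ.get("AWS_CONTAINER_AUTHORIZATION_TOKEN")
    if token:
        req.add_header("Authorization", token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_credentials(resp.read().decode("utf-8"))


def demo():
    """Offline run of the parser over the constructed sample document."""
    return parse_credentials(SAMPLE_RESPONSE)


if __name__ == "__main__":
    url = container_credentials_url()
    if url is None:
        raise SystemExit("no AWS_CONTAINER_CREDENTIALS_*_URI in the environment")
    print("credential endpoint:", url)
    print(fetch_credentials(url))
```

Run it inside the local CodeBuild container (or any container started with the same -e file) after the endpoints container is up; a connection error at 169.254.170.2 means the iptables rule or loopback alias is not in place, while a missing-field error means the endpoint answered but not with a credential document.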

alexanderpolson commented 1 year ago

For those that have come here and are having trouble with SSO-based credentials, check out this issue for a fix: https://github.com/awslabs/amazon-ecs-local-container-endpoints/issues/51