Closed medianotion closed 5 years ago
This sounds like a useful feature to me. Do you know what changes would be needed to make this happen?
AWS SDKs have built-in functionality to first check these standardized environment variables for credentials:
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
AWS_SESSION_TOKEN
AWS_DEFAULT_REGION
These environment variables are automatically populated by AWS EC2 when running under an IAM Role.
This check for credentials is automatically performed when the SDK constructor is not provided any credentials.
If Sleet is using the AWS SDK for S3, a possible change would be to support a sleet.json file that doesn’t require any credentials. Or has a setting for “useIAMRole”: “true”.
Sleet would then call the AmazonS3Client without any credentials and allow the SDK to find the credentials in the environment variables.
Setting profileName in sleet.json is supported today. You can see the change here: https://github.com/emgarten/Sleet/pull/54/files
Does this work for your environment, or do you still need env var support?
Yes, I need the environment variables. It is more secure because the IAM Role credentials that are set in the environment variables are short term credentials that expire. It saves the user of Sleet from having to create long term credentials that must be secured, rotated, etc.
I will just add that I'm currently evaluating using Sleet for a project I'm working on, and the lack of support for environment variables makes Sleet a non-starter for me.
In the specific case of a short-term credential (such as what sts:AssumeRole or sts:GetSessionToken returns), you need three pieces of information: the access key id, the access key secret, and the session token. Without the session token, the other two are insufficient to authenticate. The normal way that these get propagated is in environment variables, and the standard Amazon SDK classes already automatically detect the presence of these credentials and use them.
Unfortunately, if a profile is explicitly provided, it overrides the ambient credentials from the environment, which means that there is no way to include the session token, even if it is present. This is especially problematic in a situation where you have multiple Amazon accounts involved, since in a typical configuration, the credentials that can be selected using a profile would not have sufficient permissions to actually interact with an S3 bucket in a different account.
Separately from that, if running on an EC2 instance with an Instance Role assigned, the credentials that you want to use will need to be retrieved from the EC2 metadata API. The Amazon SDK classes already know about this and will fall back to the Instance Profile service on the metadata API endpoint automatically if no other credentials are present.
I believe that the code change required to do this is simple. You just need to allow omitting both the profile and the access key from the sleet.json; if neither are present, use the parameterless constructor of AmazonS3Client() and I believe it will just work. Basically: just remove the code that throws an exception here: https://github.com/emgarten/Sleet/blob/master/src/SleetLib/FileSystem/FileSystemFactory.cs#L129
If you wanted to be more explicit about it, you could also provide a dedicated config value in sleet.json to select this mode; e.g. something like "useInstanceCredentials": true, or "useIAMRole": true (as @medianotion suggested), or something. I'm not sure that that gains you much, though.
I'm happy to try to put together a pull request for this if it would help.
@dpryden a PR for this would be great! I'm happy to help out, so if you have any issues once you get into it just create a work in progress PR and ping me on it.
I don't understand S3 credentials as well as Azure, so if you can make a change and verify that it works correctly in your EC2 environment it would be a big help for this.
I'm fine with leaving out the additional sleet.json setting for this as long as the user gets a helpful error message when the feed isn't configured properly. I agree that it wouldn't add much, but if the experience from defaulting to AmazonS3Client() is cryptic when it goes to use it later, then I think an explicit opt in is needed.
Also, docs for S3 sleet are here: https://github.com/emgarten/Sleet/blob/master/doc/feed-type-s3.md If you create a PR feel free to add an example of the sleet.json needed to use the feature. S3 seems to be the most popular host for Sleet feeds, so I'm sure others will want to use this feature as well.
@medianotion have you had a chance to look at this?
I have.
I would prefer an explicit json attribute indicating that sleet should use role based authentication. This would allow sleet to not assume the user wants to use role based authentication over long term credentials.
However, I would be happy with any implementation that allowed for role based authentication.
Fixed by @iainb123 with https://github.com/emgarten/Sleet/pull/90
This change is in https://www.nuget.org/packages/Sleet/3.0.5
Thanks Justin,
Tried this out and it seems to all work as expected. Thank you for writing Sleet - we’re finding it very useful to maintain our NuGet repo on S3.
Iain
Thanks for putting together that fix, @iainb123. My apologies for not contributing a PR as I had said I could; I've been busy with other things and ultimately our team is not using Sleet for unrelated reasons, so it's hard to justify spending time on it.
One thing I will point out: the fix as currently implemented only will work for an EC2 Instance Profile role, since it requires the EC2 metadata API (169.254.169.254) to be accessible. This does not help for the use case I had in mind, which is an IAM Role assumed across accounts, where the access key, access secret, and session token are all in the environment.
My recommendation is to rip out all of this error handling code and instead just call sts:GetCallerIdentity (I don't know offhand where that is exposed in the C# API, though). If you get a valid caller identity, then you are good to go, regardless of what settings may or may not be present. If you don't get a valid caller identity, then you can try to throw a more helpful error message, although it's probably not helping as much as you might think it is.
Thanks Daniel,
GetCallerIdentity looks like a much nicer and more general solution. The existing code fixes our GitLab builds, but should be able to try this next week.
Iain
Thank you for your efforts.
However, it is not working in CodeBuild using an IAM Role and no credentials set in the sleet.json. Attached is my CodeBuild log.
The container running the CodeBuild has a valid AWS Role assigned to it.
I altered the build script to show that the container can call out to the metadata server and get valid credentials. I echoed the creds returned. I intentionally removed the AWS Key that was returned for security reasons.
If you look at the bottom of the log you will see that Sleet errors “attempted to verify that an IAM role is assigned to this EC2 instance, but was unable to do so”.
Please let me know if you have any questions.
[Container] 2019/09/26 15:04:54 Waiting for agent ping
[Container] 2019/09/26 15:04:54 Waiting for DOWNLOAD_SOURCE
[Container] 2019/09/26 15:04:54 Phase is DOWNLOAD_SOURCE
[Container] 2019/09/26 15:04:54 CODEBUILD_SRC_DIR=C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption
[Container] 2019/09/26 15:04:54 YAML location is C:\codebuild\readonly\buildspec.yml
[Container] 2019/09/26 15:04:54 Processing environment variables
[Container] 2019/09/26 15:04:54 Decrypting parameter store environment variables
[Container] 2019/09/26 15:05:03 Moving to directory C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption
[Container] 2019/09/26 15:05:06 Registering with agent
[Container] 2019/09/26 15:05:06 Phases found in YAML: 3
[Container] 2019/09/26 15:05:06 INSTALL: 5 commands
[Container] 2019/09/26 15:05:06 BUILD: 5 commands
[Container] 2019/09/26 15:05:06 POST_BUILD: 3 commands
[Container] 2019/09/26 15:05:06 Phase complete: DOWNLOAD_SOURCE State: SUCCEEDED
[Container] 2019/09/26 15:05:06 Phase context status code: Message:
[Container] 2019/09/26 15:05:06 Entering phase INSTALL
[Container] 2019/09/26 15:05:06 Running command aws s3 cp s3://aesto-nuget/codebuild/sleet.json sleet.json
Completed 332 Bytes/332 Bytes (3.6 KiB/s) with 1 file(s) remaining
download: s3://aesto-nuget/codebuild/sleet.json to .\sleet.json
[Container] 2019/09/26 15:05:12 Running command $creds_url = "http://169.254.170.2" + $env:AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
[Container] 2019/09/26 15:05:15 Running command $creds_output = (New-Object System.Net.WebClient).DownloadString($creds_url)
[Container] 2019/09/26 15:05:18 Running command echo $creds_output {"RoleArn":"AQICAHjf4Z7XKaJEIJTm4BPXVpqbE3boycdmzg3atIoxHNpzMAHomxbnpoUwUrp8dH4Omc74AAABADCB/QYJKoZIhvcNAQcGoIHvMIHsAgEAMIHmBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDM5vJ9Lcacom5MZBNwIBEICBuICII9vlk2FARTNp9GkzBByhxVMoPi+xqBrRjJSrp1EpVvWwF8GIhiNnWS0QLsU5x8ALfKhBwngwzj9MMOQFc8ABTx2uwfjOJvzVKKZ4E+czNYHDVOBNNuI6Nkx0H9tsgkDH8EdHCkqEo1fm6l9kv9iPvebbYpo6BNPvU12/L8y0cf/HFUbx1ONqbnE0pPnjwkp60ZfikjJ3rmzhM3EKpdU31EcZCO8UH4Won8KqzmiHMBtferWrpj8=","AccessKeyId":"Intentionally-removed","SecretAccessKey":"TkV6huQvGY0y6tEjix+Kf4c8D76Dnv5ze4tKZRmv","Token":"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","Expiration":"2019-09-26T16:04:02Z"}
[Container] 2019/09/26 15:05:22 Running command dotnet tool install -g sleet You can invoke the tool using the following command: sleet Tool 'sleet' (version '3.0.5') was successfully installed.
[Container] 2019/09/26 15:05:27 Phase complete: INSTALL State: SUCCEEDED
[Container] 2019/09/26 15:05:27 Phase context status code: Message:
[Container] 2019/09/26 15:05:27 Entering phase PRE_BUILD
[Container] 2019/09/26 15:05:27 Phase complete: PRE_BUILD State: SUCCEEDED
[Container] 2019/09/26 15:05:27 Phase context status code: Message:
[Container] 2019/09/26 15:05:27 Entering phase BUILD
[Container] 2019/09/26 15:05:27 Running command $proj_dir = (Get-ChildItem -Filter *.csproj -Recurse | Select-Object -First 1).Directory.Name
[Container] 2019/09/26 15:05:30 Running command cd $proj_dir
[Container] 2019/09/26 15:05:33 Running command nuget sources add -name "aesto" -source https://d1uowoilelxe35.cloudfront.net/index.json -username nugetUser -password $env:NUGET_PASSWORD Package Source with Name: aesto added successfully.
[Container] 2019/09/26 15:05:38 Running command dotnet restore --disable-parallel --force --no-cache Restoring packages for C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption\encryption\encryption.csproj... Generating MSBuild file C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption\encryption\obj\encryption.csproj.nuget.g.props. Generating MSBuild file C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption\encryption\obj\encryption.csproj.nuget.g.targets. Restore completed in 135.79 ms for C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption\encryption\encryption.csproj.
[Container] 2019/09/26 15:05:42 Running command dotnet build Microsoft (R) Build Engine version 15.7.179.6572 for .NET Core Copyright (C) Microsoft Corporation. All rights reserved.
Restore completed in 30.67 ms for C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption\encryption\encryption.csproj. encryption -> C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption\encryption\bin\Debug\netstandard2.0\encryption.dll Successfully created package 'C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption\encryption\bin\Debug\Security.Encryption.1.0.1.nupkg'.
Build succeeded. 0 Warning(s) 0 Error(s)
Time Elapsed 00:00:02.00
[Container] 2019/09/26 15:05:47 Phase complete: BUILD State: SUCCEEDED
[Container] 2019/09/26 15:05:47 Phase context status code: Message:
[Container] 2019/09/26 15:05:47 Entering phase POST_BUILD
[Container] 2019/09/26 15:05:47 Running command cd bin\Debug
[Container] 2019/09/26 15:05:50 Running command $nuget_pkg = (Get-ChildItem -Filter *.nupkg | Select-Object -Last 1).Name
[Container] 2019/09/26 15:05:53 Running command if ($nuget_pkg) { sleet push $nuget_pkg -s aesto } else { write-host("No nuget package to push.") }
[System.ArgumentException] As no credentials are set in the configuration attempted to verify that an IAM role is assigned to this EC2 instance, but was unable to do so (is this an EC2 instance with an IAM role assigned?): Error reaching AWS metadata server
[Container] 2019/09/26 15:05:57 Command did not exit successfully if ($nuget_pkg) { sleet push $nuget_pkg -s aesto } else { write-host("No nuget package to push.") } exit status 1
[Container] 2019/09/26 15:06:00 Phase complete: POST_BUILD State: FAILED
[Container] 2019/09/26 15:06:00 Phase context status code: COMMAND_EXECUTION_ERROR Message: Error while executing command: if ($nuget_pkg) { sleet push $nuget_pkg -s aesto } else { write-host("No nuget package to push.") }. Reason: exit status 1
[Container] 2019/09/26 15:06:00 Phase complete: UPLOAD_ARTIFACTS State: SUCCEEDED
[Container] 2019/09/26 15:06:00 Phase context status code: Message:
You seem to be using a different metadata server – do you know why it is on 169.254.170.2 and not 169.254.169.254? https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
I find this works on an EC2 instance spun up by GitLab with an IAM role, but perhaps this is an unusual case!
Iain
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-metadata-endpoint-v2.html
I tried switching to 169.254.169.254 and it failed.
I haven’t gotten deep into the Sleet code. I remember glancing at it months ago and thinking it wasn’t using the standard AWS SDK calls. Maybe I am wrong. If I am right, hard coding metadata urls and manually populating the key, secret and session is doing the work the SDK already does for us. I would recommend changing to use the AWS SDK … again if it is already not using it.
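The sts:GetCallerIdentity check recommended earlier in the thread, together with the suggestion above to let the AWS SDK locate credentials itself, looks like this in C#. This is an added example, not Sleet's code or any participant's; it assumes the AWSSDK.SecurityToken and AWSSDK.S3 NuGet packages, and the names AmbientCredentialCheck, VerifyAsync and CreateS3ClientAsync are hypothetical.

```csharp
// Added example (not Sleet's code). Assumes the AWSSDK.SecurityToken and
// AWSSDK.S3 NuGet packages. Class and method names are hypothetical.
using System;
using System.Threading.Tasks;
using Amazon;
using Amazon.Runtime;
using Amazon.S3;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;

public static class AmbientCredentialCheck
{
    private const string Hint =
        "No usable AWS credentials were found. Checked the SDK default chain: " +
        "AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN, shared profiles, " +
        "the container endpoint named by AWS_CONTAINER_CREDENTIALS_RELATIVE_URI, " +
        "and the EC2 instance profile.";

    // Asks STS who the ambient credentials belong to. No credentials are passed,
    // so the SDK resolves them itself: environment variables (session token
    // included), container credentials (CodeBuild/ECS) or the EC2 instance
    // profile. No metadata URL is hard-coded here.
    public static async Task<GetCallerIdentityResponse> VerifyAsync(RegionEndpoint region)
    {
        try
        {
            using (var sts = new AmazonSecurityTokenServiceClient(region))
            {
                // GetCallerIdentity requires no IAM permissions, so a failure
                // means the credentials are missing, expired or incomplete.
                return await sts.GetCallerIdentityAsync(new GetCallerIdentityRequest());
            }
        }
        catch (AmazonServiceException ex)
        {
            // STS rejected the request (for example an expired token, or a
            // temporary key sent without its session token), or the chain
            // found nothing to sign with.
            throw new InvalidOperationException(
                $"{Hint} STS error: {ex.ErrorCode} {ex.Message}", ex);
        }
        catch (AmazonClientException ex)
        {
            // Client-side failure before a request could be signed and sent.
            throw new InvalidOperationException($"{Hint} SDK error: {ex.Message}", ex);
        }
    }

    // Verifies the identity first, then builds the S3 client the same way,
    // without explicit keys, so both use the same resolved credentials.
    public static async Task<IAmazonS3> CreateS3ClientAsync(string regionName)
    {
        var region = RegionEndpoint.GetBySystemName(regionName);
        var identity = await VerifyAsync(region);

        // Log the ARN and account only; never the key, secret or token.
        Console.WriteLine($"AWS identity: {identity.Arn} (account {identity.Account})");
        return new AmazonS3Client(region);
    }

    public static async Task Main()
    {
        // Assumption: the region comes from AWS_DEFAULT_REGION, with us-east-1
        // as a fallback chosen only for this example.
        var regionName = Environment.GetEnvironmentVariable("AWS_DEFAULT_REGION") ?? "us-east-1";
        using (var s3 = await CreateS3ClientAsync(regionName))
        {
            Console.WriteLine("S3 client created with ambient credentials.");
        }
    }
}
```

Because GetCallerIdentity needs no IAM permissions, a failure here points at credential resolution rather than at bucket policy. The returned ARN identifies the role in a build log without printing the credential document.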
From: iainb123 notifications@github.com Sent: Thursday, September 26, 2019 10:30 AM To: emgarten/Sleet Sleet@noreply.github.com Cc: medianotion david.hart@medianotion.com; Mention mention@noreply.github.com Subject: Re: [emgarten/Sleet] Support AWS IAM Role credentials (#81)
You seem to be using a different metadata server – do you know why is it on 169.254.170.2 and not 169.254.169.254? https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
I find this works on an EC2 instance spun up by GitLab with an IAM role, but perhaps this is an unusual case!
Iain
From: medianotion <notifications@github.com mailto:notifications@github.com > Reply to: emgarten/Sleet <reply@reply.github.com mailto:reply@reply.github.com > Date: Thursday, 26 September 2019 at 16:17 To: emgarten/Sleet <Sleet@noreply.github.com mailto:Sleet@noreply.github.com > Cc: Iain Buchanan <iainbuc@gmail.com mailto:iainbuc@gmail.com >, Mention <mention@noreply.github.com mailto:mention@noreply.github.com > Subject: Re: [emgarten/Sleet] Support AWS IAM Role credentials (#81)
Thank you for your efforts.
However, it is not working in CodeBuild using an IAM Role and no credentials set in the sleet.json. Attached is my CodeBuild log.
The container running the CodeBuild has a valid AWS Role assigned to it.
I altered the build script to show that the container can call out to the metadata server and get valid credentials. I echoed the creds returned. I intentionally removed the AWS Key that was returned for security reasons.
If you look at the bottom of the log you will see that Sleet errors “attempted to verify that an IAM role is assigned to this EC2 instance, but was unable to do so”.
Please let me know if you have any questions.
From: Daniel Pryden <notifications@github.com> Sent: Thursday, September 26, 2019 6:40 AM To: emgarten/Sleet <Sleet@noreply.github.com> Cc: medianotion <david.hart@medianotion.com>; Mention <mention@noreply.github.com> Subject: Re: [emgarten/Sleet] Support AWS IAM Role credentials (#81)
Thanks for putting together that fix, @iainb123 https://github.com/iainb123 . My apologies for not contributing a PR as I had said I could; I've been busy with other things and ultimately our team is not using Sleet for unrelated reasons, so it's hard to justify spending time on it.
One thing I will point out: the fix as currently implemented only will work for an EC2 Instance Profile role, since it requires the EC2 metadata API (169.254.169.254) to be accessible. This does not help for the use case I had in mind, which is an IAM Role assumed across accounts, where the access key, access secret, and session token are all in the environment.
My recommendation is to rip out all of this error handling code and instead just call sts:GetCallerIdentity (I don't know offhand where that is exposed in the C# API, though). If you get a valid caller identity, then you are good to go, regardless of what settings may or may not be present. If you don't get a valid caller identity, then you can try to throw a more helpful error message, although it's probably not helping as much as you might think it is.
[Container] 2019/09/26 15:04:54 Waiting for agent ping
[Container] 2019/09/26 15:04:54 Waiting for DOWNLOAD_SOURCE
[Container] 2019/09/26 15:04:54 Phase is DOWNLOAD_SOURCE
[Container] 2019/09/26 15:04:54 CODEBUILD_SRC_DIR=C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption
[Container] 2019/09/26 15:04:54 YAML location is C:\codebuild\readonly\buildspec.yml
[Container] 2019/09/26 15:04:54 Processing environment variables
[Container] 2019/09/26 15:04:54 Decrypting parameter store environment variables
[Container] 2019/09/26 15:05:03 Moving to directory C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption
[Container] 2019/09/26 15:05:06 Registering with agent
[Container] 2019/09/26 15:05:06 Phases found in YAML: 3
[Container] 2019/09/26 15:05:06 INSTALL: 5 commands
[Container] 2019/09/26 15:05:06 BUILD: 5 commands
[Container] 2019/09/26 15:05:06 POST_BUILD: 3 commands
[Container] 2019/09/26 15:05:06 Phase complete: DOWNLOAD_SOURCE State: SUCCEEDED
[Container] 2019/09/26 15:05:06 Phase context status code: Message:
[Container] 2019/09/26 15:05:06 Entering phase INSTALL
[Container] 2019/09/26 15:05:06 Running command aws s3 cp s3://aesto-nuget/codebuild/sleet.json sleet.json
Completed 332 Bytes/332 Bytes (3.6 KiB/s) with 1 file(s) remaining
download: s3://aesto-nuget/codebuild/sleet.json to .\sleet.json
[Container] 2019/09/26 15:05:12 Running command $creds_url = "http://169.254.170.2" + $env:AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
[Container] 2019/09/26 15:05:15 Running command $creds_output = (New-Object System.Net.WebClient).DownloadString($creds_url)
[Container] 2019/09/26 15:05:18 Running command echo $creds_output {"RoleArn":"[removed]","AccessKeyId":"Intentionally-removed","SecretAccessKey":"[removed]","Token":"[removed]","Expiration":"2019-09-26T16:04:02Z"}
[Container] 2019/09/26 15:05:22 Running command dotnet tool install -g sleet You can invoke the tool using the following command: sleet Tool 'sleet' (version '3.0.5') was successfully installed.
[Container] 2019/09/26 15:05:27 Phase complete: INSTALL State: SUCCEEDED
[Container] 2019/09/26 15:05:27 Phase context status code: Message:
[Container] 2019/09/26 15:05:27 Entering phase PRE_BUILD
[Container] 2019/09/26 15:05:27 Phase complete: PRE_BUILD State: SUCCEEDED
[Container] 2019/09/26 15:05:27 Phase context status code: Message:
[Container] 2019/09/26 15:05:27 Entering phase BUILD
[Container] 2019/09/26 15:05:27 Running command $proj_dir = (Get-ChildItem -Filter *.csproj -Recurse | Select-Object -First 1).Directory.Name
[Container] 2019/09/26 15:05:30 Running command cd $proj_dir
[Container] 2019/09/26 15:05:33 Running command nuget sources add -name "aesto" -source https://d1uowoilelxe35.cloudfront.net/index.json -username nugetUser -password $env:NUGET_PASSWORD Package Source with Name: aesto added successfully.
[Container] 2019/09/26 15:05:38 Running command dotnet restore --disable-parallel --force --no-cache Restoring packages for C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption\encryption\encryption.csproj... Generating MSBuild file C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption\encryption\obj\encryption.csproj.nuget.g.props. Generating MSBuild file C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption\encryption\obj\encryption.csproj.nuget.g.targets. Restore completed in 135.79 ms for C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption\encryption\encryption.csproj.
[Container] 2019/09/26 15:05:42 Running command dotnet build Microsoft (R) Build Engine version 15.7.179.6572 for .NET Core Copyright (C) Microsoft Corporation. All rights reserved.
Restore completed in 30.67 ms for C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption\encryption\encryption.csproj. encryption -> C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption\encryption\bin\Debug\netstandard2.0\encryption.dll Successfully created package 'C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption\encryption\bin\Debug\Security.Encryption.1.0.1.nupkg'.
Build succeeded. 0 Warning(s) 0 Error(s)
Time Elapsed 00:00:02.00
[Container] 2019/09/26 15:05:47 Phase complete: BUILD State: SUCCEEDED
[Container] 2019/09/26 15:05:47 Phase context status code: Message:
[Container] 2019/09/26 15:05:47 Entering phase POST_BUILD
[Container] 2019/09/26 15:05:47 Running command cd bin\Debug
[Container] 2019/09/26 15:05:50 Running command $nuget_pkg = (Get-ChildItem -Filter *.nupkg | Select-Object -Last 1).Name
[Container] 2019/09/26 15:05:53 Running command if ($nuget_pkg) { sleet push $nuget_pkg -s aesto } else { write-host("No nuget package to push.") }
[System.ArgumentException] As no credentials are set in the configuration attempted to verify that an IAM role is assigned to this EC2 instance, but was unable to do so (is this an EC2 instance with an IAM role assigned?): Error reaching AWS metadata server
[Container] 2019/09/26 15:05:57 Command did not exit successfully if ($nuget_pkg) { sleet push $nuget_pkg -s aesto } else { write-host("No nuget package to push.") } exit status 1
[Container] 2019/09/26 15:06:00 Phase complete: POST_BUILD State: FAILED
[Container] 2019/09/26 15:06:00 Phase context status code: COMMAND_EXECUTION_ERROR Message: Error while executing command: if ($nuget_pkg) { sleet push $nuget_pkg -s aesto } else { write-host("No nuget package to push.") }. Reason: exit status 1
[Container] 2019/09/26 15:06:00 Phase complete: UPLOAD_ARTIFACTS State: SUCCEEDED
[Container] 2019/09/26 15:06:00 Phase context status code: Message:
Provide support for AWS IAM Role credentials rather than having to set long term credentials in the sleet.json or reference a user's .aws profile. This would allow Sleet to be used with automated build processes that run under an IAM Role and be more secure.
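Added example, not part of the thread or of Sleet's code: the sts:GetCallerIdentity pre-flight check suggested above, written against the AWS SDK for .NET so that the SDK's default credential chain (environment variables, the container endpoint, or the EC2 instance profile) picks the source instead of a hard-coded metadata address. It assumes the AWSSDK.SecurityToken and AWSSDK.S3 NuGet packages; the class name, the hint list and the us-east-1 region are illustrative choices.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Amazon;
using Amazon.Runtime;
using Amazon.S3;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;

public static class CredentialPreflight // hypothetical name, not a Sleet type
{
    // Variable names only: the values are secrets and must never reach a build log.
    static readonly string[] Hints =
    {
        "AWS_ACCESS_KEY_ID", "AWS_SESSION_TOKEN", "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
    };

    // Returns the ARN the process is running as, or throws with a diagnostic hint.
    public static async Task<string> GetCallerArnAsync(RegionEndpoint region)
    {
        try
        {
            // No credentials are passed in, so the SDK resolves them itself.
            using (var sts = new AmazonSecurityTokenServiceClient(region))
            {
                var id = await sts.GetCallerIdentityAsync(new GetCallerIdentityRequest());
                return id.Arn;
            }
        }
        catch (Exception ex) when (ex is AmazonServiceException || ex is AmazonClientException)
        {
            var present = Hints.Where(
                n => !string.IsNullOrEmpty(Environment.GetEnvironmentVariable(n)));
            throw new InvalidOperationException(
                "No usable AWS credentials (" + ex.Message + "). Variables set: " +
                string.Join(", ", present.DefaultIfEmpty("none")), ex);
        }
    }

    public static async Task Main()
    {
        var region = RegionEndpoint.USEast1; // assumption: the region seen in the log
        Console.WriteLine("Running as " + await GetCallerArnAsync(region));
        // An S3 client built the same way resolves the same identity.
        using (var s3 = new AmazonS3Client(region)) { /* feed operations go here */ }
    }
}
```

On failure the message reports only which credential-related variables are set, which is enough to tell an EC2 instance profile from a container role or an assumed role without echoing the credentials themselves.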