Open breezewish opened 1 year ago
@breezewish are you using IAM policies? I got such an error when the auth session/creds had expired. And I bet it is exactly the same issue going on here. Find a way to extend the auth session/creds duration.
Yes, it should be the same issue. However due to IAM Role Chaining it seems to be impossible to just open a new session in the CodeBuild env with a longer session duration for Docker.
I've been experiencing this too today, doing something like this:
```shell
docker buildx create --driver=docker-container --use
export AWS_PROFILE=<profile>
docker buildx build --cache-to 'type=s3,...'
```
The profile backs onto a credential_process that obtains short-lived credentials of 15 minutes. This was working great, but I started bumping into the expiry time for the credentials issued to our internal CI system and received:
```text
#109 exporting cache to s3
#109 preparing build cache for export
#109 preparing build cache for export 53.8s done
#109 ERROR: failed to check file presence in cache: operation error S3: HeadObject, https response error StatusCode: 400, RequestID: AYJYEKEBKVJ72ARX, HostID: AumhGqp2ttKYlyJJjMvybDZJM1AGVvLaR6a64utX4qo0Cfz7HqRmvMst8fnbErBpnuBdDESASY323cPlWfUpoA==, api error BadRequest: Bad Request
```
I am not a seasoned reader of golang code or the moby ecosystem, but I think the issue might be that buildkitd is the piece doing the S3 export, relying on credentials (key id, secret, session token) passed to it, generated one time by buildx here: https://github.com/docker/buildx/blob/687feca9e8dcd1534ac4c026bc4db5a49de0dd6e/util/buildflags/cache.go#L102
I think technically buildkit is not to blame here, because reading the buildkitd code it has a fairly straightforward use of the AWS SDK that should generate and refresh credentials as needed. I think it's the buildx -> buildkitd interaction that has the problem.
I wonder what might be a fix for this? Perhaps there is some other approach that would let me use buildkitd without this issue? It seems that either buildx and buildkitd need some back and forth to refresh credentials, or it would be necessary to mount the AWS shared credentials file (and the tool used by credential_process) to the buildkitd container, so it can generate its own credentials dynamically instead
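The failure mode described in the comment above, as an added illustration that is not buildx or buildkit code: buildx resolves the AWS credential chain once, at build start, and hands buildkitd a static access key, secret and session token as S3 cache attributes, so a build that outlives those credentials fails at cache export. The helpers below take the JSON a `credential_process` prints (the documented AWS format: `Version` 1 with an ISO 8601 `Expiration`), compute how long that snapshot stays valid, and decide whether a one-time handoff is safe for a build of a given expected duration. The sample credential_process output and the bucket/region names are constructed placeholders; the attribute names `access_key_id`, `secret_access_key` and `session_token` are the documented buildkit S3 cache attributes.

```python
"""Why a long build breaks the S3 cache export when credentials are short-lived.

Added illustration, not buildx/buildkit code. buildx snapshots the credential
chain once and inlines the result into the cache attributes it sends to
buildkitd; buildkitd then cannot refresh them. These helpers make the expiry
arithmetic explicit.
"""
import json
from datetime import datetime

# Constructed sample of credential_process output. Placeholder values, not real keys.
SAMPLE_CREDENTIAL_PROCESS_OUTPUT = json.dumps({
    "Version": 1,
    "AccessKeyId": "ASIAEXAMPLEKEYID",
    "SecretAccessKey": "exampleSecretKeyDoNotUse",
    "SessionToken": "exampleSessionToken",
    "Expiration": "2024-01-01T12:15:00Z",  # 15-minute credentials issued at 12:00Z
})


def _parse_iso8601(value: str) -> datetime:
    """Parse an ISO 8601 timestamp, accepting the trailing 'Z' AWS emits."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_credential_process_output(raw: str) -> dict:
    """Parse credential_process JSON into a dict with a datetime Expiration (or None)."""
    data = json.loads(raw)
    if data.get("Version") != 1:
        raise ValueError("unsupported credential_process output version")
    creds = {
        "AccessKeyId": data["AccessKeyId"],
        "SecretAccessKey": data["SecretAccessKey"],
        "SessionToken": data.get("SessionToken"),
        "Expiration": None,
    }
    if data.get("Expiration"):
        creds["Expiration"] = _parse_iso8601(data["Expiration"])
    return creds


def seconds_remaining(creds: dict, now_iso: str):
    """Seconds until the snapshot expires at the given instant; None if it never expires."""
    if creds["Expiration"] is None:
        return None
    return (creds["Expiration"] - _parse_iso8601(now_iso)).total_seconds()


def static_handoff_is_safe(creds: dict, expected_build_seconds: float,
                           now_iso: str, safety_margin_seconds: float = 60) -> bool:
    """True if a one-time credential snapshot will still be valid when the
    cache export runs, i.e. after the whole build plus a safety margin."""
    remaining = seconds_remaining(creds, now_iso)
    if remaining is None:
        return True  # long-lived keys never expire mid-build
    return remaining - safety_margin_seconds >= expected_build_seconds


def s3_cache_attrs(creds: dict, bucket: str, region: str) -> str:
    """Render the buildkit S3 cache attribute string with the credential snapshot
    inlined, which is what buildkitd ends up holding for the build's lifetime."""
    attrs = {
        "type": "s3",
        "region": region,
        "bucket": bucket,
        "access_key_id": creds["AccessKeyId"],
        "secret_access_key": creds["SecretAccessKey"],
    }
    if creds["SessionToken"]:
        attrs["session_token"] = creds["SessionToken"]
    return ",".join(f"{k}={v}" for k, v in attrs.items())


if __name__ == "__main__":
    creds = parse_credential_process_output(SAMPLE_CREDENTIAL_PROCESS_OUTPUT)
    start = "2024-01-01T12:00:00Z"
    print("cache-to attrs:", s3_cache_attrs(creds, "example-bucket", "us-east-1"))
    print("seconds remaining at build start:", seconds_remaining(creds, start))
    for build_seconds in (600, 1200):
        ok = static_handoff_is_safe(creds, build_seconds, start)
        print(f"build of {build_seconds}s with static handoff: {'ok' if ok else 'export will fail'}")
```

With 15-minute credentials a build of 10 minutes passes the check and a 20-minute build does not, which matches the behaviour reported above: the export step is the last thing to run, so it is the first to see the expired token.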
Hi,
I'm using AWS CodeBuild with docker/buildx to build images, with S3 caches.
I discovered that when the Dockerfile takes a long time to build (for example, > 1h), the S3 cache export fails:
When the Dockerfile takes a shorter time to build (like 20min), the S3 cache export succeeds:
I suspect it might be caused by the default 1h session duration. However, I cannot find a way to extend it. Using an AK and SK cannot help in my case, because our security policy disallows the usage of AK and SK and we must use passwordless authentication.
Thanks!
Example reproduce:
Dockerfile:
CodeBuild spec (buildspec.yml):