Use appropriate ECS credentials on CodeBuild maven job

Submitted by 无人久伴 on 2019-12-01 11:21:39

Question


I am trying to use the CodeBuild service role in my mvn command, but it does not seem to be picking up the appropriate IAM permissions. I am using the s3-wagon-private plugin, which does appear to use a recent version of DefaultAWSCredentialsProviderChain that includes EC2ContainerCredentialsProviderWrapper, so I thought it should use the CodeBuild role on the CodeBuild container. That role has the appropriate permissions to the S3 repo I am trying to access with s3-wagon-private.

But it appears that without using a Clojure project and a project.cloj, it will not use the DefaultAWSCredentialsProviderChain by default. I have looked at Spring AWS Maven and Maven S3 Wagon, but both are using a version of the DefaultAWSCredentialsProviderChain prior to the addition of the ECS credentials (AWS SDK ~1.11.14) and haven't seen much update to them, so I am not overly confident we could get the SDK version updated/tested/released.

Does anyone know of a simple means of using S3 as a Maven repo with a recent version of the DefaultCredentialProviderChain?


Answer 1:


My workaround is to put a settings.xml file in an S3 bucket that's restricted to my CodeBuild role. Then in my buildspec.yaml file, I add the following:

version: 0.2

phases:
  build:
    commands:
      # fetch the settings.xml using the CodeBuild container role, then hand it to Maven
      - aws s3 cp s3://MY_SECURE_BUCKET/settings.xml ~/.m2/settings.xml
      - ls -lhr ~/.m2/settings.xml
      - mvn -s ~/.m2/settings.xml package

The CodeBuild user has no problem grabbing the settings.xml file from S3 with the container IAM role, and the settings.xml contains an AWS key/secret for a user who only has access to the S3 Maven repo:

    <settings>
      <servers>
        <server>
          <id>s3repo</id>
          <username>MYKEY</username>
          <password>MYSECRET</password>
        </server>
      </servers>
    </settings>

And then I am using the maven-s3-wagon plugin and declare a <repository> with <id>s3repo</id>, and my Maven dependencies resolve fine.

This solution involves an extra step in the build, creating an additional Maven-repo-only IAM user (though you may already have one), and storing an extra file in S3; but it works fine and seems secure. But if anyone can figure out a way to pull from the S3 Maven repo using the container's IAM creds, please post another solution.




Answer 2:


When using AWS containers (as CodeBuild does), the instance metadata is at a different location from the usual http://169.254.169.254/latest/meta-data/

Instead, AWS sets an environment variable $AWS_CONTAINER_CREDENTIALS_RELATIVE_URI which points to the correct URI for obtaining the metadata. This is required by the AWS SDKs and other tools in order to assume an IAM role.

The correct URL on an AWS container is:

http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI

Currently supported AWS SDKs support this feature, but it may be lacking in older tools. The AWS instance metadata documentation explains it in more detail.
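The container endpoint from Answer 2 can also be used to avoid the long-lived IAM user key from Answer 1: an SDK too old to know about EC2ContainerCredentialsProviderWrapper still reads AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN from the environment, so the build can fetch the role credentials from 169.254.170.2 itself and export them before running mvn. The script below is an added example, not code from either answer or from any of the Maven plugins mentioned; it assumes curl is present in the build image and that the endpoint returns the documented JSON shape with AccessKeyId, SecretAccessKey and Token fields. The JSON in the comments is constructed for illustration.

```shell
#!/bin/sh
# Added example: expose the CodeBuild container role credentials as the
# standard AWS_* environment variables so that an AWS SDK whose
# DefaultAWSCredentialsProviderChain predates the ECS credentials provider
# still picks them up via its environment-variable provider.

# Build the credentials URL from the relative URI that AWS injects into the
# container. An explicit argument overrides the environment (used for testing).
container_creds_url() {
  rel="${1:-$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI}"
  if [ -z "$rel" ]; then
    echo "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is not set; not running in an AWS container?" >&2
    return 1
  fi
  printf 'http://169.254.170.2%s\n' "$rel"
}

# Extract one string-valued field from the JSON document on stdin.
# The credential response is flat, so a sed capture is enough; no jq needed.
json_field() {
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Turn the credential JSON on stdin into `export` lines for the three
# variables every AWS SDK version understands. Fails if a field is missing,
# so a bad response never silently yields empty credentials.
# Example (constructed) input:
#   {"AccessKeyId":"ASIAEXAMPLEKEY","SecretAccessKey":"examplesecret",
#    "Token":"exampletoken","Expiration":"2019-12-01T12:21:39Z"}
creds_to_exports() {
  body=$(cat)
  key=$(printf '%s' "$body" | json_field AccessKeyId)
  secret=$(printf '%s' "$body" | json_field SecretAccessKey)
  token=$(printf '%s' "$body" | json_field Token)
  if [ -z "$key" ] || [ -z "$secret" ] || [ -z "$token" ]; then
    echo "credential response is missing AccessKeyId, SecretAccessKey or Token" >&2
    return 1
  fi
  # Single-quote the values: session tokens contain '+', '/' and '='.
  printf "export AWS_ACCESS_KEY_ID='%s'\n" "$key"
  printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$secret"
  printf "export AWS_SESSION_TOKEN='%s'\n" "$token"
}

# Fetch the role credentials and export them into the current shell.
# The role credentials are temporary; a fresh build fetches a fresh set.
export_container_creds() {
  url=$(container_creds_url) || return 1
  exports=$(curl -sS --fail "$url" | creds_to_exports) || return 1
  eval "$exports"
}

# Usage in a buildspec (same command line, so mvn inherits the variables):
#   - . ./container-creds.sh && export_container_creds && mvn package
```

Keeping the sourcing, the export and the mvn invocation on one buildspec command line matters: each command in buildspec is run in its own shell, so variables exported in one command are not visible to the next. The repository definition in the POM and the wagon plugin stay as in Answer 1; only the <server> entry with the static key in settings.xml becomes unnecessary, because the wagon's SDK now finds the role credentials in the environment.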



Source: https://stackoverflow.com/questions/42794486/use-appropriate-ecs-credentials-on-codebuild-maven-job
