

fix: CodeBuild runners not getting AWS role (#114)
Trying to use AWS API with CodeBuild runners resulted in:

    Unable to locate credentials. You can configure credentials by running "aws configure".

We were using sudo, which does not preserve the environment variables the AWS SDKs need to locate their credentials. Specifically, AWS_CONTAINER_CREDENTIALS_RELATIVE_URI was missing from the runner's environment.

Resolves #113
kichik committed Oct 8, 2022
1 parent 159fee4 commit f7e48f2
Showing 6 changed files with 14 additions and 10 deletions.
8 changes: 6 additions & 2 deletions .github/workflows/self-hosted.yml
Expand Up @@ -67,7 +67,9 @@ jobs:
- name: git
run: git --version
- name: aws
run: aws --version
run: |
aws --version
aws sts get-caller-identity
- name: gh
run: gh --version
- name: docker
Expand Down Expand Up @@ -115,7 +117,9 @@ jobs:
- name: git
run: git --version
- name: aws
run: aws --version
run: |
aws --version
aws sts get-caller-identity
- name: gh
run: gh --version
- name: docker
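Review bot: The `aws sts get-caller-identity` added to the `aws` step in both hunks only proves that the runner found some credentials; it does not check that the identity is the CodeBuild project's service role that #113 is about, and it writes the account ID and principal ARN into the workflow log, which is world-readable if this repository is public. If the goal is a plain credentials smoke test, `aws sts get-caller-identity > /dev/null` keeps the exit-status check without logging the identity; if the goal is to verify the role, compare `aws sts get-caller-identity --query Arn --output text` against the expected role ARN and fail the step on mismatch. The surrounding `steps:` lists and their jobs start and end outside both hunks.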
2 changes: 1 addition & 1 deletion src/providers/codebuild.ts
Expand Up @@ -164,7 +164,7 @@ export class CodeBuildRunner extends Construct implements IRunnerProvider {
},
build: {
commands: [
'sudo -Hu runner /home/runner/run.sh',
'sudo --preserve-env=AWS_CONTAINER_CREDENTIALS_RELATIVE_URI,AWS_DEFAULT_REGION,AWS_REGION -Hu runner /home/runner/run.sh',
],
},
},
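Review bot: Preserving `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` across the `sudo` on the new `build` command gives every GitHub workflow job executed by this runner the CodeBuild project's service role, which is the intended fix but is a trust-boundary decision that the code does not document. A comment above the commands array would make that explicit for the next maintainer, e.g. `// Pass the CodeBuild credential endpoint (and region) through sudo so jobs can use the project's service role. Every job scheduled onto this runner inherits that role, so keep its policy minimal.` The provider's README or construct docs should carry the same caveat so users size the role accordingly. The enclosing `CodeBuildRunner` constructor and build-spec object start and end outside this hunk.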
4 changes: 2 additions & 2 deletions test/default.integ.snapshot/github-runners-test.assets.json
Expand Up @@ -209,15 +209,15 @@
}
}
},
"c53d0139488bcb1a3c057fa9dbffcf70dbeab3f2a1f50f7ee5056421917eb0b3": {
"67bb69187cfab8d92c606055c7549fb01f0608721ec0deb1f23bdc5174ba94c1": {
"source": {
"path": "github-runners-test.template.json",
"packaging": "file"
},
"destinations": {
"current_account-current_region": {
"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
"objectKey": "c53d0139488bcb1a3c057fa9dbffcf70dbeab3f2a1f50f7ee5056421917eb0b3.json",
"objectKey": "67bb69187cfab8d92c606055c7549fb01f0608721ec0deb1f23bdc5174ba94c1.json",
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
}
}
4 changes: 2 additions & 2 deletions test/default.integ.snapshot/github-runners-test.template.json
Expand Up @@ -3280,7 +3280,7 @@
]
},
"Source": {
"BuildSpec": "{\n \"version\": \"0.2\",\n \"env\": {\n \"variables\": {\n \"RUNNER_TOKEN\": \"unspecified\",\n \"RUNNER_NAME\": \"unspecified\",\n \"RUNNER_LABEL\": \"unspecified\",\n \"OWNER\": \"unspecified\",\n \"REPO\": \"unspecified\",\n \"GITHUB_DOMAIN\": \"github.com\"\n }\n },\n \"phases\": {\n \"install\": {\n \"commands\": [\n \"nohup /usr/local/bin/dockerd --host=unix:///var/run/docker.sock --host=tcp://127.0.0.1:2375 --storage-driver=overlay2 &\",\n \"timeout 15 sh -c \\\"until docker info; do echo .; sleep 1; done\\\"\",\n \"sudo -Hu runner /home/runner/config.sh --unattended --url \\\"https://${GITHUB_DOMAIN}/${OWNER}/${REPO}\\\" --token \\\"${RUNNER_TOKEN}\\\" --ephemeral --work _work --labels \\\"${RUNNER_LABEL}\\\" --disableupdate --name \\\"${RUNNER_NAME}\\\"\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"sudo -Hu runner /home/runner/run.sh\"\n ]\n }\n }\n}",
"BuildSpec": "{\n \"version\": \"0.2\",\n \"env\": {\n \"variables\": {\n \"RUNNER_TOKEN\": \"unspecified\",\n \"RUNNER_NAME\": \"unspecified\",\n \"RUNNER_LABEL\": \"unspecified\",\n \"OWNER\": \"unspecified\",\n \"REPO\": \"unspecified\",\n \"GITHUB_DOMAIN\": \"github.com\"\n }\n },\n \"phases\": {\n \"install\": {\n \"commands\": [\n \"nohup /usr/local/bin/dockerd --host=unix:///var/run/docker.sock --host=tcp://127.0.0.1:2375 --storage-driver=overlay2 &\",\n \"timeout 15 sh -c \\\"until docker info; do echo .; sleep 1; done\\\"\",\n \"sudo -Hu runner /home/runner/config.sh --unattended --url \\\"https://${GITHUB_DOMAIN}/${OWNER}/${REPO}\\\" --token \\\"${RUNNER_TOKEN}\\\" --ephemeral --work _work --labels \\\"${RUNNER_LABEL}\\\" --disableupdate --name \\\"${RUNNER_NAME}\\\"\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"sudo --preserve-env=AWS_CONTAINER_CREDENTIALS_RELATIVE_URI,AWS_DEFAULT_REGION,AWS_REGION -Hu runner /home/runner/run.sh\"\n ]\n }\n }\n}",
"Type": "NO_SOURCE"
},
"Cache": {
Expand Down Expand Up @@ -4104,7 +4104,7 @@
]
},
"Source": {
"BuildSpec": "{\n \"version\": \"0.2\",\n \"env\": {\n \"variables\": {\n \"RUNNER_TOKEN\": \"unspecified\",\n \"RUNNER_NAME\": \"unspecified\",\n \"RUNNER_LABEL\": \"unspecified\",\n \"OWNER\": \"unspecified\",\n \"REPO\": \"unspecified\",\n \"GITHUB_DOMAIN\": \"github.com\"\n }\n },\n \"phases\": {\n \"install\": {\n \"commands\": [\n \"nohup /usr/local/bin/dockerd --host=unix:///var/run/docker.sock --host=tcp://127.0.0.1:2375 --storage-driver=overlay2 &\",\n \"timeout 15 sh -c \\\"until docker info; do echo .; sleep 1; done\\\"\",\n \"sudo -Hu runner /home/runner/config.sh --unattended --url \\\"https://${GITHUB_DOMAIN}/${OWNER}/${REPO}\\\" --token \\\"${RUNNER_TOKEN}\\\" --ephemeral --work _work --labels \\\"${RUNNER_LABEL}\\\" --disableupdate --name \\\"${RUNNER_NAME}\\\"\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"sudo -Hu runner /home/runner/run.sh\"\n ]\n }\n }\n}",
"BuildSpec": "{\n \"version\": \"0.2\",\n \"env\": {\n \"variables\": {\n \"RUNNER_TOKEN\": \"unspecified\",\n \"RUNNER_NAME\": \"unspecified\",\n \"RUNNER_LABEL\": \"unspecified\",\n \"OWNER\": \"unspecified\",\n \"REPO\": \"unspecified\",\n \"GITHUB_DOMAIN\": \"github.com\"\n }\n },\n \"phases\": {\n \"install\": {\n \"commands\": [\n \"nohup /usr/local/bin/dockerd --host=unix:///var/run/docker.sock --host=tcp://127.0.0.1:2375 --storage-driver=overlay2 &\",\n \"timeout 15 sh -c \\\"until docker info; do echo .; sleep 1; done\\\"\",\n \"sudo -Hu runner /home/runner/config.sh --unattended --url \\\"https://${GITHUB_DOMAIN}/${OWNER}/${REPO}\\\" --token \\\"${RUNNER_TOKEN}\\\" --ephemeral --work _work --labels \\\"${RUNNER_LABEL}\\\" --disableupdate --name \\\"${RUNNER_NAME}\\\"\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"sudo --preserve-env=AWS_CONTAINER_CREDENTIALS_RELATIVE_URI,AWS_DEFAULT_REGION,AWS_REGION -Hu runner /home/runner/run.sh\"\n ]\n }\n }\n}",
"Type": "NO_SOURCE"
},
"Cache": {
2 changes: 1 addition & 1 deletion test/default.integ.snapshot/manifest.json
Expand Up @@ -23,7 +23,7 @@
"validateOnSynth": false,
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
"cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/c53d0139488bcb1a3c057fa9dbffcf70dbeab3f2a1f50f7ee5056421917eb0b3.json",
"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/67bb69187cfab8d92c606055c7549fb01f0608721ec0deb1f23bdc5174ba94c1.json",
"requiresBootstrapStackVersion": 6,
"bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
"additionalDependencies": [
4 changes: 2 additions & 2 deletions test/default.integ.snapshot/tree.json
Expand Up @@ -4502,7 +4502,7 @@
},
"source": {
"type": "NO_SOURCE",
"buildSpec": "{\n \"version\": \"0.2\",\n \"env\": {\n \"variables\": {\n \"RUNNER_TOKEN\": \"unspecified\",\n \"RUNNER_NAME\": \"unspecified\",\n \"RUNNER_LABEL\": \"unspecified\",\n \"OWNER\": \"unspecified\",\n \"REPO\": \"unspecified\",\n \"GITHUB_DOMAIN\": \"github.com\"\n }\n },\n \"phases\": {\n \"install\": {\n \"commands\": [\n \"nohup /usr/local/bin/dockerd --host=unix:///var/run/docker.sock --host=tcp://127.0.0.1:2375 --storage-driver=overlay2 &\",\n \"timeout 15 sh -c \\\"until docker info; do echo .; sleep 1; done\\\"\",\n \"sudo -Hu runner /home/runner/config.sh --unattended --url \\\"https://${GITHUB_DOMAIN}/${OWNER}/${REPO}\\\" --token \\\"${RUNNER_TOKEN}\\\" --ephemeral --work _work --labels \\\"${RUNNER_LABEL}\\\" --disableupdate --name \\\"${RUNNER_NAME}\\\"\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"sudo -Hu runner /home/runner/run.sh\"\n ]\n }\n }\n}"
"buildSpec": "{\n \"version\": \"0.2\",\n \"env\": {\n \"variables\": {\n \"RUNNER_TOKEN\": \"unspecified\",\n \"RUNNER_NAME\": \"unspecified\",\n \"RUNNER_LABEL\": \"unspecified\",\n \"OWNER\": \"unspecified\",\n \"REPO\": \"unspecified\",\n \"GITHUB_DOMAIN\": \"github.com\"\n }\n },\n \"phases\": {\n \"install\": {\n \"commands\": [\n \"nohup /usr/local/bin/dockerd --host=unix:///var/run/docker.sock --host=tcp://127.0.0.1:2375 --storage-driver=overlay2 &\",\n \"timeout 15 sh -c \\\"until docker info; do echo .; sleep 1; done\\\"\",\n \"sudo -Hu runner /home/runner/config.sh --unattended --url \\\"https://${GITHUB_DOMAIN}/${OWNER}/${REPO}\\\" --token \\\"${RUNNER_TOKEN}\\\" --ephemeral --work _work --labels \\\"${RUNNER_LABEL}\\\" --disableupdate --name \\\"${RUNNER_NAME}\\\"\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"sudo --preserve-env=AWS_CONTAINER_CREDENTIALS_RELATIVE_URI,AWS_DEFAULT_REGION,AWS_REGION -Hu runner /home/runner/run.sh\"\n ]\n }\n }\n}"
},
"cache": {
"type": "NO_CACHE"
Expand Down Expand Up @@ -5665,7 +5665,7 @@
},
"source": {
"type": "NO_SOURCE",
"buildSpec": "{\n \"version\": \"0.2\",\n \"env\": {\n \"variables\": {\n \"RUNNER_TOKEN\": \"unspecified\",\n \"RUNNER_NAME\": \"unspecified\",\n \"RUNNER_LABEL\": \"unspecified\",\n \"OWNER\": \"unspecified\",\n \"REPO\": \"unspecified\",\n \"GITHUB_DOMAIN\": \"github.com\"\n }\n },\n \"phases\": {\n \"install\": {\n \"commands\": [\n \"nohup /usr/local/bin/dockerd --host=unix:///var/run/docker.sock --host=tcp://127.0.0.1:2375 --storage-driver=overlay2 &\",\n \"timeout 15 sh -c \\\"until docker info; do echo .; sleep 1; done\\\"\",\n \"sudo -Hu runner /home/runner/config.sh --unattended --url \\\"https://${GITHUB_DOMAIN}/${OWNER}/${REPO}\\\" --token \\\"${RUNNER_TOKEN}\\\" --ephemeral --work _work --labels \\\"${RUNNER_LABEL}\\\" --disableupdate --name \\\"${RUNNER_NAME}\\\"\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"sudo -Hu runner /home/runner/run.sh\"\n ]\n }\n }\n}"
"buildSpec": "{\n \"version\": \"0.2\",\n \"env\": {\n \"variables\": {\n \"RUNNER_TOKEN\": \"unspecified\",\n \"RUNNER_NAME\": \"unspecified\",\n \"RUNNER_LABEL\": \"unspecified\",\n \"OWNER\": \"unspecified\",\n \"REPO\": \"unspecified\",\n \"GITHUB_DOMAIN\": \"github.com\"\n }\n },\n \"phases\": {\n \"install\": {\n \"commands\": [\n \"nohup /usr/local/bin/dockerd --host=unix:///var/run/docker.sock --host=tcp://127.0.0.1:2375 --storage-driver=overlay2 &\",\n \"timeout 15 sh -c \\\"until docker info; do echo .; sleep 1; done\\\"\",\n \"sudo -Hu runner /home/runner/config.sh --unattended --url \\\"https://${GITHUB_DOMAIN}/${OWNER}/${REPO}\\\" --token \\\"${RUNNER_TOKEN}\\\" --ephemeral --work _work --labels \\\"${RUNNER_LABEL}\\\" --disableupdate --name \\\"${RUNNER_NAME}\\\"\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"sudo --preserve-env=AWS_CONTAINER_CREDENTIALS_RELATIVE_URI,AWS_DEFAULT_REGION,AWS_REGION -Hu runner /home/runner/run.sh\"\n ]\n }\n }\n}"
},
"cache": {
"type": "NO_CACHE"
