
AWS_CONTAINER_CREDENTIALS_RELATIVE_URI not provided for Local CodeBuild #179

Closed
joekiller opened this issue Mar 19, 2019 · 7 comments

Comments

@joekiller
Contributor

We have several builds that pass the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable per Troubleshooting CodeBuild Error: "Unable to Locate Credentials".

So when we try the following, AWS_CONTAINER_CREDENTIALS_RELATIVE_URI isn't in the environment, so I cannot test these builds locally.

docker build --build-arg AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION --build-arg AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI -t your-image-tag .

Can you all update the local build to provide this service?

@subinataws
Contributor

AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is only available within the context of CodeBuild on AWS cloud. How are you using the environment variable within your builds? How does it affect your local builds? A buildspec sample would be great.

@joekiller
Contributor Author

Our primary use case is pretty much exactly what is outlined in the Troubleshooting CodeBuild Error: "Unable to Locate Credentials" link I posted prior. We pass the IAM role of the build to our docker image being built or run. The docker image may be creating an artifact or be the artifact itself.

For example, the role is used to resolve python pip requirements.txt entries like git+https://git-codecommit.us-east-1.amazonaws.com/v1/repos/my-awesome-project@master#egg=my-awesome-project, which relies on the CodeCommit AWS CLI Credential Helper to access the repository.

Another way the role is used is via s3-wagon-private which allows maven dependencies to live on s3 buckets and the dependency tool resolves permissions via the IAM role.

Currently Local CodeBuild lets me use the -c switch which works fine for enabling a "role" for code running in the build space itself but not if we want to run our docker builds with an IAM/credential enabled environment.

A typical buildspec is:

version: 0.2

env:
  variables:
    FN_NAME: "my-awesome-function"

phases:
  install:
    commands:
      - mkdir -p target
      - printenv >> target/metadata
  build:
    commands:
      - docker build -t ${FN_NAME} .
      - docker run -e AWS_REGION=${AWS_REGION} -e AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION} -e AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI} -e AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION} -v $(pwd)/target:/tmp/target ${FN_NAME}

artifacts:
  files:
    - '**/*'
  base-directory: target

or

version: 0.2

env:
  variables:
    FN_NAME: "my-awesome-function"

phases:
  install:
    commands:
      - mkdir -p target
      - printenv >> target/metadata
  build:
    commands:
      - docker build --build-arg AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION --build-arg AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI -t ${FN_NAME} .
      - docker run -v $(pwd)/target:/tmp/target ${FN_NAME} cp /opt/artifact.zip /tmp/target/

artifacts:
  files:
    - '**/*'
  base-directory: target

Ideally, if I pass -c to CodeBuild Local, then AWS_CONTAINER_CREDENTIALS_RELATIVE_URI has a little service behind it that passes the "role" along.

@joekiller
Contributor Author

Typically we work around this problem in a "local build" because we just run the docker build locally and mount in our .aws directory via -v ~/.aws:/root/.aws:ro. Adding the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI would allow us to adopt using CodeBuild Local for our build flow, thus reducing ops build message commit hell.

@joekiller
Contributor Author

Hi, I was able to get everything working by running the ECS Local Container Endpoints and updating my iptables to route requests to it per

https://github.com/awslabs/amazon-ecs-local-container-endpoints#option-2-set-up-iptables-rules

I also had to provide an environment variable file:

AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/creds

And then I could run:

codebuild_build.sh -c -i 'aws/codebuild/docker:18.09.0' -a /tmp -e local_build_env

And even my docker containers got IAM credentials. Local CodeBuild nirvana!
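As an added example (not code from this thread or from the ECS local endpoints project), a small Python check that resolves the credential URL the same way the AWS SDKs do (the fixed link-local host http://169.254.170.2 plus AWS_CONTAINER_CREDENTIALS_RELATIVE_URI) and validates the JSON the endpoint returns, so you can confirm the iptables or loopback-alias routing works before launching codebuild_build.sh. The field names follow the ECS credential provider response; the sample response in the code is constructed.

```python
import json
import os
from datetime import datetime, timezone
from urllib.request import urlopen

# Link-local address the AWS SDKs call for container credentials.
ECS_CREDENTIALS_HOST = "http://169.254.170.2"
REQUIRED_FIELDS = ("AccessKeyId", "SecretAccessKey", "Token", "Expiration")

# Constructed sample of what the endpoint returns (not real credentials).
SAMPLE_RESPONSE = json.dumps({
    "AccessKeyId": "ASIAEXAMPLEKEY",
    "SecretAccessKey": "example-secret",
    "Token": "example-session-token",
    "Expiration": "2019-04-03T18:00:00Z",
    "RoleArn": "arn:aws:iam::123456789012:role/example-build-role",
})


def credential_url(env):
    """Build the URL an SDK would call, or None if the variable is unset.

    `env` is a mapping such as os.environ; the relative URI must start with '/'.
    """
    rel = env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
    if not rel or not rel.startswith("/"):
        return None
    return ECS_CREDENTIALS_HOST + rel


def parse_credentials(body, now=None):
    """Validate the endpoint's JSON and return seconds until expiry.

    Raises ValueError on missing fields or already-expired credentials, so a
    build is not started against an endpoint serving unusable credentials.
    """
    doc = json.loads(body)
    missing = [f for f in REQUIRED_FIELDS if not doc.get(f)]
    if missing:
        raise ValueError("response missing fields: " + ", ".join(missing))
    # Expiration is ISO 8601 UTC with a trailing 'Z'.
    expires = datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    expires = expires.replace(tzinfo=timezone.utc)
    remaining = (expires - (now or datetime.now(timezone.utc))).total_seconds()
    if remaining <= 0:
        raise ValueError("credentials expired at " + doc["Expiration"])
    return int(remaining)


def check_local_endpoint(env=os.environ, timeout=2):
    """Fetch credentials via the local endpoint; returns seconds of validity."""
    url = credential_url(env)
    if url is None:
        raise RuntimeError("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI not set (pass it with -e)")
    with urlopen(url, timeout=timeout) as resp:  # fails fast if routing is wrong
        return parse_credentials(resp.read().decode("utf-8"))
```

Run it inside the same environment file you pass to codebuild_build.sh (AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/creds) with `python -c "import check; print(check.check_local_endpoint())"`; a connection error means traffic to 169.254.170.2 is not reaching the endpoints container.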

@joekiller
Contributor Author

joekiller commented Apr 3, 2019

PS on macOS you can do

sudo ifconfig lo0 alias 169.254.170.2 255.255.255.255

and then

docker run -d -p 80:51679 \
-v /var/run:/var/run \
-v $HOME/.aws/:/home/.aws/ \
-e "ECS_LOCAL_METADATA_PORT=51679" \
--name ecs-local-endpoints \
amazon/amazon-ecs-local-container-endpoints:latest

and that should make it work on Docker Desktop for macOS.

to remove the alias do

sudo ifconfig lo0 -alias 169.254.170.2

@alexanderpolson

For those that have come here and here and are having trouble with SSO-based credentials, check out this issue for a fix:
awslabs/amazon-ecs-local-container-endpoints#51
