Support AWS IAM Role credentials #81
Comments
|
This sounds like a useful feature to me. Do you know what changes would be needed to make this happen? |
|
AWS SDKs have built-in functionality to first check these standardized environment variables for credentials:
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
AWS_SESSION_TOKEN
AWS_DEFAULT_REGION
These environment variables are automatically populated by the AWS EC2 when running under an IAM Role.
This check for credentials is automatically performed when the SDK constructor is not provided any credentials.
If Sleet is using the AWS SDK for S3, a possible change would be to support a sleet.json file that doesn’t require any credentials. Or has a setting for “useIAMRole”: “true”.
Sleet would then call the AmazonS3Client without any credentials and allow the SDK to find the credentials in the environment variables.
From: Justin Emgarten <notifications@github.com>
Sent: Thursday, June 20, 2019 2:27 PM
To: emgarten/Sleet <Sleet@noreply.github.com>
Cc: medianotion <david.hart@medianotion.com>; Author <author@noreply.github.com>
Subject: Re: [emgarten/Sleet] Support AWS IAM Role credentials (#81)
This sounds like a useful feature to me. Do you know what changes would be needed to make this happen?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub <#81?email_source=notifications&email_token=AIMMCF2YUIHVTNQ37GAG3MDP3PKWNA5CNFSM4HZ2M46KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODYGL7UA#issuecomment-504152016> , or mute the thread <https://github.com/notifications/unsubscribe-auth/AIMMCF45IYIPZ5I3Z3SVEZLP3PKWNANCNFSM4HZ2M46A> . <https://github.com/notifications/beacon/AIMMCFY24QW4QNAG3ORBSQTP3PKWNA5CNFSM4HZ2M46KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODYGL7UA.gif>
|
|
Setting Does this work for your environment, or do you still need env var support? |
|
Yes, I need the environment variables. It is more secure because the IAM Role credentials that are set in the environment variables are short term credentials that expire. It saves the user of Sleet from having to create long term credentials that must be secured, rotated, etc.
From: Justin Emgarten <notifications@github.com>
Sent: Thursday, June 20, 2019 4:20 PM
To: emgarten/Sleet <Sleet@noreply.github.com>
Cc: medianotion <david.hart@medianotion.com>; Author <author@noreply.github.com>
Subject: Re: [emgarten/Sleet] Support AWS IAM Role credentials (#81)
Setting profileName in sleet.json is supported today. You can see the change here: https://github.com/emgarten/Sleet/pull/54/files
Does this work for your environment, or do you still need env var support?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub <#81?email_source=notifications&email_token=AIMMCF2M3IL6YIJ6L2V6ODDP3PX7DA5CNFSM4HZ2M46KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODYGWONQ#issuecomment-504194870> , or mute the thread <https://github.com/notifications/unsubscribe-auth/AIMMCFZITUOX2XIM7Y7RNADP3PX7DANCNFSM4HZ2M46A> . <https://github.com/notifications/beacon/AIMMCFYFSW252PXP66GMH6TP3PX7DA5CNFSM4HZ2M46KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODYGWONQ.gif>
|
|
I will just add that I'm currently evaluating using Sleet for a project I'm working on, and the lack of support for environment variables makes Sleet a non-starter for me. In the specific case of a short-term credential (such as what Unfortunately, if a profile is explicitly provided, it overrides the ambient credentials from the environment, which means that there is no way to include the session token, even if it is present. This is especially problematic in a situation where you have multiple Amazon accounts involved, since in a typical configuration, the credentials that can be selected using a profile would not have sufficient permissions to actually interact with an S3 bucket in a different account. Separately from that, if running on an EC2 instance with an Instance Role assigned, the credentials that you want to use will need to be retrieved from the EC2 metadata API. The Amazon SDK classes already know about this and will fall back to the Instance Profile service on the metadata API endpoint automatically if no other credentials are present. I believe that the code change required to do this is simple. You just need to allow omitting both the profile and the access key from the If you wanted to be more explicit about it, you could also provide a dedicated config value in I'm happy to try to put together a pull request for this if it would help. |
|
@dpryden a PR for this would be great! I'm happy to help out, so if you have an issues once you get into it just create a work in progress PR and ping me on it. I don't understand S3 credentials as well as Azure, so if you can make a change and verify that it works correctly in your EC2 environment it would be a big help for this. I'm fine with leaving out the additional Also, docs for S3 sleet are here: https://github.com/emgarten/Sleet/blob/master/doc/feed-type-s3.md If you create a PR feel free to add an example of the sleet.json needed to use the feature. S3 seems to be the most popular host for Sleet feeds, so I'm sure others will want to use this feature as well. |
|
@medianotion have you a chance to look at this? |
|
I have.
I would prefer an explicit json attribute indicating that sleet should use role based authentication. This would allow sleet to not assume the user wants to use role based authentication over long term credentials.
However, I would be happy with any implementation that allowed for role based authentication.
…Sent from my iPhone
On Sep 5, 2019, at 3:42 PM, Justin Emgarten ***@***.***> wrote:
@medianotion have you a chance to look at this?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
This change is in https://www.nuget.org/packages/Sleet/3.0.5 |
|
Thanks Justin,
Tried this out and it seems to all work as expected. Thank you for writing Sleet - we’re finding it very useful to maintain our NuGet repo on S3.
Iain
…________________________________
From: Justin Emgarten <notifications@github.com>
Sent: Thursday, September 26, 2019 3:27 am
To: emgarten/Sleet
Cc: iainb123; Mention
Subject: Re: [emgarten/Sleet] Support AWS IAM Role credentials (#81)
This change is in https://www.nuget.org/packages/Sleet/3.0.5
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#81?email_source=notifications&email_token=AGIRDGVY2YP2UPL4IFVPQLDQLQM2VA5CNFSM4HZ2M46KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD7UBKOI#issuecomment-535303481>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AGIRDGRRIHT3AAQM6LUQT3TQLQM2VANCNFSM4HZ2M46A>.
|
|
Thanks for putting together that fix, @iainb123. My apologies for not contributing a PR as I had said I could; I've been busy with other things and ultimately our team is not using Sleet for unrelated reasons, so it's hard to justify spending time on it. One thing I will point out: the fix as currently implemented only will work for an EC2 Instance Profile role, since it requires the EC2 metadata API ( My recommendation is to rip out all of this error handling code and instead just call |
|
Thanks Daniel,
GetCallerIdentity looks like a much nicer and more general solution. The existing code fixes our GitLab builds, but should be able to try this next week.
Iain
…________________________________
From: Daniel Pryden <notifications@github.com>
Sent: Thursday, September 26, 2019 12:40 pm
To: emgarten/Sleet
Cc: iainb123; Mention
Subject: Re: [emgarten/Sleet] Support AWS IAM Role credentials (#81)
Thanks for putting together that fix, @iainb123<https://github.com/iainb123>. My apologies for not contributing a PR as I had said I could; I've been busy with other things and ultimately our team is not using Sleet for unrelated reasons, so it's hard to justify spending time on it.
One thing I will point out: the fix as currently implemented only will work for an EC2 Instance Profile role, since it requires the EC2 metadata API (169.254.169.254) to be accessible. This does not help for the use case I had in mind, which is an IAM Role assumed across accounts, where the access key, access secret, and session token are all in the environment.
My recommendation is to rip out all of this error handling code and instead just callsts:GetCallerIdentity (I don't know offhand where that is exposed in the C# API, though). If you get a valid caller identity, then you are good to go, regardless of what settings may or may not be present. If you don't get a valid caller identity,then you can try to throw a more helpful error message, although it's probably not helping as much as you might think it is.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#81?email_source=notifications&email_token=AGIRDGXOJULAI63IGWA5ELLQLSNRJA5CNFSM4HZ2M46KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD7VIWEA#issuecomment-535464720>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AGIRDGWLGILZY7E3UGMFJ53QLSNRJANCNFSM4HZ2M46A>.
|
|
Thank you for your efforts.
However, it is not working in CodeBuild using a IAM Role and no credentials set in the sleet.json. Attached is my CodeBuild log.
The container running the CodeBuild has a valid AWS Role assigned to it.
I altered the build script to show that the container can call out to the metadata server and get valid credentials. I echoed the creds returned. I intentionally removed the AWS Key that was returned for security reasons.
If you look at the bottom of the log you will see that Sleet errors “attempted to verify that an IAM role is assigned to this EC2 instance, but was unable to do so”.
Please let me know if you have any questions.
From: Daniel Pryden <notifications@github.com>
Sent: Thursday, September 26, 2019 6:40 AM
To: emgarten/Sleet <Sleet@noreply.github.com>
Cc: medianotion <david.hart@medianotion.com>; Mention <mention@noreply.github.com>
Subject: Re: [emgarten/Sleet] Support AWS IAM Role credentials (#81)
Thanks for putting together that fix, @iainb123 <https://github.com/iainb123> . My apologies for not contributing a PR as I had said I could; I've been busy with other things and ultimately our team is not using Sleet for unrelated reasons, so it's hard to justify spending time on it.
One thing I will point out: the fix as currently implemented only will work for an EC2 Instance Profile role, since it requires the EC2 metadata API (169.254.169.254) to be accessible. This does not help for the use case I had in mind, which is an IAM Role assumed across accounts, where the access key, access secret, and session token are all in the environment.
My recommendation is to rip out all of this error handling code and instead just call sts:GetCallerIdentity (I don't know offhand where that is exposed in the C# API, though). If you get a valid caller identity, then you are good to go, regardless of what settings may or may not be present. If you don't get a valid caller identity, then you can try to throw a more helpful error message, although it's probably not helping as much as you might think it is.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub <#81?email_source=notifications&email_token=AIMMCF4IQD2PNSAISYMGJGLQLSNRJA5CNFSM4HZ2M46KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD7VIWEA#issuecomment-535464720> , or mute the thread <https://github.com/notifications/unsubscribe-auth/AIMMCF7BUWCYIKI2LBNIC4DQLSNRJANCNFSM4HZ2M46A> . <https://github.com/notifications/beacon/AIMMCF6B7H2P4ELJSBHFGNTQLSNRJA5CNFSM4HZ2M46KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD7VIWEA.gif>
[Container] 2019/09/26 15:04:54 Waiting for agent ping
[Container] 2019/09/26 15:04:54 Waiting for DOWNLOAD_SOURCE
[Container] 2019/09/26 15:04:54 Phase is DOWNLOAD_SOURCE
[Container] 2019/09/26 15:04:54 CODEBUILD_SRC_DIR=C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption
[Container] 2019/09/26 15:04:54 YAML location is C:\codebuild\readonly\buildspec.yml
[Container] 2019/09/26 15:04:54 Processing environment variables
[Container] 2019/09/26 15:04:54 Decrypting parameter store environment variables
[Container] 2019/09/26 15:05:03 Moving to directory C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption
[Container] 2019/09/26 15:05:06 Registering with agent
[Container] 2019/09/26 15:05:06 Phases found in YAML: 3
[Container] 2019/09/26 15:05:06 INSTALL: 5 commands
[Container] 2019/09/26 15:05:06 BUILD: 5 commands
[Container] 2019/09/26 15:05:06 POST_BUILD: 3 commands
[Container] 2019/09/26 15:05:06 Phase complete: DOWNLOAD_SOURCE State: SUCCEEDED
[Container] 2019/09/26 15:05:06 Phase context status code: Message:
[Container] 2019/09/26 15:05:06 Entering phase INSTALL
[Container] 2019/09/26 15:05:06 Running command aws s3 cp s3://aesto-nuget/codebuild/sleet.json sleet.json
Completed 332 Bytes/332 Bytes (3.6 KiB/s) with 1 file(s) remaining
download: s3://aesto-nuget/codebuild/sleet.json to .\sleet.json
[Container] 2019/09/26 15:05:12 Running command $creds_url = "http://169.254.170.2" + $env:AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
[Container] 2019/09/26 15:05:15 Running command $creds_output = (New-Object System.Net.WebClient).DownloadString($creds_url)
[Container] 2019/09/26 15:05:18 Running command echo $creds_output
{"RoleArn":"AQICAHjf4Z7XKaJEIJTm4BPXVpqbE3boycdmzg3atIoxHNpzMAHomxbnpoUwUrp8dH4Omc74AAABADCB/QYJKoZIhvcNAQcGoIHvMIHsAgEAMIHmBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDM5vJ9Lcacom5MZBNwIBEICBuICII9vlk2FARTNp9GkzBByhxVMoPi+xqBrRjJSrp1EpVvWwF8GIhiNnWS0QLsU5x8ALfKhBwngwzj9MMOQFc8ABTx2uwfjOJvzVKKZ4E+czNYHDVOBNNuI6Nkx0H9tsgkDH8EdHCkqEo1fm6l9kv9iPvebbYpo6BNPvU12/L8y0cf/HFUbx1ONqbnE0pPnjwkp60ZfikjJ3rmzhM3EKpdU31EcZCO8UH4Won8KqzmiHMBtferWrpj8=","AccessKeyId":"Intentionally-removed","SecretAccessKey":"TkV6huQvGY0y6tEjix+Kf4c8D76Dnv5ze4tKZRmv","Token":"AgoJb3JpZ2luX2VjEIf//////////wEaCXVzLWVhc3QtMSJIMEYCIQDGHRFPuC3LgHq4mfPO45uADHP+82aDsA1GR6aBmUtHrwIhAIY8UPI0zTDGzzOUPYTU/BrW29kywssi3zxD8DwKDGdzKqMECGAQARoMMDk5NDU1OTI2NDc0Igz0BfzmYqU4B/A6wIMqgAQR2noxVQqpzkk2o2eOD6tb8t5KxI0Rr6Fi+wCgeg3eo/KFBjkNXxvCqn80xg/+G2WpKEBpLYKje0a/40BOaGBdM817IO8er0nGcHbdwcK2PVZ7Pk7I1T6Ug4If+uZRfs+Io6NQ/UsZNz+F4hEaC7sj9yfyuP+Oc6aHOTu6/Ek5zEt6U87J+nY0oTkZSFlt+peQXKj1CsUSKbvGMDb7Fu+z3vaA+8xzD5ARggy7Z3JuLtfMu6GRE6RG11cChdQTlurARBEF+X08/W0FnDhsc3/H1Ql7UohKG/cjhPsF5zf3lzewYHloG6cWUAmNlT3kH/p2s2c6Jw6YHEJ0GrYD3g5vaVE4csMh/xPy/t8Z93mPS9TrYsaQzaqI97Gx663p9FL1EfbX4Nj5RAUi6X2GO4lwqVCogyYI/3/1B0m/MNAFAokNqBZGzOcp5y6uukjJLwrvSqTDO3QO9NAZBJz7nzLEaJ8ktkJMuZGw2O3l7GfWkSJS2fFAx5B2/YFviqvUr5EfZ7A4sCk3qjrrnFd06WchA0V6uO+b+V0/w2709D4geZkr76tC0iTzuxUjWt4Ogu4cP7MZpq9aA5/2cDgjlq2/rXWXSDNMkCzs/A3pOPquky1z6Z3QT5IIgQfVFDQ07AP/pFrsV1zng1TrkkmeLl/kdf0DPpGymHxseYDsI67tAzDiprPsBTqzAfzXBYeg4aYo7hGjjm2pTF1pne2eC6/3GDrceV3cbYl04axu0JmrKwLf8hGpFUjM4hatpR/wacHmwZ/SLEnLVIsFMrfQBQKqeI8bV5sU2l9An6FWjRhM7ty3FOwcPkUzkNRW8Q1bUeDlECJjazytNYyJhrJVI0iAu57/iGQpMq4G1Uf7YRtmNzTqLnaBNNWzma8+Ws3oALW036dHl1JU5ggzsOkdEN3Ivxg6JXXsv+9z9mV/","Expiration":"2019-09-26T16:04:02Z"}
[Container] 2019/09/26 15:05:22 Running command dotnet tool install -g sleet
You can invoke the tool using the following command: sleet
Tool 'sleet' (version '3.0.5') was successfully installed.
[Container] 2019/09/26 15:05:27 Phase complete: INSTALL State: SUCCEEDED
[Container] 2019/09/26 15:05:27 Phase context status code: Message:
[Container] 2019/09/26 15:05:27 Entering phase PRE_BUILD
[Container] 2019/09/26 15:05:27 Phase complete: PRE_BUILD State: SUCCEEDED
[Container] 2019/09/26 15:05:27 Phase context status code: Message:
[Container] 2019/09/26 15:05:27 Entering phase BUILD
[Container] 2019/09/26 15:05:27 Running command $proj_dir = (Get-ChildItem -Filter *.csproj -Recurse | Select-Object -First 1).Directory.Name
[Container] 2019/09/26 15:05:30 Running command cd $proj_dir
[Container] 2019/09/26 15:05:33 Running command nuget sources add -name "aesto" -source https://d1uowoilelxe35.cloudfront.net/index.json -username nugetUser -password $env:NUGET_PASSWORD
Package Source with Name: aesto added successfully.
[Container] 2019/09/26 15:05:38 Running command dotnet restore --disable-parallel --force --no-cache
Restoring packages for C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption\encryption\encryption.csproj...
Generating MSBuild file C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption\encryption\obj\encryption.csproj.nuget.g.props.
Generating MSBuild file C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption\encryption\obj\encryption.csproj.nuget.g.targets.
Restore completed in 135.79 ms for C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption\encryption\encryption.csproj.
[Container] 2019/09/26 15:05:42 Running command dotnet build
Microsoft (R) Build Engine version 15.7.179.6572 for .NET Core
Copyright (C) Microsoft Corporation. All rights reserved.
Restore completed in 30.67 ms for C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption\encryption\encryption.csproj.
encryption -> C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption\encryption\bin\Debug\netstandard2.0\encryption.dll
Successfully created package 'C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption\encryption\bin\Debug\Security.Encryption.1.0.1.nupkg'.
Build succeeded.
0 Warning(s)
0 Error(s)
Time Elapsed 00:00:02.00
[Container] 2019/09/26 15:05:47 Phase complete: BUILD State: SUCCEEDED
[Container] 2019/09/26 15:05:47 Phase context status code: Message:
[Container] 2019/09/26 15:05:47 Entering phase POST_BUILD
[Container] 2019/09/26 15:05:47 Running command cd bin\Debug
[Container] 2019/09/26 15:05:50 Running command $nuget_pkg = (Get-ChildItem -Filter *.nupkg | Select-Object -Last 1).Name
[Container] 2019/09/26 15:05:53 Running command if ($nuget_pkg) { sleet push $nuget_pkg -s aesto } else { write-host("No nuget package to push.") }
[System.ArgumentException] As no credentials are set in the configuration attempted to verify that an IAM role is assigned to this EC2 instance, but was unable to do so (is this an EC2 instance with an IAM role assigned?): Error reaching AWS metadata server
[Container] 2019/09/26 15:05:57 Command did not exit successfully if ($nuget_pkg) { sleet push $nuget_pkg -s aesto } else { write-host("No nuget package to push.") } exit status 1
[Container] 2019/09/26 15:06:00 Phase complete: POST_BUILD State: FAILED
[Container] 2019/09/26 15:06:00 Phase context status code: COMMAND_EXECUTION_ERROR Message: Error while executing command: if ($nuget_pkg) { sleet push $nuget_pkg -s aesto } else { write-host("No nuget package to push.") }. Reason: exit status 1
[Container] 2019/09/26 15:06:00 Phase complete: UPLOAD_ARTIFACTS State: SUCCEEDED
[Container] 2019/09/26 15:06:00 Phase context status code: Message:
|
|
You seem to be using a different metadata server – do you know why is it on 169.254.170.2 and not 169.254.169.254?
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
I find this works on an EC2 instance spun up by GitLab with an IAM role, but perhaps this is an unusual case!
Iain
From: medianotion <notifications@github.com>
Reply to: emgarten/Sleet <reply@reply.github.com>
Date: Thursday, 26 September 2019 at 16:17
To: emgarten/Sleet <Sleet@noreply.github.com>
Cc: Iain Buchanan <iainbuc@gmail.com>, Mention <mention@noreply.github.com>
Subject: Re: [emgarten/Sleet] Support AWS IAM Role credentials (#81)
Thank you for your efforts.
However, it is not working in CodeBuild using a IAM Role and no credentials set in the sleet.json. Attached is my CodeBuild log.
The container running the CodeBuild has a valid AWS Role assigned to it.
I altered the build script to show that the container can call out to the metadata server and get valid credentials. I echoed the creds returned. I intentionally removed the AWS Key that was returned for security reasons.
If you look at the bottom of the log you will see that Sleet errors “attempted to verify that an IAM role is assigned to this EC2 instance, but was unable to do so”.
Please let me know if you have any questions.
From: Daniel Pryden <notifications@github.com>
Sent: Thursday, September 26, 2019 6:40 AM
To: emgarten/Sleet <Sleet@noreply.github.com>
Cc: medianotion <david.hart@medianotion.com>; Mention <mention@noreply.github.com>
Subject: Re: [emgarten/Sleet] Support AWS IAM Role credentials (#81)
Thanks for putting together that fix, @iainb123 <https://github.com/iainb123> . My apologies for not contributing a PR as I had said I could; I've been busy with other things and ultimately our team is not using Sleet for unrelated reasons, so it's hard to justify spending time on it.
One thing I will point out: the fix as currently implemented only will work for an EC2 Instance Profile role, since it requires the EC2 metadata API (169.254.169.254) to be accessible. This does not help for the use case I had in mind, which is an IAM Role assumed across accounts, where the access key, access secret, and session token are all in the environment.
My recommendation is to rip out all of this error handling code and instead just call sts:GetCallerIdentity (I don't know offhand where that is exposed in the C# API, though). If you get a valid caller identity, then you are good to go, regardless of what settings may or may not be present. If you don't get a valid caller identity, then you can try to throw a more helpful error message, although it's probably not helping as much as you might think it is.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub <#81?email_source=notifications&email_token=AIMMCF4IQD2PNSAISYMGJGLQLSNRJA5CNFSM4HZ2M46KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD7VIWEA#issuecomment-535464720> , or mute the thread <https://github.com/notifications/unsubscribe-auth/AIMMCF7BUWCYIKI2LBNIC4DQLSNRJANCNFSM4HZ2M46A> . <https://github.com/notifications/beacon/AIMMCF6B7H2P4ELJSBHFGNTQLSNRJA5CNFSM4HZ2M46KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD7VIWEA.gif>
[Container] 2019/09/26 15:04:54 Waiting for agent ping
[Container] 2019/09/26 15:04:54 Waiting for DOWNLOAD_SOURCE
[Container] 2019/09/26 15:04:54 Phase is DOWNLOAD_SOURCE
[Container] 2019/09/26 15:04:54 CODEBUILD_SRC_DIR=C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption
[Container] 2019/09/26 15:04:54 YAML location is C:\codebuild\readonly\buildspec.yml
[Container] 2019/09/26 15:04:54 Processing environment variables
[Container] 2019/09/26 15:04:54 Decrypting parameter store environment variables
[Container] 2019/09/26 15:05:03 Moving to directory C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption
[Container] 2019/09/26 15:05:06 Registering with agent
[Container] 2019/09/26 15:05:06 Phases found in YAML: 3
[Container] 2019/09/26 15:05:06 INSTALL: 5 commands
[Container] 2019/09/26 15:05:06 BUILD: 5 commands
[Container] 2019/09/26 15:05:06 POST_BUILD: 3 commands
[Container] 2019/09/26 15:05:06 Phase complete: DOWNLOAD_SOURCE State: SUCCEEDED
[Container] 2019/09/26 15:05:06 Phase context status code: Message:
[Container] 2019/09/26 15:05:06 Entering phase INSTALL
[Container] 2019/09/26 15:05:06 Running command aws s3 cp s3://aesto-nuget/codebuild/sleet.json sleet.json
Completed 332 Bytes/332 Bytes (3.6 KiB/s) with 1 file(s) remaining
download: s3://aesto-nuget/codebuild/sleet.json to .\sleet.json
[Container] 2019/09/26 15:05:12 Running command $creds_url = "http://169.254.170.2" + $env:AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
[Container] 2019/09/26 15:05:15 Running command $creds_output = (New-Object System.Net.WebClient).DownloadString($creds_url)
[Container] 2019/09/26 15:05:18 Running command echo $creds_output
{"RoleArn":"AQICAHjf4Z7XKaJEIJTm4BPXVpqbE3boycdmzg3atIoxHNpzMAHomxbnpoUwUrp8dH4Omc74AAABADCB/QYJKoZIhvcNAQcGoIHvMIHsAgEAMIHmBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDM5vJ9Lcacom5MZBNwIBEICBuICII9vlk2FARTNp9GkzBByhxVMoPi+xqBrRjJSrp1EpVvWwF8GIhiNnWS0QLsU5x8ALfKhBwngwzj9MMOQFc8ABTx2uwfjOJvzVKKZ4E+czNYHDVOBNNuI6Nkx0H9tsgkDH8EdHCkqEo1fm6l9kv9iPvebbYpo6BNPvU12/L8y0cf/HFUbx1ONqbnE0pPnjwkp60ZfikjJ3rmzhM3EKpdU31EcZCO8UH4Won8KqzmiHMBtferWrpj8=","AccessKeyId":"Intentionally-removed","SecretAccessKey":"TkV6huQvGY0y6tEjix+Kf4c8D76Dnv5ze4tKZRmv","Token":"AgoJb3JpZ2luX2VjEIf//////////wEaCXVzLWVhc3QtMSJIMEYCIQDGHRFPuC3LgHq4mfPO45uADHP+82aDsA1GR6aBmUtHrwIhAIY8UPI0zTDGzzOUPYTU/BrW29kywssi3zxD8DwKDGdzKqMECGAQARoMMDk5NDU1OTI2NDc0Igz0BfzmYqU4B/A6wIMqgAQR2noxVQqpzkk2o2eOD6tb8t5KxI0Rr6Fi+wCgeg3eo/KFBjkNXxvCqn80xg/+G2WpKEBpLYKje0a/40BOaGBdM817IO8er0nGcHbdwcK2PVZ7Pk7I1T6Ug4If+uZRfs+Io6NQ/UsZNz+F4hEaC7sj9yfyuP+Oc6aHOTu6/Ek5zEt6U87J+nY0oTkZSFlt+peQXKj1CsUSKbvGMDb7Fu+z3vaA+8xzD5ARggy7Z3JuLtfMu6GRE6RG11cChdQTlurARBEF+X08/W0FnDhsc3/H1Ql7UohKG/cjhPsF5zf3lzewYHloG6cWUAmNlT3kH/p2s2c6Jw6YHEJ0GrYD3g5vaVE4csMh/xPy/t8Z93mPS9TrYsaQzaqI97Gx663p9FL1EfbX4Nj5RAUi6X2GO4lwqVCogyYI/3/1B0m/MNAFAokNqBZGzOcp5y6uukjJLwrvSqTDO3QO9NAZBJz7nzLEaJ8ktkJMuZGw2O3l7GfWkSJS2fFAx5B2/YFviqvUr5EfZ7A4sCk3qjrrnFd06WchA0V6uO+b+V0/w2709D4geZkr76tC0iTzuxUjWt4Ogu4cP7MZpq9aA5/2cDgjlq2/rXWXSDNMkCzs/A3pOPquky1z6Z3QT5IIgQfVFDQ07AP/pFrsV1zng1TrkkmeLl/kdf0DPpGymHxseYDsI67tAzDiprPsBTqzAfzXBYeg4aYo7hGjjm2pTF1pne2eC6/3GDrceV3cbYl04axu0JmrKwLf8hGpFUjM4hatpR/wacHmwZ/SLEnLVIsFMrfQBQKqeI8bV5sU2l9An6FWjRhM7ty3FOwcPkUzkNRW8Q1bUeDlECJjazytNYyJhrJVI0iAu57/iGQpMq4G1Uf7YRtmNzTqLnaBNNWzma8+Ws3oALW036dHl1JU5ggzsOkdEN3Ivxg6JXXsv+9z9mV/","Expiration":"2019-09-26T16:04:02Z"}
[Container] 2019/09/26 15:05:22 Running command dotnet tool install -g sleet
You can invoke the tool using the following command: sleet
Tool 'sleet' (version '3.0.5') was successfully installed.
[Container] 2019/09/26 15:05:27 Phase complete: INSTALL State: SUCCEEDED
[Container] 2019/09/26 15:05:27 Phase context status code: Message:
[Container] 2019/09/26 15:05:27 Entering phase PRE_BUILD
[Container] 2019/09/26 15:05:27 Phase complete: PRE_BUILD State: SUCCEEDED
[Container] 2019/09/26 15:05:27 Phase context status code: Message:
[Container] 2019/09/26 15:05:27 Entering phase BUILD
[Container] 2019/09/26 15:05:27 Running command $proj_dir = (Get-ChildItem -Filter *.csproj -Recurse | Select-Object -First 1).Directory.Name
[Container] 2019/09/26 15:05:30 Running command cd $proj_dir
[Container] 2019/09/26 15:05:33 Running command nuget sources add -name "aesto" -source https://d1uowoilelxe35.cloudfront.net/index.json -username nugetUser -password $env:NUGET_PASSWORD
Package Source with Name: aesto added successfully.
[Container] 2019/09/26 15:05:38 Running command dotnet restore --disable-parallel --force --no-cache
Restoring packages for C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption\encryption\encryption.csproj...
Generating MSBuild file C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption\encryption\obj\encryption.csproj.nuget.g.props.
Generating MSBuild file C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption\encryption\obj\encryption.csproj.nuget.g.targets.
Restore completed in 135.79 ms for C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption\encryption\encryption.csproj.
[Container] 2019/09/26 15:05:42 Running command dotnet build
Microsoft (R) Build Engine version 15.7.179.6572 for .NET Core
Copyright (C) Microsoft Corporation. All rights reserved.
Restore completed in 30.67 ms for C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption\encryption\encryption.csproj.
encryption -> C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption\encryption\bin\Debug\netstandard2.0\encryption.dll
Successfully created package 'C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption\encryption\bin\Debug\Security.Encryption.1.0.1.nupkg'.
Build succeeded.
0 Warning(s)
0 Error(s)
Time Elapsed 00:00:02.00
[Container] 2019/09/26 15:05:47 Phase complete: BUILD State: SUCCEEDED
[Container] 2019/09/26 15:05:47 Phase context status code: Message:
[Container] 2019/09/26 15:05:47 Entering phase POST_BUILD
[Container] 2019/09/26 15:05:47 Running command cd bin\Debug
[Container] 2019/09/26 15:05:50 Running command $nuget_pkg = (Get-ChildItem -Filter *.nupkg | Select-Object -Last 1).Name
[Container] 2019/09/26 15:05:53 Running command if ($nuget_pkg) { sleet push $nuget_pkg -s aesto } else { write-host("No nuget package to push.") }
[System.ArgumentException] As no credentials are set in the configuration attempted to verify that an IAM role is assigned to this EC2 instance, but was unable to do so (is this an EC2 instance with an IAM role assigned?): Error reaching AWS metadata server
[Container] 2019/09/26 15:05:57 Command did not exit successfully if ($nuget_pkg) { sleet push $nuget_pkg -s aesto } else { write-host("No nuget package to push.") } exit status 1
[Container] 2019/09/26 15:06:00 Phase complete: POST_BUILD State: FAILED
[Container] 2019/09/26 15:06:00 Phase context status code: COMMAND_EXECUTION_ERROR Message: Error while executing command: if ($nuget_pkg) { sleet push $nuget_pkg -s aesto } else { write-host("No nuget package to push.") }. Reason: exit status 1
[Container] 2019/09/26 15:06:00 Phase complete: UPLOAD_ARTIFACTS State: SUCCEEDED
[Container] 2019/09/26 15:06:00 Phase context status code: Message:
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#81?email_source=notifications&email_token=AGIRDGUYBZRTBW54BQ54GMTQLTHARA5CNFSM4HZ2M46KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD7V6JIY#issuecomment-535553187>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AGIRDGXSAZAN7S3F2BFCD7DQLTHARANCNFSM4HZ2M46A>.
|
|
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-metadata-endpoint-v2.html
I tried switching to 169.254.169.254 and it failed.
I haven’t gotten deep into the Sleet code. I remember glancing at it months ago and thinking it wasn’t using the standard AWS SDK calls. Maybe I am wrong. If I am right, hard coding metadata urls and manually populating the key, secret and session is doing the work the SDK already does for us. I would recommend changing to use the AWS SDK … again if it is already not using it.
From: iainb123 <notifications@github.com>
Sent: Thursday, September 26, 2019 10:30 AM
To: emgarten/Sleet <Sleet@noreply.github.com>
Cc: medianotion <david.hart@medianotion.com>; Mention <mention@noreply.github.com>
Subject: Re: [emgarten/Sleet] Support AWS IAM Role credentials (#81)
You seem to be using a different metadata server – do you know why is it on 169.254.170.2 and not 169.254.169.254?
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
I find this works on an EC2 instance spun up by GitLab with an IAM role, but perhaps this is an unusual case!
Iain
From: medianotion <notifications@github.com <mailto:notifications@github.com> >
Reply to: emgarten/Sleet <reply@reply.github.com <mailto:reply@reply.github.com> >
Date: Thursday, 26 September 2019 at 16:17
To: emgarten/Sleet <Sleet@noreply.github.com <mailto:Sleet@noreply.github.com> >
Cc: Iain Buchanan <iainbuc@gmail.com <mailto:iainbuc@gmail.com> >, Mention <mention@noreply.github.com <mailto:mention@noreply.github.com> >
Subject: Re: [emgarten/Sleet] Support AWS IAM Role credentials (#81)
Thank you for your efforts.
However, it is not working in CodeBuild using a IAM Role and no credentials set in the sleet.json. Attached is my CodeBuild log.
The container running the CodeBuild has a valid AWS Role assigned to it.
I altered the build script to show that the container can call out to the metadata server and get valid credentials. I echoed the creds returned. I intentionally removed the AWS Key that was returned for security reasons.
If you look at the bottom of the log you will see that Sleet errors “attempted to verify that an IAM role is assigned to this EC2 instance, but was unable to do so”.
Please let me know if you have any questions.
From: Daniel Pryden <notifications@github.com <mailto:notifications@github.com> >
Sent: Thursday, September 26, 2019 6:40 AM
To: emgarten/Sleet <Sleet@noreply.github.com <mailto:Sleet@noreply.github.com> >
Cc: medianotion <david.hart@medianotion.com <mailto:david.hart@medianotion.com> >; Mention <mention@noreply.github.com <mailto:mention@noreply.github.com> >
Subject: Re: [emgarten/Sleet] Support AWS IAM Role credentials (#81)
Thanks for putting together that fix, @iainb123 <https://github.com/iainb123> . My apologies for not contributing a PR as I had said I could; I've been busy with other things and ultimately our team is not using Sleet for unrelated reasons, so it's hard to justify spending time on it.
One thing I will point out: the fix as currently implemented only will work for an EC2 Instance Profile role, since it requires the EC2 metadata API (169.254.169.254) to be accessible. This does not help for the use case I had in mind, which is an IAM Role assumed across accounts, where the access key, access secret, and session token are all in the environment.
My recommendation is to rip out all of this error handling code and instead just call sts:GetCallerIdentity (I don't know offhand where that is exposed in the C# API, though). If you get a valid caller identity, then you are good to go, regardless of what settings may or may not be present. If you don't get a valid caller identity, then you can try to throw a more helpful error message, although it's probably not helping as much as you might think it is.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub <#81?email_source=notifications <#81?email_source=notifications&email_token=AIMMCF4IQD2PNSAISYMGJGLQLSNRJA5CNFSM4HZ2M46KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD7VIWEA#issuecomment-535464720> &email_token=AIMMCF4IQD2PNSAISYMGJGLQLSNRJA5CNFSM4HZ2M46KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD7VIWEA#issuecomment-535464720> , or mute the thread <https://github.com/notifications/unsubscribe-auth/AIMMCF7BUWCYIKI2LBNIC4DQLSNRJANCNFSM4HZ2M46A> . <https://github.com/notifications/beacon/AIMMCF6B7H2P4ELJSBHFGNTQLSNRJA5CNFSM4HZ2M46KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD7VIWEA.gif>
[Container] 2019/09/26 15:04:54 Waiting for agent ping
[Container] 2019/09/26 15:04:54 Waiting for DOWNLOAD_SOURCE
[Container] 2019/09/26 15:04:54 Phase is DOWNLOAD_SOURCE
[Container] 2019/09/26 15:04:54 CODEBUILD_SRC_DIR=C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption
[Container] 2019/09/26 15:04:54 YAML location is C:\codebuild\readonly\buildspec.yml
[Container] 2019/09/26 15:04:54 Processing environment variables
[Container] 2019/09/26 15:04:54 Decrypting parameter store environment variables
[Container] 2019/09/26 15:05:03 Moving to directory C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption
[Container] 2019/09/26 15:05:06 Registering with agent
[Container] 2019/09/26 15:05:06 Phases found in YAML: 3
[Container] 2019/09/26 15:05:06 INSTALL: 5 commands
[Container] 2019/09/26 15:05:06 BUILD: 5 commands
[Container] 2019/09/26 15:05:06 POST_BUILD: 3 commands
[Container] 2019/09/26 15:05:06 Phase complete: DOWNLOAD_SOURCE State: SUCCEEDED
[Container] 2019/09/26 15:05:06 Phase context status code: Message:
[Container] 2019/09/26 15:05:06 Entering phase INSTALL
[Container] 2019/09/26 15:05:06 Running command aws s3 cp s3://aesto-nuget/codebuild/sleet.json sleet.json
Completed 332 Bytes/332 Bytes (3.6 KiB/s) with 1 file(s) remaining
download: s3://aesto-nuget/codebuild/sleet.json to .\sleet.json
[Container] 2019/09/26 15:05:12 Running command $creds_url = "http://169.254.170.2" + $env:AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
[Container] 2019/09/26 15:05:15 Running command $creds_output = (New-Object System.Net.WebClient).DownloadString($creds_url)
[Container] 2019/09/26 15:05:18 Running command echo $creds_output
{"RoleArn":"AQICAHjf4Z7XKaJEIJTm4BPXVpqbE3boycdmzg3atIoxHNpzMAHomxbnpoUwUrp8dH4Omc74AAABADCB/QYJKoZIhvcNAQcGoIHvMIHsAgEAMIHmBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDM5vJ9Lcacom5MZBNwIBEICBuICII9vlk2FARTNp9GkzBByhxVMoPi+xqBrRjJSrp1EpVvWwF8GIhiNnWS0QLsU5x8ALfKhBwngwzj9MMOQFc8ABTx2uwfjOJvzVKKZ4E+czNYHDVOBNNuI6Nkx0H9tsgkDH8EdHCkqEo1fm6l9kv9iPvebbYpo6BNPvU12/L8y0cf/HFUbx1ONqbnE0pPnjwkp60ZfikjJ3rmzhM3EKpdU31EcZCO8UH4Won8KqzmiHMBtferWrpj8=","AccessKeyId":"Intentionally-removed","SecretAccessKey":"TkV6huQvGY0y6tEjix+Kf4c8D76Dnv5ze4tKZRmv","Token":"AgoJb3JpZ2luX2VjEIf//////////wEaCXVzLWVhc3QtMSJIMEYCIQDGHRFPuC3LgHq4mfPO45uADHP+82aDsA1GR6aBmUtHrwIhAIY8UPI0zTDGzzOUPYTU/BrW29kywssi3zxD8DwKDGdzKqMECGAQARoMMDk5NDU1OTI2NDc0Igz0BfzmYqU4B/A6wIMqgAQR2noxVQqpzkk2o2eOD6tb8t5KxI0Rr6Fi+wCgeg3eo/KFBjkNXxvCqn80xg/+G2WpKEBpLYKje0a/40BOaGBdM817IO8er0nGcHbdwcK2PVZ7Pk7I1T6Ug4If+uZRfs+Io6NQ/UsZNz+F4hEaC7sj9yfyuP+Oc6aHOTu6/Ek5zEt6U87J+nY0oTkZSFlt+peQXKj1CsUSKbvGMDb7Fu+z3vaA+8xzD5ARggy7Z3JuLtfMu6GRE6RG11cChdQTlurARBEF+X08/W0FnDhsc3/H1Ql7UohKG/cjhPsF5zf3lzewYHloG6cWUAmNlT3kH/p2s2c6Jw6YHEJ0GrYD3g5vaVE4csMh/xPy/t8Z93mPS9TrYsaQzaqI97Gx663p9FL1EfbX4Nj5RAUi6X2GO4lwqVCogyYI/3/1B0m/MNAFAokNqBZGzOcp5y6uukjJLwrvSqTDO3QO9NAZBJz7nzLEaJ8ktkJMuZGw2O3l7GfWkSJS2fFAx5B2/YFviqvUr5EfZ7A4sCk3qjrrnFd06WchA0V6uO+b+V0/w2709D4geZkr76tC0iTzuxUjWt4Ogu4cP7MZpq9aA5/2cDgjlq2/rXWXSDNMkCzs/A3pOPquky1z6Z3QT5IIgQfVFDQ07AP/pFrsV1zng1TrkkmeLl/kdf0DPpGymHxseYDsI67tAzDiprPsBTqzAfzXBYeg4aYo7hGjjm2pTF1pne2eC6/3GDrceV3cbYl04axu0JmrKwLf8hGpFUjM4hatpR/wacHmwZ/SLEnLVIsFMrfQBQKqeI8bV5sU2l9An6FWjRhM7ty3FOwcPkUzkNRW8Q1bUeDlECJjazytNYyJhrJVI0iAu57/iGQpMq4G1Uf7YRtmNzTqLnaBNNWzma8+Ws3oALW036dHl1JU5ggzsOkdEN3Ivxg6JXXsv+9z9mV/","Expiration":"2019-09-26T16:04:02Z"}
[Container] 2019/09/26 15:05:22 Running command dotnet tool install -g sleet
You can invoke the tool using the following command: sleet
Tool 'sleet' (version '3.0.5') was successfully installed.
[Container] 2019/09/26 15:05:27 Phase complete: INSTALL State: SUCCEEDED
[Container] 2019/09/26 15:05:27 Phase context status code: Message:
[Container] 2019/09/26 15:05:27 Entering phase PRE_BUILD
[Container] 2019/09/26 15:05:27 Phase complete: PRE_BUILD State: SUCCEEDED
[Container] 2019/09/26 15:05:27 Phase context status code: Message:
[Container] 2019/09/26 15:05:27 Entering phase BUILD
[Container] 2019/09/26 15:05:27 Running command $proj_dir = (Get-ChildItem -Filter *.csproj -Recurse | Select-Object -First 1).Directory.Name
[Container] 2019/09/26 15:05:30 Running command cd $proj_dir
[Container] 2019/09/26 15:05:33 Running command nuget sources add -name "aesto" -source https://d1uowoilelxe35.cloudfront.net/index.json -username nugetUser -password $env:NUGET_PASSWORD
Package Source with Name: aesto added successfully.
[Container] 2019/09/26 15:05:38 Running command dotnet restore --disable-parallel --force --no-cache
Restoring packages for C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption\encryption\encryption.csproj...
Generating MSBuild file C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption\encryption\obj\encryption.csproj.nuget.g.props.
Generating MSBuild file C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption\encryption\obj\encryption.csproj.nuget.g.targets.
Restore completed in 135.79 ms for C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption\encryption\encryption.csproj.
[Container] 2019/09/26 15:05:42 Running command dotnet build
Microsoft (R) Build Engine version 15.7.179.6572 for .NET Core
Copyright (C) Microsoft Corporation. All rights reserved.
Restore completed in 30.67 ms for C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption\encryption\encryption.csproj.
encryption -> C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption\encryption\bin\Debug\netstandard2.0\encryption.dll
Successfully created package 'C:\codebuild\tmp\output\src723158203\src\git-codecommit.us-east-1.amazonaws.com\v1\repos\dotnet-encryption\encryption\bin\Debug\Security.Encryption.1.0.1.nupkg'.
Build succeeded.
0 Warning(s)
0 Error(s)
Time Elapsed 00:00:02.00
[Container] 2019/09/26 15:05:47 Phase complete: BUILD State: SUCCEEDED
[Container] 2019/09/26 15:05:47 Phase context status code: Message:
[Container] 2019/09/26 15:05:47 Entering phase POST_BUILD
[Container] 2019/09/26 15:05:47 Running command cd bin\Debug
[Container] 2019/09/26 15:05:50 Running command $nuget_pkg = (Get-ChildItem -Filter *.nupkg | Select-Object -Last 1).Name
[Container] 2019/09/26 15:05:53 Running command if ($nuget_pkg) { sleet push $nuget_pkg -s aesto } else { write-host("No nuget package to push.") }
[System.ArgumentException] As no credentials are set in the configuration attempted to verify that an IAM role is assigned to this EC2 instance, but was unable to do so (is this an EC2 instance with an IAM role assigned?): Error reaching AWS metadata server
[Container] 2019/09/26 15:05:57 Command did not exit successfully if ($nuget_pkg) { sleet push $nuget_pkg -s aesto } else { write-host("No nuget package to push.") } exit status 1
[Container] 2019/09/26 15:06:00 Phase complete: POST_BUILD State: FAILED
[Container] 2019/09/26 15:06:00 Phase context status code: COMMAND_EXECUTION_ERROR Message: Error while executing command: if ($nuget_pkg) { sleet push $nuget_pkg -s aesto } else { write-host("No nuget package to push.") }. Reason: exit status 1
[Container] 2019/09/26 15:06:00 Phase complete: UPLOAD_ARTIFACTS State: SUCCEEDED
[Container] 2019/09/26 15:06:00 Phase context status code: Message:
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#81?email_source=notifications <#81?email_source=notifications&email_token=AGIRDGUYBZRTBW54BQ54GMTQLTHARA5CNFSM4HZ2M46KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD7V6JIY#issuecomment-535553187> &email_token=AGIRDGUYBZRTBW54BQ54GMTQLTHARA5CNFSM4HZ2M46KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD7V6JIY#issuecomment-535553187>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AGIRDGXSAZAN7S3F2BFCD7DQLTHARANCNFSM4HZ2M46A>.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub <#81?email_source=notifications&email_token=AIMMCF4FOAVL4AFVZUT2RL3QLTIOXA5CNFSM4HZ2M46KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD7V7U7I#issuecomment-535558781> , or mute the thread <https://github.com/notifications/unsubscribe-auth/AIMMCF7E56MANUBGHMTAKF3QLTIOXANCNFSM4HZ2M46A> . <https://github.com/notifications/beacon/AIMMCF2XSR5MFM4QSUKTD4DQLTIOXA5CNFSM4HZ2M46KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD7V7U7I.gif>
|
|
Fixed in #91 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Provide support for AWS IAM Role credentials rather than having to set long term credentials in the sleet.json or reference a user's .aws profile. This would allow Sleet to be used with automated build processes that run under an IAM Role and be more secure.
The text was updated successfully, but these errors were encountered: