Use appropriate ECS credentials on CodeBuild maven job
Problem description
I am trying to use the CodeBuild service role in my mvn command, but it does not seem to be picking up the appropriate IAM permissions. I am using the s3-wagon-private plugin, which does appear to use a recent version of DefaultAWSCredentialsProviderChain that includes EC2ContainerCredentialsProviderWrapper, so I thought it should use the CodeBuild role on the CodeBuild container. That role has the appropriate permissions to the S3 repo I am trying to access with the s3-wagon-private.
But it appears that without using a Clojure project and a project.cloj, it will not use the DefaultAWSCredentialsProviderChain by default. I have looked at Spring AWS Maven and Maven S3 Wagon, but both are using a version of the DefaultAWSCredentialsProviderChain prior to the addition of the ECS credentials (AWS SDK ~1.11.14), and I haven't seen much update to them, so I am not overly confident we could get the SDK version updated/tested/released.
Does anyone know of a simple means for using S3 as a maven repo with a recent version of the DefaultCredentialProviderChain?
Recommended answer
When using AWS containers (like CodeBuild does), the instance metadata is at a different location to the usual http://169.254.169.254/latest/meta-data/
Instead, AWS sets an environment variable $AWS_CONTAINER_CREDENTIALS_RELATIVE_URI which points to the correct URI to obtain metadata. This is required by the AWS SDKs and other tools in order to assume an IAM role.
The correct URL on an AWS Container is:
http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
Currently supported AWS SDKs support this feature, but it may be lacking on older tools. The AWS Instance Metadata documentation explains it in more detail.
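One way to hand the container credentials described in the answer to a tool whose SDK predates ECS support, as an added example (not code from the question, the answer, or any AWS project): fetch the JSON document from that URL and map it onto the standard AWS_* environment variables. It assumes the older tool reads those variables; the function names and the sample document are constructed for illustration.

```python
import json
import os
import shlex
import urllib.request

ECS_CREDENTIALS_HOST = "http://169.254.170.2"  # host given in the answer above

# Constructed sample of the endpoint's JSON reply (not real credentials).
SAMPLE_DOCUMENT = json.dumps({
    "AccessKeyId": "ASIACONSTRUCTED00000",
    "SecretAccessKey": "constructed-secret",
    "Token": "constructed-token==",
    "Expiration": "2030-01-01T00:00:00Z",
})


def credentials_url(environ=os.environ):
    """Build the container credentials URL from the variable AWS sets."""
    rel = environ.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI", "")
    # Appended straight onto the host: accept only a path, not e.g. "@host/x".
    if not rel.startswith("/"):
        raise ValueError("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI unset or not a path")
    return ECS_CREDENTIALS_HOST + rel


def fetch_document(url, timeout=2):
    """GET the credentials JSON; reachable only from inside the container."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def to_env(document):
    """Map the reply's fields onto the standard AWS_* environment variables."""
    doc = json.loads(document)
    fields = {"AWS_ACCESS_KEY_ID": "AccessKeyId",
              "AWS_SECRET_ACCESS_KEY": "SecretAccessKey",
              "AWS_SESSION_TOKEN": "Token"}
    if any(not doc.get(name) for name in fields.values()):
        raise ValueError("credentials document is missing a required field")
    return {var: doc[name] for var, name in fields.items()}


def export_lines(env):
    """Quoted shell export lines, meant for eval rather than for the log."""
    return "\n".join(f"export {k}={shlex.quote(v)}" for k, v in sorted(env.items()))


if __name__ == "__main__":
    print(export_lines(to_env(fetch_document(credentials_url()))))
```

In a build command the output would be consumed with `eval "$(python3 ecs_env.py)"` (file name hypothetical) so the values are captured by the shell instead of being written to the build log. The credentials are temporary, so run it immediately before the mvn step.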