Pass AWS CodeBuild IAM Role inside Docker container [unable to locate credentials]


Problem description

The role configured on the CodeBuild project works fine with the runtime environment but doesn't work when we run a command from inside the container; it says "unable to locate credentials".
Let me know how we can use the role out of the box inside the container.

Recommended answer

You can make use of the credential source "EcsContainer" to assume the role seamlessly without having to export new credentials in your buildspec.yml.

credential_source - The credential provider to use to get credentials for the initial assume-role call. This parameter cannot be provided alongside source_profile. Valid values are:

  • Environment to pull source credentials from environment variables.
  • Ec2InstanceMetadata to use the EC2 instance role as source credentials.
  • EcsContainer to use the ECS container credentials as the source credentials.

From: https://docs.aws.amazon.com/cli/latest/topic/config-vars.html

Steps:

Step-0: Create a new Role 'arn:aws:iam::0000000000:role/RoleToBeAssumed' and attach the required policies to provide the permissions required for the commands you are running during the build.

Step-1: Add sts:assumeRole permissions to your CodeBuild Service Role. Here is a sample policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "sts:*",
            "Resource": "arn:aws:iam::0000000000:role/RoleToBeAssumed"
        }
    ]
}

Step-2: Configure your build container to use the credential metadata as the source for assuming the role. Here is a buildspec example:

version: 0.2

phases:
  install:
    runtime-versions:
      nodejs: 8
    commands:
      - aws sts get-caller-identity
      - mkdir -p ~/.aws && touch ~/.aws/config
      - echo "[profile buildprofile]" > ~/.aws/config
      - echo "role_arn = arn:aws:iam::0000000000:role/RoleToBeAssumed" >> ~/.aws/config
      - echo "credential_source = EcsContainer" >> ~/.aws/config
      - aws sts get-caller-identity --profile buildprofile
