在Docker容器内传递AWS CodeBuild IAM角色[无法找到凭证] [英] Pass AWS CodeBuild IAM Role inside Docker container [unable to locate credentials]
问题描述
在CodeBuild项目上配置的角色在运行时环境下可以正常工作,但是当我们从容器内部运行命令时,该角色不起作用,它说无法找到凭据".
让我知道如何在容器内部立即使用该角色.
The role configured on CodeBuild project works fine with the runtime environment but doesn't work when we run a command from inside the container, it says "unable to locate credentials".
Let me know how can we use the role out of the box inside the container.
推荐答案
您可以使用凭据源"EcsContainer"无缝地扮演角色,而无需在buildspec.yml中导出新凭据.
You can make use of credential source "EcsContainer" to assume role seamlessly without having to export new credentials in your buildspec.yml.
credential_source-用于获取初始假定角色调用的凭据的凭据提供程序.不能与source_profile一起提供此参数.有效值为:
credential_source - The credential provider to use to get credentials for the initial assume-role call. This parameter cannot be provided alongside source_profile. Valid values are:
- 从环境变量中提取源凭据的环境.
- Ec2InstanceMetadata,以将EC2实例角色用作源凭据.
- EcsContainer,将ECS容器凭据用作源凭据.
来自: https://docs.aws.amazon.com/cli/latest/topic/config-vars.html
步骤:
第0步:创建一个新角色'arn:aws:iam :: 0000000000:role/RoleToBeAssumed'并附加所需的策略,以提供构建期间正在运行的命令所需的权限.
Step-0: Create a new Role 'arn:aws:iam::0000000000:role/RoleToBeAssumed' and attach required policies to provide the permission required for the commands you are running during the build.
步骤1:向您的CodeBuild服务角色添加sts:assumeRole权限.这是一个示例策略:
Step-1: Add sts:assumeRole permissions to your CodeBuild Service Role. Here is a sample policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "sts:*",
"Resource": "arn:aws:iam::0000000000:role/RoleToBeAssumed"
}
]
}
步骤2:将构建容器配置为使用凭据元数据作为承担角色的来源.这是一个buildspec示例:
Step-2: Configure your build container to use the credential metadata as source for assuming the role. Here is a buildspec example:
version: 0.2
phases:
install:
runtime-versions:
nodejs: 8
commands:
- aws sts get-caller-identity
- mkdir ~/.aws/ && touch ~/.aws/config
- echo "[profile buildprofile]" > ~/.aws/config
- echo "role_arn = arn:aws:iam::0000000000:role/RoleToBeAssumed" >> ~/.aws/config
- echo "credential_source = EcsContainer" >> ~/.aws/config
- aws sts get-caller-identity --profile buildprofile
这篇关于在Docker容器内传递AWS CodeBuild IAM角色[无法找到凭证]的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!