在CodeBuild Maven作业上使用适当的ECS凭证 [英] Use appropriate ECS credentials on CodeBuild maven job

问题描述

我试图在我的mvn命令中使用CodeBuild服务角色，但是它似乎没有获得适当的IAM权限.我正在使用 s3-wagon-private插件，该插件确实在使用DefaultAWSCredentialsProviderChain的最新版本，其中包括EC2ContainerCredentialsProviderWrapper，因此我认为它应该在CodeBuild容器上使用CodeBuild角色.该角色对我尝试使用s3-wagon-private访问的S3存储库具有适当的权限.

I am trying to use the CodeBuild service role in my mvn command, but it does not seem to be picking up the appropriate IAM permissions. I am using s3-wagon-private plugin which does appear to use a recent version of DefaultAWSCredentialsProviderChain that includes EC2ContainerCredentialsProviderWrapper, so I thought it should use the CodeBuild role on the CodeBuild container. That role has the appropriate permissions to the S3 repo I am trying to access with the s3-wagon-private.

但是，似乎在不使用Clojure项目和project.cloj的情况下，默认情况下它将不使用DefaultAWSCredentialsProviderChain.我看过 Spring AWS Maven 和

But it appears that without using a Clojure project and a project.cloj, then it will not use the DefaultAWSCredentialsProviderChain by default. I have looked at Spring AWS Maven and Maven S3 Wagon but both are using a version of the DefaultAWSCredentialsProviderChain prior to the addition of the ECS credentials (AWS SDK ~1.11.14) and haven't seen much update to them so not overly confident we could get the SDK version updated/tested/released.

有人知道使用S3作为最新版本的DefaultCredentialProviderChain的Maven存储库的简单方法吗?

Does anyone know of a simple means for using S3 as maven repo with a recent version of the DefaultCredentialProviderChain?

推荐答案

在使用AWS容器时(如CodeBuild一样).实例元数据与通常的http://169.254.169.254/latest/meta-data/

When using AWS Containers (Like CodeBuild does). The instance metadata is at a different location to the usual http://169.254.169.254/latest/meta-data/

相反. AWS设置环境变量$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI指向正确的URI以获得元数据.为了担当IAM角色，AWS开发工具包和其他工具都需要执行此操作.

Instead. AWS sets an Environment variable $AWS_CONTAINER_CREDENTIALS_RELATIVE_URI which points to the correct URI to obtain metadata. This is required by the AWS SDK's and other tools in order to assume an IAM Role.

AWS容器上的正确URL是:

The correct URL on an AWS Container is:

http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI

当前受支持的AWS开发工具包支持此功能，但较旧的工具可能缺少此功能. AWS实例元数据文档对此进行了解释更多细节.

Currently supported AWS SDK's support this feature, but it may be lacking on older tools. The AWS Instance Metadata documentation explains it it more detail.

这篇关于在CodeBuild Maven作业上使用适当的ECS凭证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！