使用AWS Codebuild时如何读取SSM参数? [英] How to read SSM parameters when using AWS Codebuild?
问题描述
我目前已经成功地将codebuild用于简单的构建任务(在非vpc配置中).
但是现在我试图运行一个读取SSM参数值的构建任务,但由于无法加载任何凭据而失败,显然原因是:
com.amazonaws.auth.InstanceProfileCredentialsProvider@5754b242:无法从服务端点加载凭据 我分配给代码构建项目的IAM服务角色确实具有我要读取的参数的 ssm:GetParameters 权限(如果这是问题所在,我会希望看到一条未经授权的消息,而不是无法加载凭据).
我正在使用Java SDK进行SSM GetParameter调用,我已经确认该操作确实可以在从EC2实例运行时读取SSM参数,因此,我可以肯定这里的问题是Codebuild.
为了进一步诊断问题,我尝试添加构建命令对AWS实例元数据地址执行 curl :
curl 169.254.169.254/latest/meta-data/iam/info 它只是超时,而不是像从普通EC2环境中那样返回实例元数据.
因此,问题的根源似乎似乎是代码构建环境无法与AWS metdata查找地址配合使用,这导致AWS提供程序链无法查找凭证.
如何从代码构建中读取我的SSM参数(不进行硬编码或将环境变量用于SDK凭据)?
我可以问你为什么不使用 AWS CodeBuild 的内置方法吗?您可以通过 AWS CodeBuild 项目的构建规范从 SSM 中获取参数.在这种情况下,将不再通过Java SDK进行额外的调用.
版本:0.2环境:参数存储:核心价值"核心价值"阶段:建造:命令:- 命令- 命令 parameter-store:如果指定了env,并且您要检索存储在Amazon EC2 Systems中的自定义环境变量管理器参数存储.包含键/值标量的映射,其中每个映射代表一个自定义环境变量存储在Amazon EC2 Systems Manager参数存储中.关键是名字您将在以后的构建命令中使用该引用来引用此自定义环境变量,值是自定义环境的名称变量存储在Amazon EC2 Systems Manager参数存储中.
有关更多信息,请查看构建规范参考AWS CodeBuild
I'm currently successfully using codebuild for simple build tasks (in a non-vpc configuration).
But now I'm trying to run a build task that reads an SSM parameter value, and it's failing because it can't load any credentials, the apparent cause being:
com.amazonaws.auth.InstanceProfileCredentialsProvider@5754b242: Unable to load credentials from service endpoint
The IAM service-role I've allocated to the codebuild project does have ssm:GetParameters permission for the parameter that I'm trying to read (and if that were the problem, I'd expect to see an unauthorized message, rather than unable to load credentials).
I'm using the Java SDK to do the SSM GetParameter call, which I've confirmed does work for reading from SSM parameters when run from an EC2 instance, so I'm pretty sure the problem here is Codebuild.
To further diagnose the issue, I tried adding a build command to do a curl against the AWS instance metadata address:
curl 169.254.169.254/latest/meta-data/iam/info
Instead of returning the instance metadata like it would from a normal EC2 environment, it just times out.
So it seems like the root of the problem is that the codebuild environment doesn't work with the AWS metdata lookup address, which causes the AWS provider chain to not be able to look up credentials.
How can I read my SSM parameters from codebuild (without hardcoding or using environment variables for SDK credentials)?
May i ask you why you are not using the built-in approach of AWS CodeBuild? You are able to get parameters out of SSM through the build spec of your AWS CodeBuild project. The additional call through the Java SDK is obsolete in this case.
version: 0.2
env:
parameter-store:
key: "value"
key: "value"
phases:
build:
commands:
- command
- command
parameter-store: Required if env is specified, and you want to retrieve custom environment variables stored in Amazon EC2 Systems Manager Parameter Store. Contains a mapping of key/value scalars, where each mapping represents a single custom environment variable stored in Amazon EC2 Systems Manager Parameter Store. key is the name you will use later in your build commands to refer to this custom environment variable, and value is the name of the custom environment variable stored in Amazon EC2 Systems Manager Parameter Store.
For more informations please check the Build Specification Reference for AWS CodeBuild
这篇关于使用AWS Codebuild时如何读取SSM参数?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
