S3 go getter doesn't work w/ CodeBuild Service Role Creds #152

Open
sdmichelini opened this issue Jan 9, 2019 · 4 comments

@sdmichelini

Issue that was fixed in the aws provider (https://github.com/terraform-providers/terraform-provider-aws/pull/1425/files) does not seem to be fixed here. The issue arises when you try to import a module from s3 while you are running inside CodeBuild.

@sdmichelini sdmichelini changed the title S3 go getter doesn't work in CodeBuild S3 go getter doesn't work w/ CodeBuild Service Role Creds Jan 9, 2019
@m13t

m13t commented Apr 8, 2019

I can confirm this also does not work from within an ECS container. It seems the code is explicitly looking for EC2 instance metadata URLs and does not check for AWS_EXECUTION_ENV=AWS_ECS_EC2 environment variables to ascertain whether to get credentials from AWS_CONTAINER_CREDENTIALS_RELATIVE_URI instead.

@solarmosaic-kflorence

It is terribly confusing that all other places in Terraform work, and this one fails. Took me a while to figure out what the root issue was. Please prioritize this fix!

@solarmosaic-kflorence

Here is a workaround, in accordance with https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html (it can be sourced within a CodeBuild buildspec, for example in the pre_build phase).

#!/usr/bin/env bash
# Query the container credentials endpoint once so that all three values
# come from the same response; --fail makes curl return an error on HTTP errors.
creds=$(curl --silent --fail "http://169.254.170.2:80${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI}")
AWS_ACCESS_KEY_ID=$(printf '%s' "$creds" | jq -r '.AccessKeyId')
AWS_SECRET_ACCESS_KEY=$(printf '%s' "$creds" | jq -r '.SecretAccessKey')
AWS_SESSION_TOKEN=$(printf '%s' "$creds" | jq -r '.Token')
# Export the values so that child processes such as terraform can read them.
export AWS_ACCESS_KEY_ID
export AWS_SECRET_ACCESS_KEY
export AWS_SESSION_TOKEN

Here is the corresponding ticket in terraform: hashicorp/terraform#20439
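
The environment check described in the comments above, together with validation of the JSON document the workaround script parses, as an added Go example (not go-getter's or the AWS SDK's code, and not part of the original thread). `credentialSource` and `fetchContainerCreds` are hypothetical helpers; the caller is assumed to supply the HTTP client and the full endpoint URL.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"os"
	"time"
)

// containerCreds mirrors the JSON fields the workaround script reads, plus Expiration.
type containerCreds struct {
	AccessKeyId, SecretAccessKey, Token string
	Expiration                          time.Time
}

// credentialSource (hypothetical) prefers the container endpoint over EC2 instance metadata.
func credentialSource(getenv func(string) string) string {
	if getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI") != "" {
		return "container"
	}
	return "ec2-metadata"
}

// fetchContainerCreds (hypothetical) requests url once and rejects error
// responses, incomplete documents and credentials that have already expired.
func fetchContainerCreds(client *http.Client, url string, now time.Time) (*containerCreds, error) {
	resp, err := client.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("credentials endpoint returned %s", resp.Status)
	}
	var c containerCreds
	if err := json.NewDecoder(resp.Body).Decode(&c); err != nil {
		return nil, err
	}
	if c.AccessKeyId == "" || c.SecretAccessKey == "" || c.Token == "" {
		return nil, fmt.Errorf("incomplete credentials document")
	}
	if !c.Expiration.After(now) {
		return nil, fmt.Errorf("credentials expired at %s", c.Expiration)
	}
	return &c, nil
}

func main() { fmt.Println("remote credential source:", credentialSource(os.Getenv)) }
```

The credentials document carries an `Expiration`, so values exported once into environment variables are not refreshed for the rest of the build.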

@solarmosaic-kflorence

@azr I believe this has been resolved by #218
