Menu
I have an S3 repository that I want to access in my build process. It contains some of my project's dependencies. My project is deployed to an EC2 instance with a designated role - Repo_dependent. The role has an Access_Repo policy attached to it:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1484560548000",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::my_bucket",
"arn:aws:s3:::my_bucket/*"
]
}
]
}
When I deploy the new server I get a The AWS Access Key Id you provided does not exist in our records. (Service: Amazon S3; Status Code: 403; Error Code: InvalidAccessKeyId; Request ID: 02169BFDCF7AFE10) exception.
My build script is this (abbreviated for simplicity)
buildscript {
repositories {
jcenter()
}
dependencies {
classpath 'com.amazonaws:aws-java-sdk:1.11.83'
}
}
import com.amazonaws.auth.*
repositories {
jcenter()
maven {
url "s3://my_bucket.s3.amazonaws.com"
credentials(AwsCredentials) {
def providercreds = new InstanceProfileCredentialsProvider().getCredentials()
accessKey providercreds.getAWSAccessKeyId()
secretKey providercreds.getAWSSecretKey()
}
}
}
My assumption is that I'm missing something in either how EC2 instances access their roles or something in how roles are defined. When trying to run the same script locally, with a user that has the Access_Repo policy attached to it and instead of using InstanceProfileCredentialsProvider use DefaultAWSCredentialsProviderChain, the build runs fine. However using DefaultAWSCredentialsProviderChain and deploying the instance again resulted in the same exception.
Any help would be very much appreciated.
Testing done using the AWS CLI and using the STSAssumeRoleSessionCredentialsProvider shows the the build script is using the right role with the DefaultAWSCredentialsProviderChain provider. Adding AmazonS3FullAccess policy to the role did not change the result
I'm using Jenkins to deploy the code so my next lead is that maybe something is wrong there
I tried capturing the network traffic to see which credentials are sent to AWS and it seems like different credentials are sent by Gradle and by the AWS CLI so I'm back to my original assumption that Gradle doesn't pull the right role
467
While signed into the portal, choose the AWS Accounts icon to expand the list of accounts. Choose the AWS account from which you want to retrieve access credentials. Then, next to the IAM role name (for example Administrator), choose Command line or programmatic access.
In this example output, the IAM user credentials are stored in the . aws/credentials file. Because these credentials have a higher precedence than role credentials, IAM user credentials are used to make API calls.
The AWS CLIAWS CLIThe AWS Command Line Interface (AWS CLI) is a unified tool to manage your AWS services. With just one tool to download and configure, you can control multiple AWS services from the command line and automate them through scripts.https://aws.amazon.com › cliAWS Command Line Interface stores sensitive credential information that you specify with aws configure in a local file named credentials , in a folder named .aws in your home directory.
If any one encounters this issue. I fixed it after migrating from Gradle 3.0 to 3.3. This allowed me to use the following code:
buildscript {
repositories {
jcenter()
}
dependencies {
}
}
repositories {
jcenter()
maven {
url "s3://my_bucket.s3.amazonaws.com"
authentication {
awsIm(AwsImAuthentication)
}
}
}
task wrapper(type: Wrapper) {
gradleVersion = '3.3'
}
dependencies {
compile 'com.amazonaws:aws-java-sdk-iam:1.11.78'
compile 'com.amazonaws:aws-java-sdk-ec2:1.11.78'
}
When you are using aws profiles, you'll have to set the AWS_PROFILE environment variable as described in the docs to make this working, cause gradle (or aws-sdk) is either using the environment variable AWS_ACCESS_KEY_ID and AWS_SECREST_ACCESS_KEY or the default profile located at ~/.aws/ if set
export AWS_PROFILE=project-x
./gradlew build
or inline
AWS_PROFILE=project-x ./gradlew build
or as an alias in ~/.bashrc or similar, where you can also add some logic based on a config file
alias gw='AWS_PROFILE=project-x ./gradlew'
32
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
