Is there a way to grant IAM instance roles to be used by the build process?
In my particular case I need to perform some S3 operations during the build (unrelated to archiving artifacts).
So far the only alternative I have found is to add an AWS key and secret to the environment variables on the AWS CodeBuild configuration page.
It would be more secure to just attach an IAM role to the EC2 instance or container executing the build. Is that currently (2016-12) possible?
CodeBuild uses the CodeBuild service role as the default AWS credential in the build container and Docker runtime. Export the AssumeRole credentials as environment variables. Then, pass these variables into the Docker runtime by using the --build-arg parameter for docker build.
CodeBuild IAM Requirements
Typically a CodeBuild project will require access to a limited set of AWS resources including CodeBuild, S3, and CloudWatch Logs. The following IAM permission set will create a role that has these default permissions and will be suitable to reuse in any new CodeBuild projects.
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/ . In the navigation pane of the IAM console, choose Roles, and then choose Create role. For Select trusted entity, choose AWS service. Choose the use case for your service.
You can use the AWS CodeBuild console, AWS CLI, or AWS SDK to set up, run, and monitor builds directly with CodeBuild.
You should be able to attach any additional policy permissions to the service role that was created for your build project. CodeBuild uses that policy during build time to execute actions within a build instance.
For example, if you wanted to delete an object from S3 during build, you would need to add the following statement to your service role policy:
    {
        "Effect": "Allow",
        "Resource": [
            "*"
        ],
        "Action": [
            "s3:DeleteObject"
        ]
    }
Note: You may wish to restrict these permissions to specific resources; the example above allows DeleteObject on anything in your account.
If you used the first-run wizard on the CodeBuild console to set up your project, you should already have policies in your service role for s3:GetObject and s3:GetObjectVersion. The service role name when creating via the console is 'codebuild-[project name]-service-role' by default.
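The note about scoping is the part worth automating: before attaching a statement like the one above to the service role, lint the policy document for write actions granted on Resource "*". This is an added example, not code from the original answer or from AWS; the policy is constructed inline and the bucket name and prefix are placeholders.

```python
import json

# Constructed sample policy (not from the original page): the answer's
# statement as written, a scoped version of it, and one read-only statement.
# The bucket name and prefix are placeholders.
SERVICE_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": ["*"], "Action": ["s3:DeleteObject"]},
        {"Effect": "Allow",
         "Resource": ["arn:aws:s3:::example-build-bucket/builds/*"],
         "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:DeleteObject"]},
        {"Effect": "Allow", "Resource": "*", "Action": "s3:ListAllMyBuckets"},
    ],
})

# Verbs that change or remove data; "*" also catches "s3:*" and a bare "*".
WRITE_VERB_PREFIXES = ("delete", "put", "create", "update", "*")


def _as_list(value):
    """IAM allows either a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def is_write_action(action):
    """True for actions that can modify or remove data, including wildcards."""
    action = action.lower()
    if action == "*":
        return True
    _service, _, verb = action.partition(":")
    return verb.startswith(WRITE_VERB_PREFIXES)


def find_unscoped_write_statements(policy_json):
    """Return (statement index, action) for every Allow statement that grants
    a write action on Resource "*", i.e. on every object in the account."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            if is_write_action(action):
                findings.append((idx, action))
    return findings


if __name__ == "__main__":
    for idx, action in find_unscoped_write_statements(SERVICE_ROLE_POLICY):
        print(f"statement {idx}: {action} allowed on every resource; scope it")
```

Run against the sample it reports only statement 0, the unscoped DeleteObject; the scoped copy of the same action on a bucket prefix and the read-only list call pass.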