Using IAM roles on the AWS CodeBuild worker

Is there a way to grant IAM instance roles to be used by the build process?

In my particular case I need to perform some s3 operations during build (unrelated to archiving artifacts).

So far the only alternative I found is to add an aws key and secret to the environment variables on the aws codebuild configuration page.

It would be more secure to just attach an IAM role to the ec2 instance or container executing the build. Is that currently (2016-12) possible?

Daniel Sperry asked Dec 09 '16 15:12



1 Answer

You should be able to attach any additional policy permissions to the service role that was created for your build project. CodeBuild uses that policy during build time to execute actions within a build instance.

For example, if you wanted to delete an object from S3 during build, you would need to add the following statement to your service role policy:

{
    "Effect": "Allow",
    "Resource": [
        "*"
    ],
    "Action": [
        "s3:DeleteObject"
    ]
}

Note: You may wish to restrict these permissions to specific resources; the example above allows DeleteObject on anything in your account.

If you used the first-run wizard on the CodeBuild console to set up your project, you should already have policies in your service role for s3:GetObject and s3:GetObjectVersion. The service role name when creating via the console is 'codebuild-[project name]-service-role' by default.

Bri answered Oct 21 '22 11:10
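As an added example (not code from the original post), the following Python builds the scoped version of the policy the answer's note recommends, with the S3 actions limited to one bucket and key prefix, and includes a small check that flags statements like the one above that grant a mutating S3 action on Resource "*". The bucket name and prefix are constructed placeholders.

```python
import json

# Constructed sample values (not from the original post): the only bucket
# and key prefix the build is allowed to touch.
BUILD_BUCKET = "example-build-scratch-bucket"
BUILD_PREFIX = "ci/"

# S3 actions that change or remove data; granting any of these on "*" is
# what the answer's note warns against.
MUTATING_PREFIXES = ("s3:Delete", "s3:Put", "s3:Abort")


def scoped_s3_statement(bucket, prefix, actions):
    """One Allow statement limiting `actions` to objects under bucket/prefix."""
    return {
        "Effect": "Allow",
        "Action": sorted(actions),
        "Resource": [f"arn:aws:s3:::{bucket}/{prefix}*"],
    }


def build_policy(bucket, prefix):
    """Inline policy document to attach to the CodeBuild service role."""
    object_actions = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            scoped_s3_statement(bucket, prefix, object_actions),
            {   # ListBucket is bucket-level, so it needs the bucket ARN itself
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
            },
        ],
    }


def overly_broad_statements(policy):
    """Return Allow statements granting a mutating S3 action on every resource."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in resources and any(
            a in ("*", "s3:*") or a.startswith(MUTATING_PREFIXES) for a in actions
        ):
            findings.append(stmt)
    return findings


if __name__ == "__main__":
    print(json.dumps(build_policy(BUILD_BUCKET, BUILD_PREFIX), indent=4))
```

Attach the printed document to the service role as an inline policy (for example with `aws iam put-role-policy`) instead of the wildcard statement, and run `overly_broad_statements` over any policy before attaching it.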