0

We have a AWS CodeBuild Project configured with an IAM Role with the required permissions to interact with some AWS services, in this case a DynamoDB table. We are executing a dotnet-script (CSX) file which utilizes the AWS SDKs including the DynamoDB SDK to perform a PutObject operation against a DynamoDB Table.

Typically for apps and services deployed to other AWS compute services like AWS ECS/Fargate or AWS Lambda, our applications are able to just simply instantiate the SDK client(s) for the service(s) and it would follow the standard AWS credential resolution chain and we do not need to provide any explicit hint as to what credentials to be used - and ultimately the associated IAM Service Role would be resolved and utilized for all service calls (for example, var _client = new AmazonDynamoDBClient(); in a AWS Lambda Function handler, would simply utilize the configured IAM Lambda Execution Role for the use of this client).

However, that does not seem to be the case here with executing our dotnet-script/CSX file in our AWS CodeBuild Project; as we are getting a Amazon.Runtime.AmazonServiceException: Unable to find credentials (see full stack trace below with the 4 attempts/places it attempted to resolve access credentials from).

As a sanity check, we also ran a generic aws s3 ls [OurBucketName] command in the CodeBuild buildspec and its successfully listing the objects using the IAM Role configured for this same CodeBuild Project.

We tried to explicitly instantiate the DynamoDB client with the following:

var credentials = new Amazon.Runtime.InstanceProfileAWSCredentials();
_client = new AmazonDynamoDBClient(credentials, new AmazonDynamoDBConfig
{
        RegionEndpoint = RegionEndpoint.USEast1           
});

However, this throws:

Amazon.Runtime.AmazonServiceException: Unable to reach credentials server
   at Amazon.Runtime.InstanceProfileAWSCredentials.GetContents(Uri uri)
   at Amazon.Runtime.InstanceProfileAWSCredentials.<GetAvailableRoles>d__0.MoveNext()
   at Amazon.Runtime.InstanceProfileAWSCredentials.GetFirstRole()
   at Amazon.Runtime.InstanceProfileAWSCredentials..ctor()
   at Submission#0.DynamoDBHelper..ctor() in /tmp/codebuild/output/src767/src/s3/01/LoadStepFunctionPayloads.csx:line 39

I am able to execute the CSX file from local (with AWS credentials configured locally in the credentials files) and the script successfully resolves them.

Lastly, we have previously been able to run full .NET application/executables that leverage the AWS SDKs within CodeBuild Project and it seemed to resolve and utilize the associate IAM Service Role for the CodeBuild Project just fine.

Any guidance or pointers with working here would be appreciated!

Amazon.Runtime.AmazonServiceException: Unable to find credentials

Exception 1 of 4:
System.ArgumentException: App.config does not contain credentials information. Either add the AWSAccessKey and AWSSecretKey or AWSProfileName.
   at Amazon.Runtime.StoredProfileAWSCredentials..ctor(String profileName, String profilesLocation)
   at Amazon.Runtime.StoredProfileAWSCredentials..ctor(String profileName)
   at Amazon.Runtime.StoredProfileAWSCredentials..ctor()
   at Amazon.Runtime.EnvironmentAWSCredentials..ctor()
   at Amazon.Runtime.FallbackCredentialsFactory.<Reset>b__1()
   at Amazon.Runtime.FallbackCredentialsFactory.GetCredentials(Boolean fallbackToAnonymous)

Exception 2 of 4:
System.ArgumentException: App.config does not contain credentials information. Either add the AWSAccessKey and AWSSecretKey or AWSProfileName.
   at Amazon.Runtime.StoredProfileAWSCredentials..ctor(String profileName, String profilesLocation)
   at Amazon.Runtime.StoredProfileAWSCredentials..ctor(String profileName)
   at Amazon.Runtime.StoredProfileAWSCredentials..ctor()
   at Amazon.Runtime.FallbackCredentialsFactory.<Reset>b__2()
   at Amazon.Runtime.FallbackCredentialsFactory.GetCredentials(Boolean fallbackToAnonymous)

Exception 3 of 4:
System.InvalidOperationException: The environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY were not set with AWS credentials.
   at Amazon.Runtime.EnvironmentVariablesAWSCredentials..ctor()
   at Amazon.Runtime.FallbackCredentialsFactory.<Reset>b__3()
   at Amazon.Runtime.FallbackCredentialsFactory.GetCredentials(Boolean fallbackToAnonymous)

Exception 4 of 4:
Amazon.Runtime.AmazonServiceException: Unable to reach credentials server
   at Amazon.Runtime.InstanceProfileAWSCredentials.GetContents(Uri uri)
   at Amazon.Runtime.InstanceProfileAWSCredentials.<GetAvailableRoles>d__0.MoveNext()
   at Amazon.Runtime.InstanceProfileAWSCredentials.GetFirstRole()
   at Amazon.Runtime.InstanceProfileAWSCredentials..ctor()
   at Amazon.Runtime.FallbackCredentialsFactory.<Reset>b__4()
   at Amazon.Runtime.FallbackCredentialsFactory.GetCredentials(Boolean fallbackToAnonymous)


   at Amazon.Runtime.FallbackCredentialsFactory.GetCredentials(Boolean fallbackToAnonymous)
   at Amazon.Runtime.FallbackCredentialsFactory.GetCredentials()
   at Amazon.DynamoDBv2.AmazonDynamoDBClient..ctor(AmazonDynamoDBConfig config)
   at Submission#0.DynamoDBHelper..ctor() in /tmp/codebuild/output/src374/src/s3/01/LoadStepFunctionPayloads.csx:line 31
   at Submission#0.<<Initialize>>d__0.MoveNext() in /tmp/codebuild/output/src374/src/s3/01/LoadStepFunctionPayloads.csx:line 81
--- End of stack trace from previous location ---
   at Dotnet.Script.Core.ScriptRunner.Execute[TReturn](String dllPath, IEnumerable`1 commandLineArgs) in C:\Users\runneradmin\AppData\Local\Temp\tmpy4dcdn\Dotnet.Script.Core\ScriptRunner.cs:line 110
Improve this question

1 Answer 1

Reset to default
0

The environmental variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (and AWS_SESSION_TOKEN) are not prepopulated at runtime in CodeBuild with the credentials for the associated IAM Role. There is an additional explicit step need to retrieve those temporary credentials via a request to the URI populated in the AWS_CONTAINER_CREDENTIALS_FULL_URI environmental variable and then setting those three variables with pieces of the response.

Happy to confirm that doing exactly this allows the dotnet-script/CSX file to execute successfully, picking up the credential material from the environmental variables.

version: 0.2
phases:
  install:
    runtime-versions:
      dotnet: 8.0
    commands:
      - curl -qL -o aws_credentials.json $AWS_CONTAINER_CREDENTIALS_FULL_URI > aws_credentials.json
      - export AWS_ACCESS_KEY_ID=$(cat aws_credentials.json | jq -r '.AccessKeyId')
      - export AWS_SECRET_ACCESS_KEY=$(cat aws_credentials.json | jq -r '.SecretAccessKey')
      - export AWS_SESSION_TOKEN=$(cat aws_credentials.json | jq -r '.Token')
      - dotnet script LoadStepFunctionPayloads.csx $ENVIRONMENT workflow_payload_index.json
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.