Score:0

Accessing EC2 metadata service from CodeBuild instance


I'm running a docker container from within AWS CodeBuild inside my VPC. On the host, I have no problem running aws sts get-caller-identity with no credentials. E.g.:

aws sts get-caller-identity
{
    "UserId": "[redacted]",
    "Account": "[redacted]",
    "Arn": "arn:aws:sts::[redacted]:assumed-role/[redacted]"
}

Inside the docker container however, I get an error trying to get my identity:

% aws sts get-caller-identity
Couldn't reach EC2 metadata service.

Unable to locate credentials. You can configure credentials by running "aws configure".

I assume this is because I can't reach the EC2 metadata service to obtain the role keys, but I thought that should "just work" since the container should have access to the same network as the host.

So I backed out and took another look at the host - it looks like I can't access the metadata service on http://169.254.169.254:

# curl -kv http://169.254.169.254/latest/meta-data/public-hostname
*   Trying 169.254.169.254:80...
* TCP_NODELAY set
* Immediate connect fail for 169.254.169.254: Invalid argument
* Closing connection 0
curl: (7) Couldn't connect to server

How is aws sts working on the host? I thought the AWS CLI needed access to that metadata service if credentials weren't supplied. How can I get it working inside the container (I don't want to pass long lived tokens around in environment variables)?

(edited with additional detail found from exploring directly on SessionManager in the CodeBuild instance)

Tim
CodeBuild builds in containers, not on EC2, though I guess ultimately the containers are on EC2. I guess there's no way to get the instance metadata. Same thing happens on RDS / Oracle, you can't access the instance role. One workaround is to pass in credentials in a parameter.
DrTeeth
Problem there is I actually would need credentials - including managing them, rotating them, passing them around as env vars, etc. The point of instance roles is that I can just say "This CodeBuild project should have these permissions" and I'm done. And this works on the CodeBuild instance, just not inside the docker container spawned on that instance - and I'm not sure how that is - doesn't seem to follow how the AWS CLI is documented. If that is how it is though, how can I get the credentials from the role to pass them to the container?
Score:2

Best I've found for this so far...

Thanks to the comment from @Tim: CodeBuild runs on ECS. When it does that, it pulls credentials from container credentials. Those are apparently pulled from a different IP address, which can be accessed via

http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI

You can extract the role credentials from that call and then pass them into the Docker container.
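The extraction-and-hand-off described above, as an added example (not code from the answer or from AWS): it builds the credential URL from AWS_CONTAINER_CREDENTIALS_RELATIVE_URI, validates the JSON document, and passes the three values into `docker run` by name rather than on the command line. The image name and the SAMPLE_DOC response are assumptions; the field names AccessKeyId, SecretAccessKey, Token and Expiration are those the endpoint returns.

```python
import json
import os
import subprocess
from urllib.request import urlopen

# Link-local host of the ECS container credential provider named in the answer.
ECS_CREDENTIALS_HOST = "http://169.254.170.2"
# Env var names the AWS CLI/SDKs read, keyed by the fields the endpoint returns.
FIELD_TO_ENV = {"AccessKeyId": "AWS_ACCESS_KEY_ID",
                "SecretAccessKey": "AWS_SECRET_ACCESS_KEY",
                "Token": "AWS_SESSION_TOKEN"}
# Constructed sample of the endpoint's response shape, for offline testing only.
SAMPLE_DOC = ('{"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "example-secret", '
              '"Token": "example-token", "Expiration": "2030-01-01T00:00:00Z"}')

def credentials_url(env):
    """Join the host with the relative URI CodeBuild/ECS exports for the task role."""
    relative = env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
    if not relative:
        raise RuntimeError("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI not set; not under ECS/CodeBuild?")
    return ECS_CREDENTIALS_HOST + relative

def parse_credentials(body):
    """Validate the credential document; all three fields are required for a session."""
    doc = json.loads(body)
    missing = [k for k in FIELD_TO_ENV if k not in doc]
    if missing:
        raise ValueError("credential document missing: " + ", ".join(missing))
    return doc

def container_env(creds):
    """Environment handed to the child container, mapped from the document."""
    return {env_name: creds[field] for field, env_name in FIELD_TO_ENV.items()}

def docker_run_args(creds, image, command):
    """`-e NAME` with no value makes docker copy it from its own environment, so the
    secret never sits on the command line (visible to `ps`) or in the build log."""
    args = ["docker", "run", "--rm"]
    for env_name in container_env(creds):
        args += ["-e", env_name]
    return args + [image] + list(command)

if __name__ == "__main__":
    with urlopen(credentials_url(os.environ), timeout=2) as resp:  # temporary role creds
        creds = parse_credentials(resp.read().decode())
    # "my-image:latest" is a placeholder; the session expires at creds["Expiration"].
    cmd = docker_run_args(creds, "my-image:latest", ["aws", "sts", "get-caller-identity"])
    raise SystemExit(subprocess.call(cmd, env={**os.environ, **container_env(creds)}))
```

The credentials are a short-lived session, so re-fetch them for a later build step rather than caching them in a file or image layer.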

Tim
Interesting. I wonder if RDS is similar. If it did, that could've saved us a LOT of time.