
Is there a way to grant IAM instance roles to be used by the build process?

In my particular case I need to perform some S3 operations during the build (unrelated to archiving artifacts).

So far the only alternative I found is to add an AWS key and secret to the environment variables on the AWS CodeBuild configuration page.

It would be more secure to just attach an IAM role to the EC2 instance or container executing the build. Is that currently (2016-12) possible?

Daniel Sperry

1 Answer


You should be able to attach any additional policy permissions to the service role that was created for your build project. CodeBuild uses that policy during build time to execute actions within a build instance.

For example, if you wanted to delete an object from S3 during build, you would need to add the following statement to your service role policy:

```json
{
    "Effect": "Allow",
    "Resource": [
        "*"
    ],
    "Action": [
        "s3:DeleteObject"
    ]
}
```

Note: You may wish to restrict these permissions to specific resources; the example above allows s3:DeleteObject on anything in your account.

If you used the first-run wizard on the CodeBuild console to set up your project, you should already have policies in your service role for s3:GetObject and s3:GetObjectVersion. The service role name when creating via the console is 'codebuild-[project name]-service-role' by default.

Bri
  • I thought service roles only affected the service, not the build container. I'll try this again, adding an s3 command line to the buildspec.yml. Perhaps my s3 client wasn't able to use the container identity provider. – Daniel Sperry Dec 09 '16 at 20:13
  • I wasn't seeing the roles working because the Maven library I was using to access s3 didn't work with container credentials. All good now. – Daniel Sperry Dec 12 '16 at 19:44
  • @DanielSperry I wasn't sure what your exact solution was, but I may have had a similar problem and I posted a workaround solution here http://stackoverflow.com/questions/42794486/use-appropriate-ecs-credentials-on-codebuild-maven-job/42799591#42799591 – Neil Mar 15 '17 at 01:28
  • @Neil I used https://github.com/s3-wagon-private/s3-wagon-private and modified the CodeBuild role to grant it write permissions to the s3 bucket. – Daniel Sperry Mar 16 '17 at 05:57
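As an added example (not part of the original answer, and not CodeBuild's or the AWS SDK's own code), the following Python shows the scoped alternative to the `"Resource": ["*"]` statement in the answer, a small evaluator to confirm the scoping really excludes other buckets, and a helper showing where an SDK that supports container credentials fetches the build's temporary keys, which is the mechanism behind the Maven credential problem discussed in the comments. The bucket name, prefix and the sample environment are constructed assumptions; the `169.254.170.2` host and the `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` variable are the ones the SDK container credential provider uses on CodeBuild and ECS.

```python
"""Least-privilege S3 statement for a CodeBuild service role, plus the
container-credential lookup an AWS SDK performs inside the build container.

Added example, not code from the original answer. Bucket, prefix and the
sample environment below are constructed for illustration.
"""
import json
import re
from typing import Dict, List

# Host of the container credential endpoint used by AWS SDKs' container
# provider; CodeBuild (like ECS) publishes a relative path to it in this env var.
CONTAINER_CREDS_HOST = "http://169.254.170.2"
RELATIVE_URI_VAR = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"


def build_s3_statement(bucket: str, prefix: str, actions: List[str]) -> Dict:
    """Return one IAM Allow statement scoped to object ARNs under bucket/prefix.

    Object-level actions (GetObject, PutObject, DeleteObject) are matched
    against object ARNs, so the resource is arn:aws:s3:::bucket/prefix/*
    instead of "*".
    """
    prefix = prefix.strip("/")
    key_glob = f"{prefix}/*" if prefix else "*"
    return {
        "Effect": "Allow",
        "Action": sorted(actions),
        "Resource": [f"arn:aws:s3:::{bucket}/{key_glob}"],
    }


def _glob_pattern(glob: str) -> "re.Pattern[str]":
    # IAM wildcards: '*' matches any run of characters, '?' matches one.
    escaped = re.escape(glob).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$")


def _as_list(value) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def statement_allows(statement: Dict, action: str, resource_arn: str) -> bool:
    """Minimal evaluator for a single Allow statement (no Condition, no Deny).

    Enough to check that a scoped statement excludes other buckets; it is not
    a replacement for the IAM policy simulator.
    """
    if statement.get("Effect") != "Allow":
        return False
    action_ok = any(_glob_pattern(a).match(action) for a in _as_list(statement["Action"]))
    resource_ok = any(_glob_pattern(r).match(resource_arn) for r in _as_list(statement["Resource"]))
    return action_ok and resource_ok


def is_overbroad(statement: Dict) -> bool:
    """Flag a statement that grants its actions on every resource ('*')."""
    return "*" in _as_list(statement["Resource"])


def container_credentials_url(env: Dict[str, str]) -> str:
    """URL the SDK container credential provider fetches temporary keys from.

    Raises KeyError when the variable is absent (outside CodeBuild/ECS); a
    client library without this provider never looks here and falls back to
    static keys or fails, which matches the Maven symptom in the comments.
    """
    return CONTAINER_CREDS_HOST + env[RELATIVE_URI_VAR]


if __name__ == "__main__":
    stmt = build_s3_statement("my-build-bucket", "artifacts",
                              ["s3:DeleteObject", "s3:PutObject"])
    print(json.dumps({"Version": "2012-10-17", "Statement": [stmt]}, indent=2))
    # Constructed sample environment, mimicking what CodeBuild sets.
    sample_env = {RELATIVE_URI_VAR: "/v2/credentials/example-token"}
    print(container_credentials_url(sample_env))
```

The scoped statement replaces the `"*"` one in the service role policy; the AWS CLI (`aws s3 rm ...` in a buildspec) and the official SDKs resolve credentials through the same container provider, so no static keys need to be placed in the project's environment variables.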