Bypass AWS_ACCESS_KEY* check

Hello

I’m automating my image build process using AWS CodeBuild and AWS CodePipeline. FYI, the build host is a Docker container, as described below:

environment {
    compute_type                = "BUILD_GENERAL1_SMALL"
    image                       = "aws/codebuild/amazonlinux2-x86_64-standard:5.0"
    type                        = "LINUX_CONTAINER"
    image_pull_credentials_type = "CODEBUILD"
}

But I’m getting this error:

EnvAccessKeyNotFound: AWS_ACCESS_KEY_ID or AWS_ACCESS_KEY not found in environment

[Container] 2023/12/09 09:28:58.032338 Command did not exit successfully $HOME/.ops/bin/ops image create app --show-debug --show-errors --show-warnings --target-cloud aws --zone $AWS_DEFAULT_REGION --arch=arm64 --args app --disable-args-copy -e ENVIRONMENT=$ENVIRONMENT -e PORT=$PORT -e GIN_MODE=$GIN_MODE --imagename $IMAGE_NAME --nanos-version $NANOS_VERSION --config config.json exit status 1

Since everything runs within the AWS cloud there is no need to use the mentioned environment variables or pass them as secrets, because permissions to create snapshots/AMIs can be granted to the build host via an IAM policy which is attached to the IAM role assumed by the instance profile.

So, is it possible to bypass this check? If not, I would kindly request this feature to be added; note that managing permissions/access via IAM policies rather than env vars or secrets is the best practice within the AWS cloud.

Thanks and regards,
Ernesto Medina.

The vast majority of people today build outside of AWS so I think we want to keep the checks in place.

Also, just because you have an IAM role doesn’t mean you don’t generate temporary credentials tied to that role. I haven’t used CodeBuild or CodePipeline, but this looks like one method that might help you:

Pass credentials for AssumeRole into Docker with CodeBuild | AWS re:Post, using aws sts assume-role

1 Like
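What the suggested workaround looks like in practice, as an added example (not code from this thread, the ops project, or the linked re:Post article): a small POSIX shell helper a CodeBuild build phase can source before running ops. It calls aws sts assume-role for a role ARN you supply, takes the three credential fields from the CLI's text output, and exports them under the variable names the ops check looks for. The role ARN, session name, and the sample key values in the comments are placeholders; the ASIA prefix check is an added guard that only accepts STS temporary keys.

```shell
#!/bin/sh
# Added example, not the ops project's code: export STS temporary credentials
# under the variable names the ops AWS_ACCESS_KEY_ID check looks for, so a
# CodeBuild step can run `ops image create ... --target-cloud aws` without
# storing any long-term access keys as secrets.

# Take one line in the shape `aws sts assume-role --output text
# --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'` prints
# (three tab-separated fields) and export the three standard variables.
export_aws_creds_from_line() {
    old_ifs=$IFS
    IFS=$(printf '\t')
    # shellcheck disable=SC2086  # splitting on the tab is the point here
    set -- $1
    IFS=$old_ifs
    if [ "$#" -ne 3 ]; then
        echo "expected 3 fields (AccessKeyId SecretAccessKey SessionToken), got $#" >&2
        return 1
    fi
    # Temporary STS key ids start with ASIA; refuse anything else so a stray
    # long-term key (AKIA...) in the pipeline cannot be used by accident.
    case $1 in
        ASIA*) ;;
        *) echo "refusing non-temporary access key id: $1" >&2; return 1 ;;
    esac
    export AWS_ACCESS_KEY_ID=$1
    export AWS_SECRET_ACCESS_KEY=$2
    export AWS_SESSION_TOKEN=$3
}

# Assume an image-build role (its trust policy must allow the CodeBuild
# service role to call sts:AssumeRole) and export the temporary credentials.
# The role ARN and session name are placeholders supplied by the caller.
assume_build_role() {
    role_arn=$1
    session_name=${2:-codebuild-ops-image}
    creds=$(aws sts assume-role \
        --role-arn "$role_arn" \
        --role-session-name "$session_name" \
        --duration-seconds 3600 \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text) || return 1
    export_aws_creds_from_line "$creds"
}

# Typical use inside a buildspec `build` phase (the ARN is a placeholder);
# the export and the ops call must happen in the same shell so the variables
# are still present when ops runs:
#   assume_build_role "arn:aws:iam::123456789012:role/ops-image-builder"
#   "$HOME/.ops/bin/ops" image create app --target-cloud aws \
#       --zone "$AWS_DEFAULT_REGION" --imagename "$IMAGE_NAME" --config config.json
if [ -n "${1:-}" ]; then
    assume_build_role "$1"
fi
```

Two caveats worth knowing before relying on this: the credentials returned by assume-role expire after the requested duration, so run ops in the same phase in which they were exported; and the CodeBuild container already holds temporary credentials for its service role (the AWS CLI and SDKs pick them up through the container credential provider without any environment variables), which is why aws commands work in the build while a tool that insists on AWS_ACCESS_KEY_ID in the environment does not.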

Indeed, the HTTP request needs to be signed anyway; temporary credentials based on the assumed role are a good solution. Thanks for sharing the link.
We can close this topic.

Regards,
Ernesto.