How to read SSM parameters when using AWS Codebuild?
I'm currently successfully using codebuild for simple build tasks (in a non-vpc configuration).
But now I'm trying to run a build task that reads an SSM parameter value, and it's failing because it can't load any credentials, the apparent cause being:
com.amazonaws.auth.InstanceProfileCredentialsProvider@5754b242: Unable to load credentials from service endpoint
The IAM service-role I've allocated to the codebuild project does have ssm:GetParameters permission for the parameter that I'm trying to read (and if that were the problem, I'd expect to see an unauthorized message, rather than unable to load credentials).
I'm using the Java SDK to do the SSM GetParameter call, which I've confirmed does work for reading from SSM parameters when run from an EC2 instance, so I'm pretty sure the problem here is Codebuild.
To further diagnose the issue, I tried adding a build command to do a curl against the AWS instance metadata address:
curl 169.254.169.254/latest/meta-data/iam/info
Instead of returning the instance metadata like it would from a normal EC2 environment, it just times out.
So it seems like the root of the problem is that the codebuild environment doesn't work with the AWS metadata lookup address, which causes the AWS provider chain to not be able to look up credentials.
How can I read my SSM parameters from codebuild (without hardcoding or using environment variables for SDK credentials)?
Solution 1:[1]
The answer from MaiKaY is the best solution to the problem of "how to get SSM parameter values into your build" (better for the buildspec to be bound to the name of the SSM parameter rather than code or build scripts).
But in case anyone else stumbles upon this question while dealing with the same issue - the problem was with the underlying code from the initial question, sort of related to the answer from Clare Liguori.
I was using a recent AWS SDK - but I wasn't using it the right way. I was using a simple constructor of the AWSSimpleSystemsManagementClient class, which is rarely the right thing to do.
The better way to construct your client is to use the AWSSimpleSystemsManagementClientBuilder class, like:
AWSSimpleSystemsManagementClientBuilder.standard().build()
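The following is an added example, not code from the question or any of the answers: a complete AWS SDK for Java 1.x program that builds the client as shown above and separates a credential-loading failure from an IAM denial, the distinction the question relies on. The class name and the parameter name `/example/build/db-password` are hypothetical.

```java
import com.amazonaws.AmazonServiceException;
import com.amazonaws.SdkClientException;
import com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagement;
import com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClientBuilder;
import com.amazonaws.services.simplesystemsmanagement.model.GetParametersRequest;
import com.amazonaws.services.simplesystemsmanagement.model.GetParametersResult;

public class ReadBuildParameter {
    public static void main(String[] args) {
        // Hypothetical parameter name; pass the real one as the first argument.
        String name = args.length > 0 ? args[0] : "/example/build/db-password";

        try {
            // standard() uses the SDK's default credential provider chain and
            // region lookup; no access keys appear in code or build variables.
            AWSSimpleSystemsManagement ssm =
                    AWSSimpleSystemsManagementClientBuilder.standard().build();

            // GetParameters is the call covered by the ssm:GetParameters permission.
            GetParametersResult result = ssm.getParameters(new GetParametersRequest()
                    .withNames(name)
                    .withWithDecryption(true)); // needed to read SecureString values

            // GetParameters reports unknown names here instead of throwing.
            if (!result.getInvalidParameters().isEmpty()) {
                System.err.println("Parameter not found: " + result.getInvalidParameters());
                System.exit(2);
            }
            String value = result.getParameters().get(0).getValue();
            // Report only the length so the secret never reaches the build log.
            System.out.println("Read " + name + " (" + value.length() + " characters)");
        } catch (AmazonServiceException e) {
            // The request was signed and sent, and the service rejected it.
            // An IAM problem shows up here, e.g. error code AccessDeniedException.
            System.err.println("SSM rejected the call: " + e.getErrorCode()
                    + " (HTTP " + e.getStatusCode() + ")");
            System.exit(3);
        } catch (SdkClientException e) {
            // No service response: credentials or region could not be resolved,
            // or the endpoint was unreachable. "Unable to load credentials"
            // failures land here, before IAM permissions are ever evaluated.
            System.err.println("Client-side failure: " + e.getMessage());
            System.exit(4);
        }
    }
}
```

The distinct exit codes let a build step tell a missing parameter (2), a service-side rejection (3) and a client-side credential or connectivity failure (4) apart without printing the value.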
Solution 2:[2]
Your AWS Java SDK is likely out of date. The minimum version for retrieving credentials in CodeBuild is 1.11.16. https://docs.aws.amazon.com/codebuild/latest/userguide/troubleshooting.html#troubleshooting-versions
Solution 3:[3]
Adding to MaiKaY's answer, make sure the parameter in SSM Parameter Store is in SecureString format and NOT in String. I struggled with this for days and finally added the variables through the CodeBuild console, which automatically stores them as SecureString.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Shorn |
| Solution 2 | Clare Liguori |
| Solution 3 | amol |
