How to generate an AWS profile in `~/.aws/config` for use in a CodeBuild Project
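I'm using a tool called dbt, whose database authentication method uses IAM. Unfortunately, the IAM profile does not exist when the CodeBuild project is built, because it uses an instance profile. As a result, I can't connect to my database.

Referring to this question, I tried running `aws sts get-caller-identity` in the project to see whether I could get some of the values I need returned, but it returns

`botocore.exceptions.ProfileNotFound: The config profile (***) could not be found`

Does anyone know how to generate my own `~/.aws/config` in a CodeBuild project?

Edit: The tool uses boto3 to generate temporary credentials here: https://github.com/fishtown-analytics/dbt/blob/9d00c000720d17c42a4fa08a26b75bd500cc857f/plugins/redshift/dbt/adapters/redshift/connections.py#L101-L123
but it doesn't seem to be able to generate these credentials in a CodeBuild project.

Edit:

`buildspec.yml`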
```yaml
version: 0.2
env:
  variables:
    MODELS_REPO: dbt-dev
    PYTHON_VERSION: 3.8
  parameter-store:
    AWS_ENVIRONMENT: "/cloudformation/environment"
    AWS_PROFILE: "/cloudformation/environment"
    CODEARTIFACT_COMPANY: "/codeartifact/company"
    GITHUB_OWNER: "/github/owner"
    GITHUB_PERSONAL_ACCESS_TOKEN: "/secret/github/token"
    GITHUB_USER: "/github/user"
phases:
  install:
    runtime-versions:
      python: "${PYTHON_VERSION}"
    commands:
      - pip install -r projects/${PROJECT_NAME}/requirements.txt
      - ./projects/${PROJECT_NAME}/.aws/phases/install.sh
  pre_build:
    commands:
      - ./projects/${PROJECT_NAME}/.aws/phases/pre_build.sh
  build:
    commands:
      - ./projects/${PROJECT_NAME}/.aws/phases/build.sh
  post_build:
    commands:
      - ./projects/${PROJECT_NAME}/.aws/phases/post_build.sh
cache:
  paths:
    - /root/.cache/pip
    - /root/.cache/pip/**/*
    - ~/.cache/pip
    - ~/.cache/pip/**/*
```
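The following script should work for your use case:

```bash
# Install jq to parse the JSON returned by the AWS CLI
apt install jq -y

# Request temporary credentials from STS
creds=$(aws sts get-session-token)

# -r prints raw strings; without it the values keep their JSON double quotes
AWS_ACCESS_KEY_ID=$(echo "$creds" | jq -r '.Credentials.AccessKeyId')
AWS_SECRET_ACCESS_KEY=$(echo "$creds" | jq -r '.Credentials.SecretAccessKey')
AWS_SESSION_TOKEN=$(echo "$creds" | jq -r '.Credentials.SessionToken')

# Write the profile named by $AWS_PROFILE into the AWS CLI configuration
aws configure --profile "$AWS_PROFILE" set region "us-east-1"
aws configure --profile "$AWS_PROFILE" set output "json"
aws configure --profile "$AWS_PROFILE" set aws_secret_access_key "$AWS_SECRET_ACCESS_KEY"
aws configure --profile "$AWS_PROFILE" set aws_access_key_id "$AWS_ACCESS_KEY_ID"
aws configure --profile "$AWS_PROFILE" set aws_session_token "$AWS_SESSION_TOKEN"
```

You can change the region as needed.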
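An alternative that keeps keys off disk, as an added example that is not part of the original answer: it creates the named profile with only `region` and `output`, which stops `ProfileNotFound` and leaves boto3 to resolve the role credentials CodeBuild exposes through `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`. The helper names `ensure_aws_profile` and `has_container_credentials` are hypothetical, and the fall-through to container credentials is an assumption about boto3's default credential chain.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer); helper names are hypothetical.
# The profile holds no keys, so nothing secret lands in the config file or
# in any build cache or artifact that happens to include it.

ensure_aws_profile() {
    local profile="$1" region="${2:-us-east-1}"
    local config="${AWS_CONFIG_FILE:-$HOME/.aws/config}"
    local header

    # Reject empty names and characters that could break out of the INI header.
    case "$profile" in
        ''|*[!A-Za-z0-9_.-]*) echo "invalid profile name" >&2; return 2 ;;
    esac

    # The config file names the default profile [default], others [profile NAME].
    if [ "$profile" = "default" ]; then
        header="[default]"
    else
        header="[profile $profile]"
    fi

    # Create the directory and file readable by the build user only.
    (umask 077 && mkdir -p "$(dirname "$config")" && touch "$config") || return 1
    chmod 600 "$config"

    # Idempotent: leave an existing section untouched.
    if grep -qxF "$header" "$config"; then
        return 0
    fi

    printf '%s\nregion = %s\noutput = json\n\n' "$header" "$region" >> "$config"
}

# Guard for environments where the role credentials are not exposed.
has_container_credentials() {
    [ -n "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}" ]
}
```

Call `ensure_aws_profile "$AWS_PROFILE"` from the install phase script, before dbt runs.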