0 votes
1 view
in AWS by (17.6k points)

I have an S3 repository that I want to access in my build process. It contains some of my project's dependencies. My project is deployed to an EC2 instance with a designated role - Repo_dependent. The role has an Access_Repo policy attached to it:

{

"Version": "2012-10-17",

"Statement": [

    {

        "Sid": "Stmt1484560548000",

        "Effect": "Allow",

        "Action": [

            "s3:GetObject",

            "s3:ListBucket",

            "s3:GetBucketLocation"

        ],

        "Resource": [

            "arn:aws:s3:::my_bucket",

            "arn:aws:s3:::my_bucket/*"

        ]

    }

  ]

}

When I deploy the new server I get a The AWS Access Key Id you provided does not exist in our records. (Service: Amazon S3; Status Code: 403; Error Code: InvalidAccessKeyId; Request ID: 02169BFDCF7AFE10) exception.

My build script is this (abbreviated for simplicity)

buildscript {

  repositories {

    jcenter()

  }

  dependencies {

    classpath 'com.amazonaws:aws-java-sdk:1.11.83'

  }

}

import com.amazonaws.auth.*

repositories {

  jcenter()

  maven {

    url "s3://my_bucket.s3.amazonaws.com"

    credentials(AwsCredentials) {

        def providercreds = new InstanceProfileCredentialsProvider().getCredentials()

        accessKey providercreds.getAWSAccessKeyId()

        secretKey providercreds.getAWSSecretKey()

    }

  }

}

My assumption is that I'm missing something in either how EC2 instances access their roles or something in how roles are defined. When trying to run the same script locally, with a user that has the Access_Repo policy attached to it and instead of using InstanceProfileCredentialsProvider use DefaultAWSCredentialsProviderChain, the build runs fine. However, using DefaultAWSCredentialsProviderChain and deploying the instance again resulted in the same exception.

Any help would be very much appreciated.

1 Answer

0 votes
by (41.4k points)

After upgrading from Gradle 3.0 to 3.3, I was able to fix it using this code:

buildscript {

  repositories {

    jcenter()

  }

  dependencies {

  }

}

repositories {

  jcenter()

  maven {

    url "s3://my_bucket.s3.amazonaws.com"

    authentication {

        awsIm(AwsImAuthentication)

    }

  }

}

task wrapper(type: Wrapper) {

  gradleVersion = '3.3'

}

dependencies {

    compile 'com.amazonaws:aws-java-sdk-iam:1.11.78'

    compile 'com.amazonaws:aws-java-sdk-ec2:1.11.78'

}

...