Reputation: 320
So I've written a set of deployment scripts that run in CodeBuild and use Boto3 to deploy some dockerised apps to ECS. The problem I'm having is when I want to deploy to our separate production account.
If I'm running the CodeBuild project from the dev account but want to create resources in the production account, it's my understanding that I should set up a role in the target account, allow the codebuild role to assume it, then call:
import boto3

sts_client = boto3.client('sts')
response = sts_client.assume_role(
    RoleArn=arn_of_a_role_I_set_up,
    RoleSessionName=some_name
)
This returns an access key, secret key, and session token. This works and returns what I'd expect.
Then what I want to do is just assign those values to these environment variables:
AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
This is because, according to the documentation here: http://boto3.readthedocs.io/en/latest/guide/configuration.html, Boto3 should defer to those if you don't explicitly set credentials in the client or session methods.
However, when I do this the resources still get created in the same dev account.
Also, if I call printenv in the first part of my buildspec.yml, before my scripts attempt to set the environment variables, those AWS key/secret/token variables aren't present at all.
So when it's running in CodeBuild, where is Boto3 getting its credentials from?
Is the solution just going to be to pass in a key/secret/token to every boto3.client() call to be perfectly sure?
Upvotes: 4
Views: 1749
Reputation: 1650
The credentials in the CodeBuild environment are from the service role associated with your CodeBuild project. Boto and botocore will use the "ContainerProvider" automatically to grab those credentials in the CodeBuild environment.
Upvotes: 4