AWS CodeBuild Operations

From NovaOrdis Knowledge Base
Revision as of 05:35, 15 February 2019

Internal

Create a Build Project

Project configuration

Select Build badge.

Source

Source provider: GitHub

Repository in my GitHub account.

Additional configuration

Git clone depth: 1

Primary source webhook events

Webhook - Rebuild every time a code change is pushed to this repository. Enable and experiment with that. Keep in mind that with the webhook on, anyone who can push to the repository can start a build that runs with the project's service role and sees the project's environment variables, so restrict push access accordingly.

Environment

Environment image: Managed image

Operating system: Ubuntu

Runtime: Java

Runtime version: aws/codebuild/java:openjdk-8


The Java runtime image may ship an obsolete Gradle version. If that is the case, generate the Gradle wrapper in your project (gradle wrapper), commit it, and configure the buildspec file to build with ./gradlew, so the build uses the wrapper's pinned Gradle version instead of the one in the image.

Privileged: Enable this flag only if the build needs to build Docker images. It gives the build container elevated privileges on the build host so the Docker daemon can run; leave it off for builds that do not need it.

Service role:

For the implications on the build process of correctly configuring the service role, see:

CodeBuild Service Role

Allow AWS CodeBuild to modify this service role so it can be used with this build project. If selected, the console configuration code updates the role so it contains the appropriate policies.

If you get:

The policy's default version was not created by enhanced zero click role creation or was not the most recent version created by enhanced zero click role creation.

unselect "Allow AWS CodeBuild to modify ..."

Environment variables:

For more details see:

CodeBuild Concepts - Environment Variables

User-defined environment variable names cannot start with CODEBUILD_; the prefix is reserved for the variables CodeBuild sets itself.

Name: CODEBUILD_SOURCE_VERSION, Value: "unity" (for GitHub, this is the branch name to be used). Because of the reserved prefix, the branch is in practice selected through the Source version field when the build is started, see Run a Build Project below.

For personal account:

  • Name: AWS_ACCESS_KEY Value: ...
  • Name: SK Value: TBD

For shared build account:

  • Name: AWS_ACCESS_KEY_ID
  • Name: AWS_SECRET_ACCESS_KEY

Plaintext environment variables are stored in the project definition, are readable by anyone who can view the project in the console or call codebuild:BatchGetProjects, and end up in the build log if a build command dumps its environment. Prefer granting the needed permissions to the service role instead of passing static access keys; if keys cannot be avoided, keep them in Systems Manager Parameter Store as SecureString parameters and reference them with the "Parameter" type instead of "Plaintext".

Additional Configuration

Timeout: 20 minutes.

Buildspec

Use a buildspec file.

Specify the name of the file, if it is not buildspec.yml.
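The following buildspec is an added example, not a file from this page or from the NovaOrdis project. It ties together the points above: it builds with the committed Gradle wrapper rather than the image's Gradle, logs in to ECR with the service role's credentials (so no access keys are needed as environment variables), and pulls a secret from Parameter Store instead of a plaintext variable. Assumptions: the repository is named "unity", a Dockerfile sits at the repository root, the Gradle build writes jars to build/libs, the Gradle script reads a project property named repoPassword, the SSM parameter path /playground/artifact-repo-password exists, and the project has the Privileged flag on.

```yaml
version: 0.2

env:
  variables:
    # Assumed ECR repository name; change to the real one.
    IMAGE_REPO_NAME: unity
  parameter-store:
    # Assumed SSM SecureString parameter. It is injected as an environment
    # variable at build time but never stored in the project definition.
    # The service role needs ssm:GetParameters (and kms:Decrypt for the key) on it.
    ARTIFACT_REPO_PASSWORD: /playground/artifact-repo-password

phases:
  pre_build:
    commands:
      # AWS_DEFAULT_REGION and CODEBUILD_RESOLVED_SOURCE_VERSION are set by CodeBuild.
      # The account id comes from the service role's own credentials.
      - ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
      - REGISTRY=${ACCOUNT_ID}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com
      - IMAGE_TAG=$(echo "$CODEBUILD_RESOLVED_SOURCE_VERSION" | cut -c 1-12)
      # ECR login: needs ecr:GetAuthorizationToken on the build's IAM principal
      # and the Privileged flag so the Docker daemon is available.
      # On older CLI v1 images use: $(aws ecr get-login --no-include-email)
      - aws ecr get-login-password | docker login --username AWS --password-stdin "${REGISTRY}"
  build:
    commands:
      # The wrapper pins the Gradle version, so the image's Gradle is irrelevant.
      # The password is passed as a project property, assumed to be read by build.gradle.
      - ./gradlew --no-daemon -PrepoPassword="$ARTIFACT_REPO_PASSWORD" clean build
      - docker build -t "${IMAGE_REPO_NAME}:${IMAGE_TAG}" .
  post_build:
    commands:
      - docker tag "${IMAGE_REPO_NAME}:${IMAGE_TAG}" "${REGISTRY}/${IMAGE_REPO_NAME}:${IMAGE_TAG}"
      - docker push "${REGISTRY}/${IMAGE_REPO_NAME}:${IMAGE_TAG}"

artifacts:
  files:
    - build/libs/*.jar
```

Because shell variables set in pre_build stay visible in the later phases, the registry and tag are computed once. Nothing in this file prints the secret; avoid commands such as env or printenv in a buildspec, since their output goes straight to CloudWatch Logs.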

Artifacts

Logs

CloudWatch

Select CloudWatch logs.

Group Name: /playground

Stream Name: ops-unity-build

You must enable CloudWatch logging if you want any kind of build log, including the "console" log shown in the build details. The service role also needs logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents on that log group; otherwise the build runs but produces no log.

Run a Build Project

Run Build

Source version: unity

Environment variables override:

SK:

Start Build

Troubleshooting

Generic troubleshooting advice:

https://docs.aws.amazon.com/codebuild/latest/userguide/troubleshooting.html

ECR AccessDeniedException

An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::673499572719:user/codebuild-p2 is not authorized to perform: ecr:GetAuthorizationToken on resource: *

The principal named in the error is the one the build actually authenticated as (here the IAM user codebuild-p2, i.e. the access keys passed in as environment variables, not the project's service role). Add ecr:GetAuthorizationToken to the policy attached to that principal. The statement below makes the error go away but grants extremely lax permissions (every ECR action on every resource) and should be tightened to the actions and the repository the build actually needs:

{
  ...
  "Sid": "VisualEditor1",
  "Effect": "Allow",
  "Action": "ecr:*",
  "Resource": "*"
}
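A tightened version of that statement, as an added example rather than a policy from this page: ecr:GetAuthorizationToken does not support resource-level restrictions, so its Resource stays "*", while the layer and image operations a docker push/pull needs are scoped to a single repository. The region us-east-1, the account id 123456789012 and the repository name unity are placeholders. Attach the policy to whichever principal the build uses: the service role when the build runs on role credentials, or the IAM user whose keys are passed in as environment variables.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EcrLogin",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Sid": "EcrPushPullOneRepository",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:PutImage"
      ],
      "Resource": "arn:aws:ecr:us-east-1:123456789012:repository/unity"
    }
  ]
}
```

If the build only pulls images, drop the four upload actions and ecr:PutImage; if it pushes to several repositories, list their ARNs rather than falling back to "*".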