2
votes

Say I use aws-cli locally on my machine; I'd need to authenticate with credentials prior to any operation.

How do AWS services give permission to other services on my behalf? And more specifically, how does a container run aws-cli on my behalf without prior authentication?

I am asking this after running my first pipeline successfully in CodePipeline. My buildspec.yml runs the aws s3 sync command flawlessly, which made me wonder how AWS permissions work internally.


1 Answer

2
votes

AWS CodeBuild uses an IAM Service Role to provide AWS permissions to the CodeBuild environment. You should have had to create a service role for your CodeBuild configuration.

When the AWS CLI tool runs and hasn't been previously configured with API access keys, it will check whether it is running in an AWS environment like EC2 or Lambda and, if so, it will use the AWS IAM role assigned to that runtime environment.
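The lookup the answer describes can be modelled as an ordered search. This is an added example, not code from the answer or from the AWS CLI: a simplified model of the documented default credential chain that reports which source would win in a given environment. The function name credential_source and all sample values are assumptions made for illustration.

```python
import configparser
from pathlib import Path


def credential_source(env, home):
    """Name the first credential source found, in lookup order.

    Simplified model (assumption): SSO, web identity, assume-role profiles
    and credential_process are left out.
    """
    # 1. Static keys exported into the process environment.
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return "environment variables"

    # 2. Keys written by `aws configure` to the shared credentials file.
    profile = env.get("AWS_PROFILE", "default")
    default_path = Path(home) / ".aws" / "credentials"
    cred_file = Path(env.get("AWS_SHARED_CREDENTIALS_FILE", default_path))
    if cred_file.is_file():
        parser = configparser.ConfigParser()
        parser.read(cred_file)
        if parser.has_option(profile, "aws_access_key_id"):
            return f"shared credentials file (profile {profile})"

    # 3. Container credential endpoint: temporary keys for the role attached
    #    to the container, fetched over HTTP at run time.
    if (env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
            or env.get("AWS_CONTAINER_CREDENTIALS_FULL_URI")):
        return "container credential endpoint (role of the container)"

    # 4. Last resort: the EC2 instance metadata service.
    return "EC2 instance metadata (instance profile role), if reachable"


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as empty_home:  # no ~/.aws present
        # Constructed environments, not captured from a real build.
        build_env = {"AWS_CONTAINER_CREDENTIALS_RELATIVE_URI": "/constructed"}
        leaked = dict(build_env, AWS_ACCESS_KEY_ID="AKIACONSTRUCTED",
                      AWS_SECRET_ACCESS_KEY="constructed")
        print(credential_source(build_env, empty_home))
        print(credential_source(leaked, empty_home))
```

The second case shows why static keys left in a build environment matter: they take precedence over the service role. In a real environment, aws sts get-caller-identity shows which identity a command actually runs as, and aws configure list shows where the credentials came from.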