I want to use AWS CodeBuild to run AWS Command Line Interface (AWS CLI) commands across AWS accounts.
Resolution
Note: If you receive errors when you run AWS CLI commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
The following resolution configures a CodeBuild project in account A to run AWS CLI commands in account B.
Prerequisite: Create a build project in account A.
Create an IAM role in account B to perform the AWS CLI commands
Complete the following steps:
- In account B, open the AWS Identity and Access Management (IAM) console.
- In the navigation pane, choose Roles, and then choose Create role.
- Choose AWS account role type.
- In the An AWS account section, choose Another AWS account.
- For Account ID, enter the account ID of account A.
- Choose Next.
- Select the policy with permissions to run AWS CLI commands in account B.
- Choose Next.
- In the Role name field, enter a name for the role.
- Choose Create role.
- Note the IAM role's Amazon Resource Name (ARN).
Attach an IAM policy to the CodeBuild service role to assume the role
Complete the following steps:
- In account A, open the CodeBuild console.
- In the navigation pane, choose Build projects.
- Select the build project that performs the cross-account actions.
- In the CodeBuild project, choose the Project details tab.
- In the Environment section, select the Service role ARN.
- In the new IAM console window, choose Add Permissions, and then choose Add inline policy.
- Enter the following policy in the JSON tab:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCrossAccountAccess",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "ACCOUNT_B_ROLE_ARN"
        }
    ]
}
Note: Replace ACCOUNT_B_ROLE_ARN with the IAM role's ARN.
- Choose Next.
- In the Policy name field, enter a name for the policy.
- Choose Create policy.
Modify the CodeBuild project buildspec
If the buildspec file is in the CodeBuild project, then complete the following steps:
- Open the CodeBuild console.
- In the navigation pane, choose Build projects.
- Select your build project, and then choose Edit.
- In the Buildspec section, add the assume-role AWS CLI command and cross-account commands in the following order:
- CREDS=$(aws sts assume-role \
--role-arn $ACCOUNT_B_ROLE_ARN \
--role-session-name "session")
- export AWS_ACCESS_KEY_ID=$(echo $CREDS | jq -r '.Credentials.AccessKeyId')
- export AWS_SECRET_ACCESS_KEY=$(echo $CREDS | jq -r '.Credentials.SecretAccessKey')
- export AWS_SESSION_TOKEN=$(echo $CREDS | jq -r '.Credentials.SessionToken')
Note: Replace ACCOUNT_B_ROLE_ARN with the IAM role's ARN. If the buildspec file is in your source code, then add the assume-role AWS CLI command before cross-account commands in the buildspec file.
- Choose Update Project.
To run an AWS CLI command in account B, run the CLI command after the assume-role and export commands.
To revert to your previous CodeBuild service role permissions, run the following unset commands:
- unset AWS_ACCESS_KEY_ID
- unset AWS_SECRET_ACCESS_KEY
- unset AWS_SESSION_TOKEN
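As an added example that is not part of the original article, the following POSIX shell helpers wrap the assume-role, export and unset sequence from the buildspec above into functions that a build phase can source. They also add the two checks a practitioner usually wants here: refusing to continue if assume-role returned no credentials, and giving the session a name derived from the build ID so that CloudTrail in account B shows which build acted. ACCOUNT_B_ROLE_ARN and CODEBUILD_BUILD_ID are placeholders supplied by the build environment; the sed fallback parser and the RUN_ASSUME_ROLE_DEMO guard are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original article. Helpers for the
# assume-role / export / unset sequence used in the buildspec above.
# ACCOUNT_B_ROLE_ARN and CODEBUILD_BUILD_ID are placeholders supplied by the
# build environment; the sed fallback and the RUN_ASSUME_ROLE_DEMO guard are
# assumptions made for this example.

# Read one field of the "Credentials" object from assume-role JSON ($1).
# Uses jq (as the article does) when it is installed, sed otherwise, so the
# helper also works in minimal build images.
json_field() {
    if command -v jq >/dev/null 2>&1; then
        printf '%s' "$1" | jq -r ".Credentials.$2"
    else
        printf '%s\n' "$1" | sed -n "s/.*\"$2\": *\"\\([^\"]*\\)\".*/\\1/p" | head -n 1
    fi
}

# Export the temporary credentials from assume-role JSON ($1) into the
# environment, as the three export lines in the buildspec do. Refuses to
# export a partial or empty set, so a failed assume-role cannot leave later
# commands running silently under the CodeBuild service role instead.
use_assumed_role_creds() {
    _ak=$(json_field "$1" AccessKeyId)
    _sk=$(json_field "$1" SecretAccessKey)
    _st=$(json_field "$1" SessionToken)
    for _v in "$_ak" "$_sk" "$_st"; do
        if [ -z "$_v" ] || [ "$_v" = null ]; then
            echo "assume-role output is missing credentials" >&2
            unset _ak _sk _st _v
            return 1
        fi
    done
    AWS_ACCESS_KEY_ID=$_ak
    AWS_SECRET_ACCESS_KEY=$_sk
    AWS_SESSION_TOKEN=$_st
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
    unset _ak _sk _st _v
}

# Drop the account B credentials again: the article's three unset commands.
drop_assumed_role_creds() {
    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Derive a role session name from the CodeBuild build ID so that CloudTrail
# in account B records which build acted. STS only allows [A-Za-z0-9+=,.@_-]
# and at most 64 characters; the build ID contains a colon, so sanitise it.
session_name_from_build_id() {
    _name=$(printf 'codebuild-%s' "$1" | tr -c '[:alnum:]+=,.@_-' '-')
    printf '%s\n' "$_name" | cut -c1-64
    unset _name
}

# Build-phase usage (guarded so the file can be sourced without calling AWS):
if [ "${RUN_ASSUME_ROLE_DEMO:-0}" = 1 ]; then
    CREDS=$(aws sts assume-role \
        --role-arn "$ACCOUNT_B_ROLE_ARN" \
        --role-session-name "$(session_name_from_build_id "$CODEBUILD_BUILD_ID")" \
        --duration-seconds 900)           # shortest session STS allows
    use_assumed_role_creds "$CREDS"
    aws sts get-caller-identity           # should now show account B's role
    drop_assumed_role_creds
fi
```

In a buildspec, source this file in the build phase and set RUN_ASSUME_ROLE_DEMO=1, or call the functions directly around the account B commands. The session name matters for incident response: every API call made with the assumed credentials is logged in account B under that name, so a name built from the build ID lets you trace an action back to one build rather than to "session". The 900-second duration is the shortest STS accepts; it must not exceed the maximum session duration configured on the account B role (one hour by default), and a short lifetime limits how long leaked build credentials stay usable.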