credential behavior used by codedeploy-agent differed depending on Amazon Linux version #399

Open
plane11 opened this issue Aug 8, 2024 · 0 comments


plane11 commented Aug 8, 2024

Summary

The presence or absence of an IAM credential file on the instance where the CodeDeploy Agent is installed produces different results.

Environment

Common

  • CodeDeploy Agent : OFFICIAL_1.7.0-92_rpm

AMI
(There is no difference in the detailed version. It is the same even if you use the latest version.)

  • AL2 : ami-01fccab91b456acc2 (al2023-ami-2023.5.20240708.0-kernel-6.1-x86_64)
  • AL2023 : ami-0b72821e2f351e396 (amzn2-ami-kernel-5.10-hvm-2.0.20240709.1-x86_64-gp2)

Steps

  1. Install codedeploy-agent successfully with Instance Profile; the Agent runs successfully and Deployment succeeds
  2. Stop the agent
  3. Switch user (sudo su -) and set an IAM credential with aws configure (with dummy access info, for AccessDenied)
  4. Start the agent

Result

Amazon Linux 2
Agent running successfully with Instance Profile without any Exceptions

2024-07-22T11:22:41 INFO  [codedeploy-agent(3277)]: master 3277: Spawned child 1/1
2024-07-22T11:22:41 DEBUG [codedeploy-agent(3281)]: Registering Plugins: ["codedeploy"].
2024-07-22T11:22:41 DEBUG [codedeploy-agent(3281)]: Loading plugin codedeploy from /opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/register_plugin
2024-07-22T11:22:42 DEBUG [codedeploy-agent(3281)]: Registered Plugins: #<Set: {InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller}>.
2024-07-22T11:22:42 INFO  [codedeploy-agent(3281)]: On Premises config file does not exist or not readable
2024-07-22T11:22:42 DEBUG [codedeploy-agent(3281)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Configuring deploy control client: Region="us-east-1"
2024-07-22T11:22:42 DEBUG [codedeploy-agent(3281)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Deploy control endpoint override=
2024-07-22T11:22:42 DEBUG [codedeploy-agent(3281)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Enable auth policy = false
2024-07-22T11:22:42 INFO  [codedeploy-agent(3281)]: Creating client url from IMDS region and domain
2024-07-22T11:22:42 INFO  [codedeploy-agent(3281)]: CodeDeploy endpoint: https://codedeploy-commands.us-east-1.amazonaws.com
2024-07-22T11:22:42 INFO  [codedeploy-agent(3281)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandExecutor: Archives to retain is: 5}
2024-07-22T11:22:42 DEBUG [codedeploy-agent(3281)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Initializing Host Agent: Host Identifier = arn:aws:ec2:us-east-1:482009018293:instance/i-04b2a2497a9fe5409
2024-07-22T11:22:42 DEBUG [codedeploy-agent(3281)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Validating CodeDeploy Plugin Configuration
2024-07-22T11:22:42 INFO  [codedeploy-agent(3281)]: Creating client url from IMDS region and domain
2024-07-22T11:22:42 INFO  [codedeploy-agent(3281)]: CodeDeploy endpoint: https://codedeploy-commands.us-east-1.amazonaws.com
2024-07-22T11:22:42 INFO  [codedeploy-agent(3281)]: Creating client url from IMDS region and domain
2024-07-22T11:22:42 INFO  [codedeploy-agent(3281)]: CodeDeploy endpoint: https://codedeploy-commands.us-east-1.amazonaws.com
2024-07-22T11:22:42 DEBUG [codedeploy-agent(3281)]: Current deploy control endpoint: https://codedeploy-commands.us-east-1.amazonaws.com
2024-07-22T11:22:42 DEBUG [codedeploy-agent(3281)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: CodeDeploy Plugin Configuration is valid
2024-07-22T11:22:42 DEBUG [codedeploy-agent(3281)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Calling PollHostCommand:
2024-07-22T11:22:42 INFO  [codedeploy-agent(3281)]: Version file found in /opt/codedeploy-agent/.version with agent version OFFICIAL_1.7.0-92_rpm.
2024-07-22T11:22:42 INFO  [codedeploy-agent(3277)]: Started master 3277 with 1 children
2024-07-22T11:23:28 DEBUG [codedeploy-agent(3281)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: PollHostCommand: Host Command =  nil
2024-07-22T11:23:29 DEBUG [codedeploy-agent(3281)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Calling PollHostCommand:
2024-07-22T11:23:29 INFO  [codedeploy-agent(3281)]: Version file found in /opt/codedeploy-agent/.version with agent version OFFICIAL_1.7.0-92_rpm.

Amazon Linux 2023
Agent has AccessDenied

2024-07-22T10:52:57 INFO  [codedeploy-agent(26949)]: master 26949: Spawned child 1/1
2024-07-22T10:52:57 DEBUG [codedeploy-agent(26951)]: Registering Plugins: ["codedeploy"].
2024-07-22T10:52:57 DEBUG [codedeploy-agent(26951)]: Loading plugin codedeploy from /opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/register_plugin
2024-07-22T10:52:58 DEBUG [codedeploy-agent(26951)]: Registered Plugins: #<Set: {InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller}>.
2024-07-22T10:52:58 INFO  [codedeploy-agent(26951)]: On Premises config file does not exist or not readable
2024-07-22T10:52:58 DEBUG [codedeploy-agent(26951)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Configuring deploy control client: Region="us-east-1"
2024-07-22T10:52:58 DEBUG [codedeploy-agent(26951)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Deploy control endpoint override=
2024-07-22T10:52:58 DEBUG [codedeploy-agent(26951)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Enable auth policy = false
2024-07-22T10:52:58 INFO  [codedeploy-agent(26951)]: Creating client url from IMDS region and domain
2024-07-22T10:52:58 INFO  [codedeploy-agent(26951)]: CodeDeploy endpoint: https://codedeploy-commands.us-east-1.amazonaws.com
2024-07-22T10:52:58 INFO  [codedeploy-agent(26951)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandExecutor: Archives to retain is: 5}
2024-07-22T10:52:58 DEBUG [codedeploy-agent(26951)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Initializing Host Agent: Host Identifier = arn:aws:ec2:us-east-1:482009018293:instance/i-03b839d4f08f2691a
2024-07-22T10:52:58 DEBUG [codedeploy-agent(26951)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Validating CodeDeploy Plugin Configuration
2024-07-22T10:52:58 INFO  [codedeploy-agent(26951)]: Creating client url from IMDS region and domain
2024-07-22T10:52:58 INFO  [codedeploy-agent(26951)]: CodeDeploy endpoint: https://codedeploy-commands.us-east-1.amazonaws.com
2024-07-22T10:52:58 INFO  [codedeploy-agent(26951)]: Creating client url from IMDS region and domain
2024-07-22T10:52:58 INFO  [codedeploy-agent(26951)]: CodeDeploy endpoint: https://codedeploy-commands.us-east-1.amazonaws.com
2024-07-22T10:52:58 DEBUG [codedeploy-agent(26951)]: Current deploy control endpoint: https://codedeploy-commands.us-east-1.amazonaws.com
2024-07-22T10:52:58 DEBUG [codedeploy-agent(26951)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: CodeDeploy Plugin Configuration is valid
2024-07-22T10:52:58 DEBUG [codedeploy-agent(26951)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Calling PollHostCommand:
2024-07-22T10:52:58 INFO  [codedeploy-agent(26951)]: Version file found in /opt/codedeploy-agent/.version with agent version OFFICIAL_1.7.0-92_rpm.
2024-07-22T10:52:58 ERROR [codedeploy-agent(26951)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Error polling for host commands: Aws::CodeDeployCommand::Errors::AccessDeniedException - Aws::CodeDeployCommand::Errors::AccessDeniedException - /opt/codedeploy-agent/vendor/gems/aws-sdk-core-3.121.1/lib/seahorse/client/plugins/raise_response_errors.rb:17:in `call'

Expectation

The way the agent accesses the credentials should be the same, regardless of the difference in the Linux version.
According to the document, ~/.aws/credentials has a higher priority than the instance profile. Then, the AccessDenied that occurs in AL2023 is normal behavior, and the fact that no error occurs in AL2 is a malfunction that does not recognize the credentials file in AL2.

Additional findings

  • AL2023 : ruby v3 -> sdk v3 gem 'aws-sdk', '~> 3' (document)
  • Amazon Linux 2 : ruby v2 -> sdk v2 gem 'aws-sdk', '~> 2' (document)
  • CodeDeploy Agent OFFICIAL_1.7.0-92_rpm : spec.required_ruby_version = '>= 2.7.0', spec.add_dependency('aws-sdk-core', '~> 3') (document)

Reference

https://docs.aws.amazon.com/sdk-for-ruby/v3/api/
https://docs.aws.amazon.com/sdk-for-ruby/v2/api/
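
A check that can be run on either AMI to see whether static credentials would be resolved ahead of the instance profile for the account the agent runs under. This is an added example, not part of the original issue or of the CodeDeploy agent; it is a simplified model covering only environment variables and the shared credentials file, the function names are hypothetical, and the sample credentials file is constructed.

```ruby
require 'tmpdir'
require 'fileutils'

# Added example: a simplified model, not the SDK's own resolver. It covers only
# the two static sources checked here that precede the EC2 instance profile.
STATIC_ENV_KEYS = %w[AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY].freeze

# Return the profile names in an INI-style credentials file that define an
# access key id. A missing or unreadable file yields an empty list.
def profiles_with_keys(path)
  return [] unless File.readable?(path)
  current = nil
  found = []
  File.foreach(path) do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#', ';')
    if (m = line.match(/\A\[(.+)\]\z/))
      current = m[1].strip
    elsif current && line =~ /\Aaws_access_key_id\s*=\s*\S+/
      found << current
    end
  end
  found.uniq
end

# Report which source would shadow the instance profile for a process started
# with environment `env` and home directory `home` (both supplied by the caller,
# e.g. taken from the running agent process rather than the login shell).
def shadowing_source(env, home)
  return :environment if STATIC_ENV_KEYS.all? { |k| !env[k].to_s.empty? }
  file = env['AWS_SHARED_CREDENTIALS_FILE'] || File.join(home, '.aws', 'credentials')
  profile = env['AWS_PROFILE'] || 'default'
  return :shared_credentials_file if profiles_with_keys(file).include?(profile)
  :instance_profile
end

# Constructed sample: a home directory holding dummy keys, as in step 3 above,
# compared with a home directory that has no credentials file.
def demo
  Dir.mktmpdir do |home|
    FileUtils.mkdir_p(File.join(home, '.aws'))
    File.write(File.join(home, '.aws', 'credentials'),
               "[default]\naws_access_key_id = AKIAEXAMPLEDUMMY\naws_secret_access_key = dummy\n")
    [shadowing_source({}, home), shadowing_source({}, '/nonexistent-home')]
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

Passing the agent process's actual environment and home directory, rather than those of the interactive root shell, shows what the agent itself would see on each AMI.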
