.NET / dotnet script (CSX) execution in AWS CodeBuild not resolving IAM Role for SDK

[skirk-mpr]

I've submitted an AWS Support ticket to the CodeBuild service but thinking this is more likely a .NET SDK Team question potentially.

We have a AWS CodeBuild Project configured with an IAM Role with the required permissions to interact with some AWS services, in this case a DynamoDB table. We are executing a dotnet-script (CSX) file which utilizes the AWS SDKs including the DynamoDB SDK to perform a PutObject operation against a DynamoDB Table.

Typically for apps and services deployed to other AWS compute services like AWS ECS/Fargate or AWS Lambda, our applications are able to just simply instantiate the SDK client(s) for the service(s) and it would follow the standard AWS credential resolution chain and we do not need to provide any explicit hint as to what credentials to be used - and ultimately the associated IAM Service Role would be resolved and utilized for all service calls (for example, var _client = new AmazonDynamoDBClient(); in a AWS Lambda Function handler, would simply utilize the configured IAM Lambda Execution Role for the use of this client).

However, that does not seem to be the case here with executing our dotnet-script/CSX file in our AWS CodeBuild Project; as we are getting a Amazon.Runtime.AmazonServiceException: Unable to find credentials (see full stack trace below with the 4 attempts/places it attempted to resolve access credentials from).

As a sanity check, we also ran a generic aws s3 ls [OurBucketName] command in the CodeBuild buildspec and its successfully listing the objects using the IAM Role configured for this same CodeBuild Project.

We tried to explicitly instantiate the DynamoDB client with the following:

var credentials = new Amazon.Runtime.InstanceProfileAWSCredentials();
_client = new AmazonDynamoDBClient(credentials, new AmazonDynamoDBConfig
{
        RegionEndpoint = RegionEndpoint.USEast1           
});

However, this throws:

Amazon.Runtime.AmazonServiceException: Unable to reach credentials server
   at Amazon.Runtime.InstanceProfileAWSCredentials.GetContents(Uri uri)
   at Amazon.Runtime.InstanceProfileAWSCredentials.<GetAvailableRoles>d__0.MoveNext()
   at Amazon.Runtime.InstanceProfileAWSCredentials.GetFirstRole()
   at Amazon.Runtime.InstanceProfileAWSCredentials..ctor()
   at Submission#0.DynamoDBHelper..ctor() in /tmp/codebuild/output/src767/src/s3/01/LoadStepFunctionPayloads.csx:line 39

I am able to execute the CSX file from local (with AWS credentials configured locally in the credentials files) and the script successfully resolves them.

Lastly, we have previously been able to run full .NET application/executables that leverage the AWS SDKs within CodeBuild Project and it seemed to resolve and utilize the associate IAM Service Role for the CodeBuild Project just fine.

Any guidance or pointers with working here would be appreciated!

Amazon.Runtime.AmazonServiceException: Unable to find credentials

Exception 1 of 4:
System.ArgumentException: App.config does not contain credentials information. Either add the AWSAccessKey and AWSSecretKey or AWSProfileName.
   at Amazon.Runtime.StoredProfileAWSCredentials..ctor(String profileName, String profilesLocation)
   at Amazon.Runtime.StoredProfileAWSCredentials..ctor(String profileName)
   at Amazon.Runtime.StoredProfileAWSCredentials..ctor()
   at Amazon.Runtime.EnvironmentAWSCredentials..ctor()
   at Amazon.Runtime.FallbackCredentialsFactory.<Reset>b__1()
   at Amazon.Runtime.FallbackCredentialsFactory.GetCredentials(Boolean fallbackToAnonymous)

Exception 2 of 4:
System.ArgumentException: App.config does not contain credentials information. Either add the AWSAccessKey and AWSSecretKey or AWSProfileName.
   at Amazon.Runtime.StoredProfileAWSCredentials..ctor(String profileName, String profilesLocation)
   at Amazon.Runtime.StoredProfileAWSCredentials..ctor(String profileName)
   at Amazon.Runtime.StoredProfileAWSCredentials..ctor()
   at Amazon.Runtime.FallbackCredentialsFactory.<Reset>b__2()
   at Amazon.Runtime.FallbackCredentialsFactory.GetCredentials(Boolean fallbackToAnonymous)

Exception 3 of 4:
System.InvalidOperationException: The environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY were not set with AWS credentials.
   at Amazon.Runtime.EnvironmentVariablesAWSCredentials..ctor()
   at Amazon.Runtime.FallbackCredentialsFactory.<Reset>b__3()
   at Amazon.Runtime.FallbackCredentialsFactory.GetCredentials(Boolean fallbackToAnonymous)

Exception 4 of 4:
Amazon.Runtime.AmazonServiceException: Unable to reach credentials server
   at Amazon.Runtime.InstanceProfileAWSCredentials.GetContents(Uri uri)
   at Amazon.Runtime.InstanceProfileAWSCredentials.<GetAvailableRoles>d__0.MoveNext()
   at Amazon.Runtime.InstanceProfileAWSCredentials.GetFirstRole()
   at Amazon.Runtime.InstanceProfileAWSCredentials..ctor()
   at Amazon.Runtime.FallbackCredentialsFactory.<Reset>b__4()
   at Amazon.Runtime.FallbackCredentialsFactory.GetCredentials(Boolean fallbackToAnonymous)


   at Amazon.Runtime.FallbackCredentialsFactory.GetCredentials(Boolean fallbackToAnonymous)
   at Amazon.Runtime.FallbackCredentialsFactory.GetCredentials()
   at Amazon.DynamoDBv2.AmazonDynamoDBClient..ctor(AmazonDynamoDBConfig config)
   at Submission#0.DynamoDBHelper..ctor() in /tmp/codebuild/output/src374/src/s3/01/LoadStepFunctionPayloads.csx:line 31
   at Submission#0.<<Initialize>>d__0.MoveNext() in /tmp/codebuild/output/src374/src/s3/01/LoadStepFunctionPayloads.csx:line 81
--- End of stack trace from previous location ---
   at Dotnet.Script.Core.ScriptRunner.Execute[TReturn](String dllPath, IEnu

[dscpinheiro]

Do you see the error even when not using the InstanceProfileAWSCredentials? (That credential provider tries to fetch credentials from the IMDS server, which I don't believe will work when running on a CodeBuild instance)

If you don't specify credentials when creating the client (e.g. new AmazonDynamoDBClient(RegionEndpoint.USEast1)) the SDK should pick up the IAM role associated with your CodeBuild project (just as it does on Lambda / ECS - and the same behavior as the CLI).

[skirk-mpr]

Yeah, that was my exact expecation as well. When I perform the client intialization with just the region parameter, I get exception with the 4 attempts to resolve the credentials via the credentials resolution change.

[dscpinheiro]

I have never used dotnet script but does it create an isolated environment inside the CodeBuild job? That's the one thing I can think of (since the environment wouldn't have access to the CodeBuild environment the SDK is trying to fetch credentials from).

[skirk-mpr]

So I can run the same exact dotnet script/csx file from my local machine, with just my .aws/credential file populated with fresh credentials and they get picked up as expected. My expectation is that their would be parity when running it in CodeBuild. Ill take a closer look if theres any difference between the version of dotnet script I have installed locally and the latest version getting installed at runtime in CodeBuild. I do appreciate your time thinking through this with me!

[skirk-mpr]

Confirmed that the version (1.6.0) of dotnet script I have installed locally, is the same that is installed in CodeBuild where this is not working

From CodeBuild execution logs:
Tool 'dotnet-script' (version '1.6.0') was restored. Available commands: dotnet-script

From local:

$ dotnet script --version
1.6.0

The CSX script file being executed - which I've confirmed executes successfully

#r "nuget: AWSSDK.Core"
#r "nuget: AWSSDK.DynamoDBv2"
#r "nuget: AWSSDK.SecurityToken"
#r "nuget: System.Configuration.ConfigurationManager"

using Amazon;
using Amazon.DynamoDBv2;
using Amazon.DynamoDBv2.DocumentModel;

using System;
using System.IO;
using System.Text.Json;
using System.Threading.Tasks;

public class DynamoDBHelper
{
    private readonly AmazonDynamoDBClient _client;
    private readonly RegionEndpoint _region = RegionEndpoint.USEast1;
    private readonly string _tableName;

    public DynamoDBHelper(string environment)
    {
        _tableName = $"xxx-xxxx-{environment}-xxxx-xxxxx";
        _client = new AmazonDynamoDBClient(_region);
    }

    public async Task PutItemsAsync(string indexFilePath)
    {
        var index = JsonSerializer.Deserialize<List<string>>(File.ReadAllText(indexFilePath));
        Console.WriteLine($"Loading payloads to table: [{_tableName}]");
        foreach (var file in index)
        {
            try
            {
                var document = Document.FromJson(File.ReadAllText(file));
                var table = Table.LoadTable(_client, _tableName);
                await table.PutItemAsync(document);
                Console.WriteLine($"\t - Successfully loaded payload file: [{file}]");
            }
            catch (Exception ex)
            {
                Console.Error.WriteLine($"Error: {ex.Message}");
                Environment.Exit(1);
            }
        }
    }
}

var args = Args.ToArray();
if (args.Length < 2)
{
    Console.Error.WriteLine("Error: Missing arguments.");
    Console.Error.WriteLine("Usage: dotnet script LoadStepFunctionPayloads.csx <environment> <path/to/yourfile.json>");
    Environment.Exit(1);
    return;
}

var helper = new DynamoDBHelper(args[0]);
await helper.PutItemsAsync(args[1]);

CodeBuild buildspec file:

version: 0.2
phases:
  install:
    on-failure: ABORT
    runtime-versions:
      dotnet: 8.0
    commands:
      - dotnet tool restore
      - export PATH="$PATH:/root/.dotnet/tools"
  build:
    on-failure: ABORT
    commands:
      - ls -R
      - aws s3 ls $PIPELINE_ARTIFACT_BUCKET      
      - dotnet script LoadStepFunctionPayloads.csx $ENVIRONMENT workflow_payload_index.json

CodeBuild logs when attempting to run script:

[Container] 2025/03/29 13:56:19.978623 Running command dotnet script LoadStepFunctionPayloads.csx $ENVIRONMENT workflow_payload_index.json
warn: Dotnet.Script.Core.Commands.ExecuteScriptCommand[0]
      The script /tmp/codebuild/output/src3788/src/s3/01/LoadStepFunctionPayloads.csx is not cacheable. For caching and optimal performance, ensure that the script only contains NuGet references with pinned/exact versions.
warn: Dotnet.Script.DependencyModel.Context.CachedRestorer[0]
      Unable to cache /tmp/.cache/dotnet-script/tmp/codebuild/output/src3788/src/s3/01/net8.0/script.csproj. For caching and optimal performance, ensure that the script(s) references Nuget packages with a pinned version.
Amazon.Runtime.AmazonServiceException: Unable to find credentials

Exception 1 of 4:
System.ArgumentException: App.config does not contain credentials information. Either add the AWSAccessKey and AWSSecretKey or AWSProfileName.
   at Amazon.Runtime.StoredProfileAWSCredentials..ctor(String profileName, String profilesLocation)
   at Amazon.Runtime.StoredProfileAWSCredentials..ctor(String profileName)
   at Amazon.Runtime.StoredProfileAWSCredentials..ctor()
   at Amazon.Runtime.EnvironmentAWSCredentials..ctor()
   at Amazon.Runtime.FallbackCredentialsFactory.<Reset>b__1()
   at Amazon.Runtime.FallbackCredentialsFactory.GetCredentials(Boolean fallbackToAnonymous)

Exception 2 of 4:
System.ArgumentException: App.config does not contain credentials information. Either add the AWSAccessKey and AWSSecretKey or AWSProfileName.
   at Amazon.Runtime.StoredProfileAWSCredentials..ctor(String profileName, String profilesLocation)
   at Amazon.Runtime.StoredProfileAWSCredentials..ctor(String profileName)
   at Amazon.Runtime.StoredProfileAWSCredentials..ctor()
   at Amazon.Runtime.FallbackCredentialsFactory.<Reset>b__2()
   at Amazon.Runtime.FallbackCredentialsFactory.GetCredentials(Boolean fallbackToAnonymous)

Exception 3 of 4:
System.InvalidOperationException: The environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY were not set with AWS credentials.
   at Amazon.Runtime.EnvironmentVariablesAWSCredentials..ctor()
   at Amazon.Runtime.FallbackCredentialsFactory.<Reset>b__3()
   at Amazon.Runtime.FallbackCredentialsFactory.GetCredentials(Boolean fallbackToAnonymous)

Exception 4 of 4:
Amazon.Runtime.AmazonServiceException: Unable to reach credentials server
   at Amazon.Runtime.InstanceProfileAWSCredentials.GetContents(Uri uri)
   at Amazon.Runtime.InstanceProfileAWSCredentials.<GetAvailableRoles>d__0.MoveNext()
   at Amazon.Runtime.InstanceProfileAWSCredentials.GetFirstRole()
   at Amazon.Runtime.InstanceProfileAWSCredentials..ctor()
   at Amazon.Runtime.FallbackCredentialsFactory.<Reset>b__4()
   at Amazon.Runtime.FallbackCredentialsFactory.GetCredentials(Boolean fallbackToAnonymous)


   at Amazon.Runtime.FallbackCredentialsFactory.GetCredentials(Boolean fallbackToAnonymous)
   at Amazon.Runtime.FallbackCredentialsFactory.GetCredentials()
   at Amazon.DynamoDBv2.AmazonDynamoDBClient..ctor(RegionEndpoint region)
   at Submission#0.DynamoDBHelper..ctor(String environment) in /tmp/codebuild/output/src3788/src/s3/01/LoadStepFunctionPayloads.csx:line 24
   at Submission#0.<<Initialize>>d__0.MoveNext() in /tmp/codebuild/output/src3788/src/s3/01/LoadStepFunctionPayloads.csx:line 58
--- End of stack trace from previous location ---
   at Dotnet.Script.Core.ScriptRunner.Execute[TReturn](String dllPath, IEnumerable`1 commandLineArgs) in C:\Users\runneradmin\AppData\Local\Temp\tmpy4dcdn\Dotnet.Script.Core\ScriptRunner.cs:line 110

[Container] 2025/03/29 13:56:28.006579 Command failed with exit status 1

So reconfirmed the CSX file runs successfully with just my .aws/credential populated from local.

Interestingly if I comment out these two imports:

#r "nuget: AWSSDK.SecurityToken"
#r "nuget: System.Configuration.ConfigurationManager"

(which were added when attempting to debug this issue with an LLM) and I try and run locally, I get a similar error as in CodeBuild:

Amazon.Runtime.AmazonServiceException: Unable to find credentials

Exception 1 of 4:
System.IO.FileNotFoundException: Could not load file or assembly 'System.Configuration.ConfigurationManager, Version=0.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51'. The system cannot find the file specified.
File name: 'System.Configuration.ConfigurationManager, Version=0.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51'
   at Amazon.Runtime.EnvironmentAWSCredentials..ctor()
   at Amazon.Runtime.FallbackCredentialsFactory.<Reset>b__1() in d:\Jenkins\jobs\v3-release-build\workspace\AWSDotNetPublic\sdk\src\Core\Amazon.Runtime\AWSCredentials.cs:line 1107 
   at Amazon.Runtime.FallbackCredentialsFactory.GetCredentials(Boolean fallbackToAnonymous) in d:\Jenkins\jobs\v3-release-build\workspace\AWSDotNetPublic\sdk\src\Core\Amazon.Runtime\AWSCredentials.cs:line 1132

Exception 2 of 4:
System.TypeInitializationException: The type initializer for 'Amazon.AWSConfigs' threw an exception.
 ---> System.IO.FileNotFoundException: Could not load file or assembly 'System.Configuration.ConfigurationManager, Version=0.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51'. The system cannot find the file specified.
File name: 'System.Configuration.ConfigurationManager, Version=0.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51'
   at Amazon.AWSConfigs.GetConfig(String name)
   at Amazon.AWSConfigs..cctor() in d:\Jenkins\jobs\v3-release-build\workspace\AWSDotNetPublic\sdk\src\Core\AWSConfigs.cs:line 76
   --- End of inner exception stack trace ---
   at Amazon.AWSConfigs.get_AWSProfileName() in d:\Jenkins\jobs\v3-release-build\workspace\AWSDotNetPublic\sdk\src\Core\AWSConfigs.cs:line 178
   at Amazon.Runtime.StoredProfileAWSCredentials..ctor() in d:\Jenkins\jobs\v3-release-build\workspace\AWSDotNetPublic\sdk\src\Core\Amazon.Runtime\AWSCredentials.cs:line 278       
   at Amazon.Runtime.FallbackCredentialsFactory.<Reset>b__2() in d:\Jenkins\jobs\v3-release-build\workspace\AWSDotNetPublic\sdk\src\Core\Amazon.Runtime\AWSCredentials.cs:line 1108 
   at Amazon.Runtime.FallbackCredentialsFactory.GetCredentials(Boolean fallbackToAnonymous) in d:\Jenkins\jobs\v3-release-build\workspace\AWSDotNetPublic\sdk\src\Core\Amazon.Runtime\AWSCredentials.cs:line 1132

Exception 3 of 4:
System.InvalidOperationException: The environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY were not set with AWS credentials.
   at Amazon.Runtime.EnvironmentVariablesAWSCredentials..ctor() in d:\Jenkins\jobs\v3-release-build\workspace\AWSDotNetPublic\sdk\src\Core\Amazon.Runtime\AWSCredentials.cs:line 559
   at Amazon.Runtime.FallbackCredentialsFactory.<Reset>b__3() in d:\Jenkins\jobs\v3-release-build\workspace\AWSDotNetPublic\sdk\src\Core\Amazon.Runtime\AWSCredentials.cs:line 1109 
   at Amazon.Runtime.FallbackCredentialsFactory.GetCredentials(Boolean fallbackToAnonymous) in d:\Jenkins\jobs\v3-release-build\workspace\AWSDotNetPublic\sdk\src\Core\Amazon.Runtime\AWSCredentials.cs:line 1132

Exception 4 of 4:
Amazon.Runtime.AmazonServiceException: Unable to reach credentials server
   at Amazon.Runtime.InstanceProfileAWSCredentials.GetContents(Uri uri) in d:\Jenkins\jobs\v3-release-build\workspace\AWSDotNetPublic\sdk\src\Core\Amazon.Runtime\AWSCredentials.cs:line 1025
   at Amazon.Runtime.InstanceProfileAWSCredentials.<GetAvailableRoles>d__0.MoveNext() in d:\Jenkins\jobs\v3-release-build\workspace\AWSDotNetPublic\sdk\src\Core\Amazon.Runtime\AWSCredentials.cs:line 904
   at Amazon.Runtime.InstanceProfileAWSCredentials.GetFirstRole() in d:\Jenkins\jobs\v3-release-build\workspace\AWSDotNetPublic\sdk\src\Core\Amazon.Runtime\AWSCredentials.cs:line 1032
   at Amazon.Runtime.InstanceProfileAWSCredentials..ctor() in d:\Jenkins\jobs\v3-release-build\workspace\AWSDotNetPublic\sdk\src\Core\Amazon.Runtime\AWSCredentials.cs:line 890     
   at Amazon.Runtime.FallbackCredentialsFactory.<Reset>b__4() in d:\Jenkins\jobs\v3-release-build\workspace\AWSDotNetPublic\sdk\src\Core\Amazon.Runtime\AWSCredentials.cs:line 1111 
   at Amazon.Runtime.FallbackCredentialsFactory.GetCredentials(Boolean fallbackToAnonymous) in d:\Jenkins\jobs\v3-release-build\workspace\AWSDotNetPublic\sdk\src\Core\Amazon.Runtime\AWSCredentials.cs:line 1132


   at Amazon.Runtime.FallbackCredentialsFactory.GetCredentials(Boolean fallbackToAnonymous) in d:\Jenkins\jobs\v3-release-build\workspace\AWSDotNetPublic\sdk\src\Core\Amazon.Runtime\AWSCredentials.cs:line 1163
   at Amazon.Runtime.FallbackCredentialsFactory.GetCredentials() in d:\Jenkins\jobs\v3-release-build\workspace\AWSDotNetPublic\sdk\src\Core\Amazon.Runtime\AWSCredentials.cs:line 1118
   at Amazon.DynamoDBv2.AmazonDynamoDBClient..ctor(RegionEndpoint region) in d:\Jenkins\jobs\v3-release-build\workspace\AWSDotNetPublic\sdk\src\Services\DynamoDBv2\Generated\_bcl45\AmazonDynamoDBClient.cs:line 222
   at Submission#0.DynamoDBHelper..ctor(String environment) in C:\_Repos\SPARS\SPARS.DataWarehouse.ETL\payloads\LoadStepFunctionPayloads.csx:line 24
   at Submission#0.<<Initialize>>d__0.MoveNext() in C:\_Repos\SPARS\SPARS.DataWarehouse.ETL\payloads\LoadStepFunctionPayloads.csx:line 58
--- End of stack trace from previous location ---
   at Dotnet.Script.Core.ScriptRunner.Execute[TReturn](String dllPath, IEnumerable`1 commandLineArgs) in C:\Users\runneradmin\AppData\Local\Temp\tmpy4dcdn\Dotnet.Script.Core\ScriptRunner.cs:line 110

Thanks again for your time and thoughts on this!

[skirk-mpr]

cross posted this on the dotnet-script repo to see if they can provide any sort of guidance: dotnet-script/dotnet-script#774

[normj]

In a CodeBuild environment the service does the work of resolving AWS credentials based on the IAM role assigned he role and then sets environment variables like AWS_ACCESS_KEY_ID that the SDK will pick up and use those credentials. This is similar to Lambda but different then EC2 where there is a metadata service that the InstanceProfileAWSCredentials is used to fetch credentials. So in CodeBuild InstanceProfileAWSCredentials is not what you should be using. The SDK's default search for credentials should resolve to using EnvironmentVariablesAWSCredentials to get the environment variable credentials.

I don't have any experience with csx scripting but what I would look into is something causing the environment variables to disappear/remove when calling into the scripting runtime.

[skirk-mpr]

Thanks so much (as always!) @normj for your insight!

I went in an added echo $AWS_ACCESS_KEY_ID to my buildspec file before calling the CSX file but nothing gets output. For some additional context, I'm using the Lambda compute option for CodeBuild - so I'm not sure if detail has any effect on this. Thanks again!

[skirk-mpr]

I created another CSX file (see snippet below) and ran it locally and in CodeBuild - in both cases I got (the expected) output. So it seems like when running the CSX file with dotnet script both locally (Windows) and in CodeBuild, the environmental variables for the environment are available to the script.

IDictionary environmentVariables = Environment.GetEnvironmentVariables();
var sortedKeys = new List<string>();
foreach (DictionaryEntry entry in environmentVariables)
{
    sortedKeys.Add((string)entry.Key);
}
sortedKeys.Sort();

foreach (string key in sortedKeys)
{
    string value = (string)environmentVariables[key];
    Console.WriteLine($"{key}={value}");
}

I also tried switching my CodeBuild configuration from:

Environment:
  Type: LINUX_LAMBDA_CONTAINER
  ComputeType: BUILD_LAMBDA_2GB
  Image: aws/codebuild/amazonlinux-x86_64-lambda-standard:dotnet8

to:

Environment:
    Type: LINUX_CONTAINER
    ComputeType: BUILD_GENERAL1_SMALL
    Image: aws/codebuild/amazonlinux-x86_64-standard:5.0

And I got the same result, however, it seemed to hang quite a bit longer before throwing the same exception:

[Container] 2025/04/01 21:47:50.702690 Running command dotnet script LoadStepFunctionPayloads.csx $ENVIRONMENT workflow_payload_index.json
warn: Dotnet.Script.Core.Commands.ExecuteScriptCommand[0]
      The script /codebuild/output/src4042684397/src/LoadStepFunctionPayloads.csx is not cacheable. For caching and optimal performance, ensure that the script only contains NuGet references with pinned/exact versions.
warn: Dotnet.Script.DependencyModel.Context.CachedRestorer[0]
      Unable to cache /root/.cache/dotnet-script/codebuild/output/src4042684397/src/net8.0/script.csproj. For caching and optimal performance, ensure that the script(s) references Nuget packages with a pinned version.
Amazon.Runtime.AmazonServiceException: Unable to find credentials

Exception 1 of 4:
System.ArgumentException: App.config does not contain credentials information. Either add the AWSAccessKey and AWSSecretKey or AWSProfileName.
   at Amazon.Runtime.StoredProfileAWSCredentials..ctor(String profileName, String profilesLocation)
   at Amazon.Runtime.StoredProfileAWSCredentials..ctor(String profileName)
   at Amazon.Runtime.StoredProfileAWSCredentials..ctor()
   at Amazon.Runtime.EnvironmentAWSCredentials..ctor()
   at Amazon.Runtime.FallbackCredentialsFactory.<Reset>b__1()
   at Amazon.Runtime.FallbackCredentialsFactory.GetCredentials(Boolean fallbackToAnonymous)

Exception 2 of 4:
System.ArgumentException: App.config does not contain credentials information. Either add the AWSAccessKey and AWSSecretKey or AWSProfileName.
   at Amazon.Runtime.StoredProfileAWSCredentials..ctor(String profileName, String profilesLocation)
   at Amazon.Runtime.StoredProfileAWSCredentials..ctor(String profileName)
   at Amazon.Runtime.StoredProfileAWSCredentials..ctor()
   at Amazon.Runtime.FallbackCredentialsFactory.<Reset>b__2()
   at Amazon.Runtime.FallbackCredentialsFactory.GetCredentials(Boolean fallbackToAnonymous)

Exception 3 of 4:
System.InvalidOperationException: The environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY were not set with AWS credentials.
   at Amazon.Runtime.EnvironmentVariablesAWSCredentials..ctor()
   at Amazon.Runtime.FallbackCredentialsFactory.<Reset>b__3()
   at Amazon.Runtime.FallbackCredentialsFactory.GetCredentials(Boolean fallbackToAnonymous)

Exception 4 of 4:
Amazon.Runtime.AmazonServiceException: Unable to reach credentials server
   at Amazon.Runtime.InstanceProfileAWSCredentials.GetContents(Uri uri)
   at Amazon.Runtime.InstanceProfileAWSCredentials.<GetAvailableRoles>d__0.MoveNext()
   at Amazon.Runtime.InstanceProfileAWSCredentials.GetFirstRole()
   at Amazon.Runtime.InstanceProfileAWSCredentials..ctor()
   at Amazon.Runtime.FallbackCredentialsFactory.<Reset>b__4()
   at Amazon.Runtime.FallbackCredentialsFactory.GetCredentials(Boolean fallbackToAnonymous)


   at Amazon.Runtime.FallbackCredentialsFactory.GetCredentials(Boolean fallbackToAnonymous)
   at Amazon.Runtime.FallbackCredentialsFactory.GetCredentials()
   at Amazon.DynamoDBv2.AmazonDynamoDBClient..ctor(RegionEndpoint region)
   at Submission#0.DynamoDBHelper..ctor(String environment) in /codebuild/output/src4042684397/src/LoadStepFunctionPayloads.csx:line 24
   at Submission#0.<<Initialize>>d__0.MoveNext() in /codebuild/output/src4042684397/src/LoadStepFunctionPayloads.csx:line 59
--- End of stack trace from previous location ---
   at Dotnet.Script.Core.ScriptRunner.Execute[TReturn](String dllPath, IEnumerable`1 commandLineArgs) in C:\Users\runneradmin\AppData\Local\Temp\tmpy4dcdn\Dotnet.Script.Core\ScriptRunner.cs:line 110

[Container] 2025/04/01 21:49:34.697853 Command did not exit successfully dotnet script LoadStepFunctionPayloads.csx $ENVIRONMENT workflow_payload_index.json exit status 1
[Container] 2025/04/01 21:49:34.704156 Phase complete: BUILD State: FAILED_WITH_ABORT
[Container] 2025/04/01 21:49:34.704173 Phase context status code: COMMAND_EXECUTION_ERROR Message: Error while executing command: dotnet script LoadStepFunctionPayloads.csx $ENVIRONMENT workflow_payload_index.json. Reason: exit status 1

[skirk-mpr]

AWS Support replied back with solution. So it looks like the environmental variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (and AWS_SESSION_TOKEN) are not prepopulated at runtime in CodeBuild with the credentials for the associated IAM Role. There is an additional explicit step need to retrieve those temporary credentials via a request to $AWS_CONTAINER_CREDENTIALS_FULL_URI and then setting them.

Happy to confirm that doing exactly this allows the CSX file to execute successfully picking up the credential material from the environmental variables

Thanks @normj, @dscpinheiro and @filipw for your time, attention and support!

version: 0.2
phases:
  install:
    runtime-versions:
      dotnet: 8.0
    commands:
      - curl -qL -o aws_credentials.json $AWS_CONTAINER_CREDENTIALS_FULL_URI > aws_credentials.json
      - export AWS_ACCESS_KEY_ID=$(cat aws_credentials.json | jq -r '.AccessKeyId')
      - export AWS_SECRET_ACCESS_KEY=$(cat aws_credentials.json | jq -r '.SecretAccessKey')
      - export AWS_SESSION_TOKEN=$(cat aws_credentials.json | jq -r '.Token')
      - dotnet script LoadStepFunctionPayloads.csx $ENVIRONMENT workflow_payload_index.json