Amazon Web Services - CodeBuild With VPC Settings Fails To Download CodeCommit Source - Server Fault

The document describes an issue where configuring a CodeBuild project with VPC settings causes it to fail to download source code from CodeCommit. Adding the VPC configuration removes the default network access settings. To resolve it, the CodeBuild container must be placed in a private subnet configured with a NAT gateway or public subnet to allow internet access, and security groups and network ACLs must permit the necessary outbound traffic. Testing network connectivity from an EC2 instance in the same subnet can help debug the issue. VPC endpoints can also provide access but may require additional configuration.

4/13/22, 4:11 PM amazon web services - CodeBuild with VPC settings fails to download CodeCommit source - Server Fault

CodeBuild with VPC settings fails to download CodeCommit source


Asked 3 years, 3 months ago. Modified 2 years ago. Viewed 8k times.

I originally had a simple CodePipeline setup triggered by commits to a CodeCommit repo, with a
"Stage" that output the source code as an artifact and another "Stage" using CodeBuild to run
some code from that source output. Now I want to access RDS in that CodeBuild "Stage", so I
added my RDS's VPC settings to my CodeBuild project.

The problem is that now CodeBuild can no longer access the CodeCommit source. I am receiving
the following error:

CLIENT_ERROR: RequestError: send request failed caused by: Get https://mypipeline-artifactstorebucket-twlrq7tj45fq.s3.amazonaws.com/MYPipeline-data-pipe/RepoSource/PKGw3xs: dial tcp 52.216.160.35:443: i/o timeout for primary source and source version arn:aws:s3:::mypipeline-artifactstorebucket-twlrq7tj45fq/MYPipeline-data-pipe/RepoSource/PKGw3xs

Does adding a VPC to a CodeBuild project also remove whatever the default settings are? (maybe
it was originally using the default VPC?)

How can I allow CodeBuild to access both RDS and CodeCommit?

amazon-web-services amazon-vpc aws-codecommit

asked Jan 10, 2019 at 18:30 by twiz, edited Jan 10, 2019 at 18:54

From what I see now, AWS forces you to run CodeBuild on a private subnet with a default route to NAT
Gateway.
– jweyrich
Jul 22, 2019 at 14:16

@jweyrich Yep, that's what I found too. I mentioned in a comment on MLu's answer, there is a great AWS
training video that explains setting up subnet + NAT Gateway. If you're not already an expert on those
topics, I highly recommend it: aws.training/learningobject/video?id=16490
–  twiz
Jul 23, 2019 at 11:06

Yep, but you only need a private subnet+natgw if you configure it to use a VPC. You're not required to use a
VPC unless the build needs access to a resource in that VPC.
– jweyrich
Jul 25, 2019 at 3:18

Alternatively, you can now use a VPC endpoint to publish the S3 route to the private subnets. It currently
costs 1/4 of what a NAT gateway costs.
– jweyrich
Aug 21, 2019 at 3:38

https://serverfault.com/questions/948488/codebuild-with-vpc-settings-fails-to-download-codecommit-source

3 Answers

What a VPC-based CodeBuild can access depends on the subnet configuration that you're using
for the CodeBuild container.

If you're placing it in a Private subnet make sure that the subnet is configured for internet access
through NAT Gateway.

If you're running it in a Public subnet make sure that it is configured to assign Public IP by
default.

Refer to this answer for more info: Public and private subnet in VPC

And also make sure that there are no other restrictions in place, e.g. the Security Group permits
outbound access to the internet, there are no NACLs in place, etc.

Simple test: spin up a tiny EC2 instance in the same subnet where you're running your
CodeBuild containers and test from there if it can reach the codebuild endpoint (e.g. curl
https://mypipeline-artifactstorebucket.../PKGw3xs ).

In other words: Yes, CodeBuild can be run in a VPC and still have access to CodeCommit but your
subnet network config must be correct.

Hope that helps :)

answered Jan 10, 2019 at 22:30 by MLu

Thanks! I think this pointed me in the right direction, but now I am wondering if this can also be
accomplished using a "VPC Endpoint" for S3: docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html
I'm experimenting with it, but haven't yet had success. Do you have any insight about using
endpoints to accomplish this?
–  twiz
Jan 11, 2019 at 16:55

So I did eventually get this working. This answer was really helpful, but has a couple of issues. Apparently AWS
prevents CodeBuild from working on public subnets, so you need to use a private one. Testing on EC2 is a
good suggestion, but it is a bit complicated since it needs to be on a private subnet. Also, I think maybe my
question doesn't have a definite answer beyond "set up your VPC correctly". If anyone is confused about
VPCs like I was, I highly recommend watching the AWS training video "Subnets, Gateways, and Route Tables
Explained" at aws.training
–  twiz
Apr 8, 2019 at 12:47

I had this same problem, trying to have CodeBuild retrieve code from CodeDeploy so it could
deploy code to RDS in a VPC. When CodeBuild was outside the VPC it could connect to
CodeCommit fine, but once I put CodeDeploy into VPC the error message was


CLIENT_ERROR: Get https://git-codecommit.ap-southeast-2.amazonaws.com/v1/repos/repo-name/info/refs?service=name: dial tcp 1.2.3.4:443: i/o timeout for primary source and source version refs/heads/master

I couldn't find any documentation about this at all, so I resorted to trial and error based on what
is written above. I went through quite a few combinations of things to work out what worked and
what didn't. Here's what I found:

- CodeBuild needs to be associated with a VPC. I imagine that CodeBuild allocates an ENI
  (private IP address, effectively) in the VPC.
- CodeBuild needs to be associated with a security group that allows egress to the VPC CIDR
  range. It doesn't seem to need ingress rules, which makes sense, as nothing is calling into
  CodeCommit.
- You need a git-codecommit interface endpoint ( com.amazonaws.ap-southeast-2.git-codecommit ).
- The git-codecommit endpoint needs to be associated with a security group that allows
  ingress from CodeBuild. The easiest way to do this is probably just to allow ingress from the
  VPC range, but you can probably just reference the security group that CodeBuild uses for
  ingress.
- It makes no difference whether an internet gateway / route to the internet is present. I was
  initially doing this in a private subnet with no internet access, but then added an internet
  gateway, associated it with the VPC, then routed the subnets to the internet gateway
  (0.0.0.0/0).

Hopefully this helps someone else connect CodeBuild or CodePipeline to a VPC to deploy to EC2,
RDS, ECS, or other services.

answered Apr 2, 2020 at 7:30 by Tim

Thank you very much. That was super helpful. Any idea why I can't see any build logs when I have the build
project in a VPC?
– DrkStr
Nov 11, 2020 at 8:18

Note: you will need to create another endpoint with com.amazonaws.<region>.logs if you want to see your
build logs
– DrkStr
Nov 11, 2020 at 8:42
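As an added example (not code from this thread), the findings of MLu's answer (private subnet with NAT, security group egress), Tim's answer (interface endpoint for git-codecommit when there is no NAT) and DrkStr's comment (a logs endpoint for build logs) turned into a check over the dicts that boto3's describe_route_tables, describe_security_groups and describe_vpc_endpoints return. The route table, security group and endpoint objects below are constructed samples, and the region is an assumed value.

```python
# Added example, not from the thread: classify the subnet a CodeBuild project
# uses and list what still blocks it from reaching CodeCommit, S3 and Logs.
def subnet_kind(route_table):
    """'public' (default route to an IGW), 'private-nat' or 'isolated'."""
    for r in route_table.get("Routes", []):
        if r.get("DestinationCidrBlock") != "0.0.0.0/0" or r.get("State") == "blackhole":
            continue
        if r.get("GatewayId", "").startswith("igw-"):
            return "public"
        if r.get("NatGatewayId"):
            return "private-nat"
    return "isolated"

def https_egress_cidrs(sg):
    """CIDR ranges the security group allows TCP/443 egress to."""
    cidrs = []
    for p in sg.get("IpPermissionsEgress", []):
        proto, lo, hi = p.get("IpProtocol"), p.get("FromPort", 0), p.get("ToPort", 65535)
        if proto == "-1" or (proto == "tcp" and lo <= 443 <= hi):
            cidrs += [r["CidrIp"] for r in p.get("IpRanges", [])]
    return cidrs

def check_codebuild_subnet(route_table, sg, endpoints, region):
    """Return the problems found (an empty list means the subnet should work)."""
    kind, cidrs = subnet_kind(route_table), https_egress_cidrs(sg)
    services = {e["ServiceName"] for e in endpoints}
    problems = []
    if kind == "public":  # CodeBuild ENIs never get a public IP, so an IGW route is useless
        problems.append("public subnet: CodeBuild needs a private subnet")
    elif kind == "private-nat" and "0.0.0.0/0" not in cidrs:
        problems.append("security group lacks egress to 0.0.0.0/0 on 443")
    elif kind == "isolated":  # no NAT: each AWS API the build touches needs an endpoint
        if not cidrs:
            problems.append("security group lacks egress on 443")
        for svc in ("git-codecommit", "s3", "logs"):
            if f"com.amazonaws.{region}.{svc}" not in services:
                problems.append(f"missing VPC endpoint for {svc}")
    return problems

# Constructed sample: an isolated subnet whose VPC has only a git-codecommit endpoint.
RT = {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]}
SG = {"IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                               "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}
EPS = [{"ServiceName": "com.amazonaws.ap-southeast-2.git-codecommit"}]

if __name__ == "__main__":
    print(check_codebuild_subnet(RT, SG, EPS, "ap-southeast-2"))
```

Feed it the real objects for the subnets and security group in the project's vpcConfig and the VPC's endpoints to get the same list for a live project.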

I had such an error when I configured

    Type: AWS::CodeBuild::Project
    Properties:
      Source:
        BuildSpec: buildspec-ProdCf.yml
    ....

but in fact the yml file was in a subdirectory.

answered Apr 8, 2019 at 11:19 by Putnik
