Service role not detected on Codebuild runner #1546

@JGoutin

Describe the feature

I use Self-hosted GitHub Actions runners in AWS CodeBuild to run GitHub actions inside my VPC, but the CodeBuild runner service role is not detected.

More globally, AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is not detected.

Current workaround:

jobs:
  build:
    runs-on:
      - codebuild-builder-${{ github.run_id }}-${{ github.run_attempt }}
    steps:

      # Read the service role's temporary credentials from the container credentials endpoint.
      - name: Get credentials from CodeBuild
        id: codebuild-creds
        run: |
          CREDS=$(curl -s "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
          # Mask each value before it is written to the step outputs.
          echo "::add-mask::$(echo "$CREDS" | jq -r '.AccessKeyId')"
          echo "::add-mask::$(echo "$CREDS" | jq -r '.SecretAccessKey')"
          echo "::add-mask::$(echo "$CREDS" | jq -r '.Token')"
          echo "access-key-id=$(echo "$CREDS" | jq -r '.AccessKeyId')" >> "$GITHUB_OUTPUT"
          echo "secret-access-key=$(echo "$CREDS" | jq -r '.SecretAccessKey')" >> "$GITHUB_OUTPUT"
          echo "session-token=$(echo "$CREDS" | jq -r '.Token')" >> "$GITHUB_OUTPUT"

      # Pass the fetched credentials explicitly and skip the OIDC flow.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v5
        with:
          aws-region: eu-west-3
          aws-access-key-id: ${{ steps.codebuild-creds.outputs.access-key-id }}
          aws-secret-access-key: ${{ steps.codebuild-creds.outputs.secret-access-key }}
          aws-session-token: ${{ steps.codebuild-creds.outputs.session-token }}
          force-skip-oidc: true

Use Case

Using "Self-hosted GitHub Actions runners in AWS CodeBuild" without extra steps. Since AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is also used in ECS, it may also work with ECS runners.

Proposed Solution

Detect the presence of AWS_CONTAINER_CREDENTIALS_RELATIVE_URI and use it if present. Eventually add an option to ignore it.

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change
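
The detection proposed above, as an added example that is not part of the original issue and is not code from configure-aws-credentials. The function names, the `ignore` opt-out and the sample path in the test are assumptions; the endpoint host and JSON field names are the ones used in the workaround.

```javascript
// Added example, not code from configure-aws-credentials.
// Link-local container credentials endpoint, as used in the workaround above.
const CONTAINER_CREDENTIALS_HOST = "http://169.254.170.2";

// Returns the credentials URL, or null when the variable is absent or ignored.
// `ignore` is a hypothetical opt-out standing in for the option the issue proposes.
function containerCredentialsUrl(env, { ignore = false } = {}) {
  const rel = env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI;
  if (ignore || !rel) return null;
  // Require an absolute path so the value can only select a path on the fixed host.
  if (!/^\/[\x21-\x7e]*$/.test(rel) || rel.startsWith("//")) {
    throw new Error("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI must be an absolute path");
  }
  const url = new URL(CONTAINER_CREDENTIALS_HOST + rel);
  if (url.origin !== CONTAINER_CREDENTIALS_HOST) throw new Error("unexpected credentials host");
  return url.href;
}

// Maps the endpoint's JSON body (AccessKeyId, SecretAccessKey, Token) to the
// action inputs used in the workaround; rejects incomplete responses.
function parseContainerCredentials(body) {
  const doc = JSON.parse(body);
  for (const key of ["AccessKeyId", "SecretAccessKey", "Token"]) {
    if (typeof doc[key] !== "string" || doc[key] === "") {
      throw new Error(`container credentials response is missing ${key}`);
    }
  }
  return {
    "aws-access-key-id": doc.AccessKeyId,
    "aws-secret-access-key": doc.SecretAccessKey,
    "aws-session-token": doc.Token,
  };
}

// Resolves credentials, or null so the caller can fall back to its other sources.
// `fetchImpl` is injectable so the logic can be exercised offline.
async function resolveContainerCredentials(env, options = {}, fetchImpl = fetch) {
  const url = containerCredentialsUrl(env, options);
  if (url === null) return null;
  const res = await fetchImpl(url);
  if (!res.ok) throw new Error(`credentials endpoint returned HTTP ${res.status}`);
  return parseContainerCredentials(await res.text());
}
```

A caller would still mask the three returned values before using them, as the workaround does with `::add-mask::`.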

Labels: feature-request (A feature should be added or improved.), needs-triage (This issue still needs to be triaged)