confused about: --container-env-var

[autohandle]

Question
when it says:
Environment variables to pass to the build container.

if i pass via sam build:
--container-env-var ReadByIdFunction.GITHUB_TOKEN=TOKEN1 --container-env-var GLOBAL_GITHUB_TOKEN=GLOBAL_TOKEN

in the Dockerfile, should i be able to:
FROM public.ecr.aws/lambda/python:3.7
COPY appRead.py requirements.txt ./
RUN printenv
RUN echo "GLOBAL_GITHUB_TOKEN:" ${GLOBAL_GITHUB_TOKEN}

and see the environment variable?

[RonitRudra]

Neither --container-env-var nor --container-env-var-file has worked when trying to pass in variables during build. I am trying to set up credentials inside the container to access various resources.

[autohandle]

hmmm — so, this should be a bug, instead of a question? if so, any idea how to change the label?

[RonitRudra]

This has to go into a Bug Report issue since it has a template you can fill out.

[qingchm]

@RonitRudra @autohandle Hi guys can you guys provide the full sam commands that you used, and maybe the part of your template that's key for the build?

[autohandle]

i'm using the pycharm awstoolkit, but here is a partial run where i copied the toolkit command over, added debug, and ran it:

(base) MacBookPro2018:read david$ /usr/local/homebrew/bin/sam build ReadByIdFunction --debug --template /Users/david/Documents/amazonws/lambda/python/CrudInImage/template.yaml --build-dir /Users/david/Documents/amazonws/lambda/python/CrudInImage/.aws-sam/build --use-container --container-env-var ReadByIdFunction.GITHUB_TOKEN=TOKEN1 --container-env-var GLOBAL_GITHUB_TOKEN=GLOBAL_TOKEN
2021-06-21 10:24:38,441 | Telemetry endpoint configured to be https://aws-serverless-tools-telemetry.us-west-2.amazonaws.com/metrics
2021-06-21 10:24:38,442 | Using config file: samconfig.toml, config environment: default
2021-06-21 10:24:38,442 | Expand command line arguments to:
2021-06-21 10:24:38,442 | --template_file=/Users/david/Documents/amazonws/lambda/python/CrudInImage/template.yaml --build_dir=/Users/david/Documents/amazonws/lambda/python/CrudInImage/.aws-sam/build --use_container --container_env_var=('ReadByIdFunction.GITHUB_TOKEN=TOKEN1', 'GLOBAL_GITHUB_TOKEN=GLOBAL_TOKEN') --resource_logical_id=ReadByIdFunction --cache_dir=.aws-sam/cache
2021-06-21 10:24:38,499 | 'build' command is called
2021-06-21 10:24:38,499 | Starting Build inside a container
2021-06-21 10:24:38,510 | No Parameters detected in the template
2021-06-21 10:24:38,534 | 5 stacks found in the template
2021-06-21 10:24:38,535 | No Parameters detected in the template
2021-06-21 10:24:38,571 | 5 resources found in the stack
2021-06-21 10:24:38,571 | No Parameters detected in the template
2021-06-21 10:24:38,593 | Found Serverless function with name='HelloWorldFunction' and ImageUri='None'
2021-06-21 10:24:38,593 | --base-dir is not presented, adjusting uri ./hello_world relative to /Users/david/Documents/amazonws/lambda/python/CrudInImage/template.yaml
2021-06-21 10:24:38,594 | --base-dir is not presented, adjusting uri . relative to /Users/david/Documents/amazonws/lambda/python/CrudInImage/template.yaml
2021-06-21 10:24:38,594 | Found Serverless function with name='ReadByIdFunction' and ImageUri='None'
2021-06-21 10:24:38,594 | --base-dir is not presented, adjusting uri ./read relative to /Users/david/Documents/amazonws/lambda/python/CrudInImage/template.yaml
2021-06-21 10:24:38,594 | --base-dir is not presented, adjusting uri . relative to /Users/david/Documents/amazonws/lambda/python/CrudInImage/template.yaml
2021-06-21 10:24:38,594 | No Parameters detected in the template
2021-06-21 10:24:38,614 | --base-dir is not presented, adjusting uri ../SharedMongo relative to /Users/david/Documents/amazonws/lambda/python/CrudInImage/template.yaml
2021-06-21 10:24:38,615 | --base-dir is not presented, adjusting uri ../SharedDocker relative to /Users/david/Documents/amazonws/lambda/python/CrudInImage/template.yaml
2021-06-21 10:24:38,616 | Instantiating build definitions
2021-06-21 10:24:38,619 | Unique function build definition found, adding as new (Function Build Definition: BuildDefinition(None, /Users/david/Documents/amazonws/lambda/python/CrudInImage, Image, , bbd037f4-665f-473a-8d54-159b33612c35, {'DockerTag': 'python3.7-v1', 'DockerContext': '/Users/david/Documents/amazonws/lambda/python/CrudInImage/read', 'Dockerfile': 'Dockerfile'}, {'GLOBAL_GITHUB_TOKEN': 'GLOBAL_TOKEN', 'GITHUB_TOKEN': 'TOKEN1'}, []), Function: Function(name='ReadByIdFunction', functionname='ReadByIdFunction', runtime=None, memory=None, timeout=20, handler=None, imageuri=None, packagetype='Image', imageconfig=None, codeuri='/Users/david/Documents/amazonws/lambda/python/CrudInImage', environment={'Variables': {'email': 'mongodb@autohandle.com', 'databaseAuthorization': 'myMongoDB', 'databaseUser': 'MonngodbUser', 'databasePassword': 'oydiXQ2mJslPummH', 'databaseName': 'myDB'}}, rolearn=None, layers=[], events={'ReadById': {'Type': 'Api', 'Properties': {'Path': '/read/{Id}', 'Method': 'get', 'RestApiId': 'ServerlessRestApi'}}}, metadata={'DockerTag': 'python3.7-v1', 'DockerContext': '/Users/david/Documents/amazonws/lambda/python/CrudInImage/read', 'Dockerfile': 'Dockerfile'}, inlinecode=None, codesign_config_arn=None, stack_path=''))
2021-06-21 10:24:38,619 | Building codeuri: /Users/david/Documents/amazonws/lambda/python/CrudInImage runtime: None metadata: {'DockerTag': 'python3.7-v1', 'DockerContext': '/Users/david/Documents/amazonws/lambda/python/CrudInImage/read', 'Dockerfile': 'Dockerfile'} functions: ['ReadByIdFunction']
2021-06-21 10:24:38,619 | Building to following folder /Users/david/Documents/amazonws/lambda/python/CrudInImage/.aws-sam/build/ReadByIdFunction
2021-06-21 10:24:38,619 | Building image for ReadByIdFunction function
2021-06-21 10:24:38,625 | Setting DockerBuildArgs: {} for ReadByIdFunction function
Step 1/22 : FROM public.ecr.aws/lambda/python:3.7
---> 23efe277ce24
Step 2/22 : COPY appRead.py requirements.txt ./
---> Using cache
---> 559b97196a8a
Step 3/22 : RUN uname -anm
---> Running in 8c1cb64d4289
Linux 8c1cb64d4289 4.19.121-linuxkit #1 SMP Tue Dec 1 17:50:32 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
---> 62beb2ab9582
Step 4/22 : RUN printenv
---> Running in 5ee02908eed3
HOSTNAME=5ee02908eed3
LAMBDA_TASK_ROOT=/var/task
LD_LIBRARY_PATH=/var/lang/lib:/lib64:/usr/lib64:/var/runtime:/var/runtime/lib:/var/task:/var/task/lib:/opt/lib
PATH=/var/lang/bin:/usr/local/bin:/usr/bin/:/bin:/opt/bin
PWD=/var/task
LAMBDA_RUNTIME_DIR=/var/runtime
LANG=en_US.UTF-8
TZ=:/etc/localtime
SHLVL=1
HOME=/root
_=/usr/bin/printenv
---> c8b8c72aeb73
Step 5/22 : RUN echo "GLOBAL_GITHUB_TOKEN:" ${GLOBAL_GITHUB_TOKEN}
---> Running in ce148e2aa212
GLOBAL_GITHUB_TOKEN:
---> 015169d25038
Step 6/22 : RUN pwd
---> Running in 515ec7291285
/var/task
---> b63a2b90182b
Step 7/22 : RUN ls -altr
---> Running in 6985dde8da54
total 16
drwxr-xr-x 1 root root 4096 May 18 18:04 ..
-rw-r--r-- 1 root root 3630 Jun 19 19:48 appRead.py
-rw-r--r-- 1 root root 964 Jun 20 00:26 requirements.txt
drwxr-xr-x 1 root root 4096 Jun 20 00:26 .
---> 254ef3ed09fd
Step 8/22 : RUN mkdir /tmp/build/
---> Running in b8cc317c8568
---> 4a00a3ed250e
Step 9/22 : COPY . /tmp/build
---> fb1871a6b785
Step 10/22 : RUN df -k
---> Running in ea6766596d00
Filesystem 1K-blocks Used Available Use% Mounted on
overlay 61255492 22106272 36007896 39% /
tmpfs 65536 0 65536 0% /dev
tmpfs 1018816 0 1018816 0% /sys/fs/cgroup
shm 65536 0 65536 0% /dev/shm
/dev/vda1 61255492 22106272 36007896 39% /etc/hosts
tmpfs 1018816 0 1018816 0% /proc/acpi
tmpfs 1018816 0 1018816 0% /sys/firmware
---> e7e1b2594ae2
Step 11/22 : RUN ls -al /

there is some Layer stuff mixed in, as well, & i'm having trouble with that too

[RonitRudra]

Here's a snippet (modified for brevity) from an application I was working on which essentially needs aws credentials inside the container to be able to login against CodeArtifact to pull private packages and get published layers:

template.yaml is as follows:

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
  Function:
    Type: AWS::Serverless::Function
    Properties:
      PackageType: Image
      MemorySize: 10240
      Timeout: 900
    Metadata:
      Dockerfile: Dockerfile
      DockerContext: .

Dockerfile is as follows:

FROM python:3.8-buster as build

ENV AWS_DEFAULT_REGION='us-east-2'
ENV AWS_ACCESS_KEY_ID=''
ENV AWS_SECRET_ACCESS_KEY=''

WORKDIR /work

RUN mkdir -p /opt /function

RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
RUN unzip awscliv2.zip
RUN ./aws/install
RUN rm -rf aws awscliv2.zip


RUN curl $(aws lambda get-layer-version-by-arn --arn "<layer_arn>" --query 'Content.Location' --output text) --output layer.zip
RUN unzip layer.zip -d /opt
RUN rm layer.zip


RUN aws codeartifact login  --domain <domain> --repository <repository> --tool pip

WORKDIR /function

COPY src ./


RUN python -m pip install -r requirements.txt --target .


FROM public.ecr.aws/lambda/python:3.8

WORKDIR /opt

COPY --from=build /opt .

WORKDIR ${LAMBDA_TASK_ROOT}

COPY --from=build /function .

CMD ["handlers.handle"]

Building application using SAM CLI:
sam build --use-container -e AWS_ACCESS_KEY_ID=$(aws configure get aws_access_key_id) -e AWS_SECRET_ACCESS_KEY=$(aws configure get aws_secret_access_key)

The unexpected behavior being the passed environment variables not overwriting the defaults set in the Dockerfile.

[RonitRudra]

here's the debug output from the application, sensitive values redacted:

1. 2021-06-22 15:46:08,460 | Telemetry endpoint configured to be https://aws-serverless-tools-telemetry.us-west-2.amazonaws.com/metrics
2. 2021-06-22 15:46:08,462 | Using config file: samconfig.toml, config environment: default
3. 2021-06-22 15:46:08,462 | Expand command line arguments to:
4. 2021-06-22 15:46:08,462 | --template_file=/mnt/c/u/okl-pim-etl/template.yaml --use_container --container_env_var_file=./env.json --build_dir=.aws-sam/build --cache_dir=.aws-sam/cache
5. 2021-06-22 15:46:08,521 | 'build' command is called
6. 2021-06-22 15:46:08,521 | Starting Build inside a container
7. 2021-06-22 15:46:08,531 | Collected default values for parameters: {'LogicalName': 'okl-pim-etl'}
8. 2021-06-22 15:46:08,555 | 3 stacks found in the template
9. 2021-06-22 15:46:08,556 | Collected default values for parameters: {'LogicalName': 'okl-pim-etl'}
10. 2021-06-22 15:46:08,575 | 3 resources found in the stack
11. 2021-06-22 15:46:08,576 | Collected default values for parameters: {'LogicalName': 'okl-pim-etl'}
12. 2021-06-22 15:46:08,602 | Found Serverless function with name='ActiveCatalog' and ImageUri='None'
13. 2021-06-22 15:46:08,602 | --base-dir is not presented, adjusting uri . relative to /mnt/c/u/okl-pim-etl/template.yaml
14. 2021-06-22 15:46:08,603 | --base-dir is not presented, adjusting uri . relative to /mnt/c/u/okl-pim-etl/template.yaml
15. 2021-06-22 15:46:08,603 | Collected default values for parameters: {'LogicalName': 'okl-pim-etl'}
16. 2021-06-22 15:46:08,625 | Instantiating build definitions
17. 2021-06-22 15:46:08,630 | Unique function build definition found, adding as new (Function Build Definition: BuildDefinition(python3.8, /mnt/c/u/okl-pim-etl, Image, , 0a7e90dc-191f-49cd-920a-ac92d9bc388c, {'Dockerfile': './docker/active_catalog/Dockerfile', 'DockerContext': '/mnt/c/u/okl-pim-etl'}, {'AWS_ACCOUNT_ID': '<>', 'AWS_REGION': 'us-east-2', 'AWS_ACCESS_KEY_ID': '<>', 'AWS_SECRET_ACCESS_KEY': '<>'}, []), Function: Function(name='ActiveCatalog', functionname='ActiveCatalog', runtime='python3.8', memory=10240, timeout=900, handler=None, imageuri=None, packagetype='Image', imageconfig=None, codeuri='/mnt/c/u/okl-pim-etl', environment={'Variables': {'SERVICE_LOGICAL_NAME': 'okl-pim-etl'}}, rolearn=None, layers=[], events=None, metadata={'Dockerfile': './docker/active_catalog/Dockerfile', 'DockerContext': '/mnt/c/u/okl-pim-etl'}, inlinecode=None, codesign_config_arn=None, stack_path=''))
18. 2021-06-22 15:46:08,632 | Building codeuri: /mnt/c/u/okl-pim-etl runtime: python3.8 metadata: {'Dockerfile': './docker/active_catalog/Dockerfile', 'DockerContext': '/mnt/c/u/okl-pim-etl'} functions: ['ActiveCatalog']
19. 2021-06-22 15:46:08,632 | Building to following folder /mnt/c/u/okl-pim-etl/.aws-sam/build/ActiveCatalog
20. 2021-06-22 15:46:08,633 | Building image for ActiveCatalog function
21. 2021-06-22 15:46:08,639 | Setting DockerBuildArgs: {} for ActiveCatalog function
22. Step 1/27 : FROM python:3.8-buster as build
23.  ---> e7d3be492e61
24. Step 2/27 : ENV AWS_ACCOUNT_ID=''
25.  ---> Using cache
26.  ---> 5c6d53487247
27. Step 3/27 : ENV AWS_REGION=''
28.  ---> Using cache
29.  ---> 53ff8af2b6bc
30. Step 4/27 : ENV AWS_ACCESS_KEY_ID=''
31.  ---> Using cache
32.  ---> ef583bac31a2
33. Step 5/27 : ENV AWS_SECRET_ACCESS_KEY=''
34.  ---> Using cache
35.  ---> f3a5b213bfa4
36. Step 6/27 : WORKDIR /work
37.  ---> Using cache
38.  ---> ba32118ae3cc
39. Step 7/27 : RUN mkdir -p /opt /function
40.  ---> Using cache
41.  ---> 5e68f6847e98
42. Step 8/27 : RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
43.  ---> Using cache
44.  ---> 9d0202ca3f97
45. Step 9/27 : RUN unzip -q awscliv2.zip
46.  ---> Running in cf4a37f3e46c
47.  ---> 5d130837e501
48. Step 10/27 : RUN ./aws/install
49.  ---> Running in c9d4686b92c8
50. You can now run: /usr/local/bin/aws --version
51.  ---> 23b9ec96db2a
52. Step 11/27 : RUN rm -rf aws awscliv2.zip
53.  ---> Running in 11808d247c50
54.  ---> d875d8753913
55. Step 12/27 : RUN curl $(aws lambda get-layer-version-by-arn --arn "arn:aws:lambda:${AWS_REGION}:${AWS_ACCOUNT_ID}:layer:layer-python-oracle-${AWS_REGION}-${AWS_ACCOUNT_ID}:3" --query 'Content.Location' --output text --region ${AWS_REGION}) --output layer.zip
56.  ---> Running in f9b13710774f
57. 
58. usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
59. To see help text, you can run:
60. 
61.   aws help
62.   aws <command> help
63.   aws <command> <subcommand> help
64. 
65. aws: error: argument --region: expected one argument
66. 
67. curl: no URL specified!
68. curl: try 'curl --help' or 'curl --manual' for more information
69. 
70. Build Failed
71. 2021-06-22 15:46:19,817 | Sending Telemetry: {'metrics': [{'commandRun': {'requestId': '10de7424-10fa-458e-acf4-67cce825eba3', 'installationId': 'c4e02413-250c-4fab-bd7e-462f9dce1a1d', 'sessionId': '8f40a06a-06e8-49d4-b9e5-37ba5ac15ce9', 'executionEnvironment': 'CLI', 'ci': False, 'pyversion': '3.7.10', 'samcliVersion': '1.24.1', 'awsProfileProvided': True, 'debugFlagProvided': True, 'region': 'us-east-2', 'commandName': 'sam build', 'duration': 11354, 'exitReason': 'DockerBuildFailed', 'exitCode': 1}}]}
72. 2021-06-22 15:46:20,463 | Telemetry response: 200
73. Error: ActiveCatalog failed to build: The command '/bin/sh -c curl $(aws lambda get-layer-version-by-arn --arn "arn:aws:lambda:${AWS_REGION}:${AWS_ACCOUNT_ID}:layer:layer-python-oracle-${AWS_REGION}-${AWS_ACCOUNT_ID}:3" --query 'Content.Location' --output text --region ${AWS_REGION}) --output layer.zip' returned a non-zero code: 2

As you can see, aws lambda get-layer-version-by-arn fails validation on the --region parameter being null even though you can see us-east-2 detected in the environment arguments on line 17.

[qingchm]

@autohandle Hey first off to answer your question, reading from the line Found Serverless function with name='HelloWorldFunction' and ImageUri='None', I think that you have defined a package type that is not "ZIP", so the CLI recognized your function to have package type "IMAGE" and was looking for an image URI, however container env vars are only supported in functions with package type "ZIP" so far. This should be the reason that you are encountering this behaviour, please make sure your package type is "ZIP" if you do not intend to provide an image URI for your function. Let me know if this doesn't answer your question!

[qingchm]

@RonitRudra to answer your question, you are using package type as "IMAGE" as well, so unfortunately this feature is only meant for ZIP package types so far. That is why you are experiencing this issue. If you consider using env vars for image type builds as a necessary CLI feature please open a feature request and we can have more detailed discussion on this. Sorry about the inconveniences.

[RonitRudra]

@qingchm thank you for the clarification. The documentation here was a bit misleading on what -e and -ef flags supported. I guess for now I'll resort to using regular docker build to pass in build-time environment variables as that method does work the exact same way apart from generating the exportable build template which will now have to be done manually.

I'll draft up a feature request soon.

[qingchm]

Thanks for understanding ;)

[autohandle]

@qingchm
is this true (unsupported in package type Image) for layers, as well (AWS::Serverless::LayerVersion)?

[qingchm]

@qingchm
is this true (unsupported in package type Image) for layers, as well (AWS::Serverless::LayerVersion)?

Hey @autohandle that is true, it's the same behaviour for functions and layers!

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[filipre]

Setting environment variables within the template.yml file seems to work for me

Environment:
  Variables:
    SOME_ENV: "test"

[wesleyjin]

The only way I was able to get this working was by placing the variable in the Function's Metadata.DockerBuildArgs:

    Metadata:
      Dockerfile: <PATH_TO_DOCKERFILE>
      DockerContext: <CONTEXT>
      DockerBuildArgs:
        GITHUB_TOKEN: <TOKEN_HERE>

tried using both secretsmanager and ssm with the {{resolve:}} dynamic fields, but those get evaluated as string literals when running sam build. This is not ideal for production since we have to embed the secret in the template.yml file.

Until this feature gets added, using an intermediate Docker container to build dependencies, and then copying the libs over to the runtime image.

[royassis]

Hey, does anybody knows how to use the --container-env-var in the rest of the code ? Where can I reference them ? from the docs it seems that it's a good way to pass a github token, still can't figure out how to use it.

[bbrummer]

Setting environment variables within the template.yml file seems to work for me

Environment:
  Variables:
    SOME_ENV: "test"

This should only apply to the running function in AWS, it doesn't get passed to the local build/package step of "sam build".

[tomblaze]

Added this comment in a few places, but I think this approach might address some use cases: #3571 (comment)