19

We have a docker container running on an ec2 host. Within that docker container we run some aws cli commands. We haven't defined any AWS credentials within the container. This implies that the container inherits Instance Profile of the host ec2.

Is my assumption true? If so, how exactly does the container inherit the instance profile credentials? Secondly (possibly related) what exactly does the aws cli do to obtain the instance profile credentials? Does it make a call to the metadata endpoint (169.254.169.254)? For example if the credentials are picked up from the environment variables, the credentials are hard coded and can be seen but where do the credentials for an instance profile actually reside?

n00b
  • 5,843
  • 11
  • 52
  • 82

1 Answers1

15

That's correct, the credentials are of the host machine. It gets them from the metadata endpoint, as you suspected.

One solution/workaround to give narrower access is ec2metadataproxy. I haven't used it yet.

The security group access is based on the host container too, unfortunately.

tedder42
  • 23,519
  • 13
  • 86
  • 102
  • Thanks tedder42. How exactly is the credential obtained? Is there a command I could run on the ec2 to obtain the access, secret + token from the metadata endpoint? – n00b Feb 19 '16 at 08:06
  • 1
    @n00b yes, you can `curl http://169.254.169.254/2014-11-05/meta-data/iam/security-credentials/`. You'll want to use an API/SDK to handle it normally, as they rotate every few hours. – tedder42 Feb 19 '16 at 16:31
  • Thanks tedder42. The command you gave me returned the instance profile name. I then had to add the instance profile name to the url you gave me. i.e. `curl http://169.254.169.254/2014-11-05/meta-data/iam/security-credentials/` – n00b Feb 20 '16 at 05:46
  • Thanks for this answer! Very helpful! I found this additional documentation: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#instance-metadata-security-credentials – aaronsteers Oct 28 '16 at 06:38