As far as I know, boto3 will try to load credentials from the instance metadata service. If I am running this code inside an EC2 instance I expected to have no problem. But when my code is dockerized, how will boto3 find the metadata service?
Crazy that I just googled this and a 2-hour-old question shows up 2nd. Anyway there's this: http://stackoverflow.com/questions/25911000/pass-aws-credentials-iam-role-credentials-to-code-running-in-docker-container – aehlke Jun 29 '16 at 19:16
Possible duplicate of [Fetching AWS instance metadata from within Docker container?](https://stackoverflow.com/questions/22409367/fetching-aws-instance-metadata-from-within-docker-container) – bphi May 31 '18 at 11:21
2 Answers
The Amazon ECS agent populates the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable, which can be used to get credentials. These special variables are provided only to the process with PID 1. The script that is specified in the Dockerfile ENTRYPOINT gets PID 1.
There are many networking modes and details might differ for other networking modes. More information can be found in: How can I configure IAM task roles in Amazon ECS to avoid "Access Denied" errors?
For awsvpc networking mode, if you run printenv with PID 1 you would see something similar to this:
AWS_EXECUTION_ENV=AWS_ECS_FARGATE
AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/v2/credentials/0f891318-ab05-46fe-8fac-d5113a1c2ecd
HOSTNAME=ip-172-17-0-123.ap-south-1.compute.internal
AWS_DEFAULT_REGION=ap-south-1
AWS_REGION=ap-south-1
ECS_CONTAINER_METADATA_URI_V4=http://169.254.170.2/v4/2c9107c385e04a70b30d3cc4d4de97e7-527074092
ECS_CONTAINER_METADATA_URI=http://169.254.170.2/v3/2c9107c385e04a70b30d3cc4d4de97e7-527074092
It also gets tricky to debug something since after SSH'ing into container you are using PID other than 1 meaning that services that need to get credentials might fail to do so if you run them manually.
ECS task metadata endpoint documentation

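To make the PID 1 point above concrete, here is an added example (editor's code, not from the question or either answer) that resolves the container credential endpoint the way the ECS credential provider does, and reads the environment of PID 1 rather than of the shell you exec'd into. The host 169.254.170.2 and the variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI are from the answer; the alternative AWS_CONTAINER_CREDENTIALS_FULL_URI variable and the JSON field names returned by the endpoint (AccessKeyId, SecretAccessKey, Token, Expiration) are taken from the AWS SDK credential provider behaviour and are assumptions here, as is the /proc/1/environ path, which is only readable if your shell runs as root in the same PID namespace. The sample environment bytes and the sample JSON body are constructed for the example.

```python
"""Resolve the ECS container credential endpoint from PID 1's environment.

Editor's example, not code from the page. Assumed: the FULL_URI variable name,
the JSON field names of the endpoint response, and the /proc/1/environ path.
"""
import json
from typing import Dict, Optional

ECS_CREDENTIALS_HOST = "http://169.254.170.2"            # from the answer
RELATIVE_URI_VAR = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"  # from the answer
FULL_URI_VAR = "AWS_CONTAINER_CREDENTIALS_FULL_URI"      # assumed SDK variable


def parse_environ(raw: bytes) -> Dict[str, str]:
    """Parse the NUL-separated KEY=VALUE layout used by /proc/<pid>/environ."""
    env: Dict[str, str] = {}
    for entry in raw.split(b"\0"):
        if not entry:
            continue
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode()] = value.decode()
    return env


def read_pid1_environ(path: str = "/proc/1/environ") -> Dict[str, str]:
    """Read the entrypoint's (PID 1) environment; needs root in the container."""
    with open(path, "rb") as f:
        return parse_environ(f.read())


def container_credentials_url(env: Dict[str, str]) -> Optional[str]:
    """Return the URL the container credential provider would query, or None.

    None means this process would fall through to other providers (and on
    Fargate there is no EC2 instance metadata to fall back to).
    """
    if FULL_URI_VAR in env:
        return env[FULL_URI_VAR]
    relative = env.get(RELATIVE_URI_VAR)
    if relative is None:
        return None
    return ECS_CREDENTIALS_HOST + relative


def parse_credentials(body: str) -> Dict[str, str]:
    """Pick out the fields a boto3 session needs from the endpoint's JSON body."""
    doc = json.loads(body)
    return {
        "aws_access_key_id": doc["AccessKeyId"],
        "aws_secret_access_key": doc["SecretAccessKey"],
        "aws_session_token": doc["Token"],
        "expiration": doc["Expiration"],
    }


# Constructed samples: what PID 1 sees (values from the answer) vs. an exec shell.
PID1_ENVIRON = (
    b"AWS_EXECUTION_ENV=AWS_ECS_FARGATE\0"
    b"AWS_CONTAINER_CREDENTIALS_RELATIVE_URI="
    b"/v2/credentials/0f891318-ab05-46fe-8fac-d5113a1c2ecd\0"
    b"AWS_REGION=ap-south-1\0"
)
SHELL_ENVIRON = b"HOME=/root\0TERM=xterm\0"

# Constructed sample body in the shape the credential endpoint returns.
SAMPLE_BODY = json.dumps({
    "RoleArn": "arn:aws:iam::123456789012:role/example-task-role",
    "AccessKeyId": "ASIAEXAMPLEKEYID",
    "SecretAccessKey": "example-secret-not-real",
    "Token": "example-session-token",
    "Expiration": "2024-01-01T00:00:00Z",
})

if __name__ == "__main__":
    for label, raw in (("pid 1", PID1_ENVIRON), ("exec shell", SHELL_ENVIRON)):
        print(label, "->", container_credentials_url(parse_environ(raw)))
    print(parse_credentials(SAMPLE_BODY)["aws_access_key_id"])
```

Run `read_pid1_environ()` from a shell inside the container to see what the entrypoint actually received; if `container_credentials_url()` returns None for your shell but a URL for PID 1, the task role is configured correctly and the failure is only that the manually started process lacks the variable.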
Find the .aws folder in ~/.aws on your machine and move it to the Docker container's /root folder.
.aws contains files which have the AWS KEY and AWS PW.
You can easily copy it to the currently running container from your local machine by
docker cp ~/.aws <container_id>:/root

The files in .aws on the EC2 will not exist unless you specifically put them there. That's not what the question was about. – mpenkov Nov 27 '18 at 13:23