3

I have an EC2 instance with a role that gives it full control over other EC2 instances. This role allows calling `aws ec2 ...` without doing the `aws configure` step.

However, if I install Docker and run a Docker container inside that EC2 instance, this container is not able to do `aws ec2 ...` without configuring the awscli.

Is there some kind of folder to share or feature to enable in order to run awscli commands inside my container without configuring it with an access key/password?

Romain

1 Answer

3

The aws command is utilizing the IAM instance profile assigned to the EC2 instance, which it is obtaining via the EC2 metadata service. You would need to share that metadata with the Docker container somehow.

Are you using the AWS ECS service? Or are you manually installing and managing docker on an EC2 instance? ECS handles this for you.

Otherwise you might look into something like this Lyft project designed to proxy the EC2 IAM role to the Docker container.

Mark B
  • 1
    I'm manually managing Docker from my EC2. And your first solution worked great! Getting credentials from a call to the [metadata iam role-name](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) and then [exporting the obtained credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) allowed me to perform the awscli commands. I simply don't understand why this call isn't performed automatically inside the container? – Romain Sep 19 '18 at 07:06
  • For your point : "The aws command is utilizing the IAM instance profile assigned to the EC2 instance"..... same holds good for source code using aws sdk in EC2 assuming a role? – overexchange Jul 17 '19 at 08:57
  • @overexchange yes, https://aws.amazon.com/blogs/security/a-new-and-standardized-way-to-manage-credentials-in-the-aws-sdks/ – Mark B Jul 17 '19 at 12:57
  • 1
    @MarkB Another question... as we understand, the `aws` command utilises the instance profile from the EC2 metadata service (at http://169.254.169.254/latest/meta-data), but why is the same `aws` command running in a Docker container in EC2 not able to utilize the same IAM instance profile from the same EC2 metadata service? – overexchange Jul 17 '19 at 13:05
  • It is very strange that I need to explicitly `curl` metadata service URL and retrieve the required role credentials – overexchange Jul 17 '19 at 13:09
  • @overexchange it can be shared with the docker container instances: https://stackoverflow.com/questions/22409367/fetching-aws-instance-metadata-from-within-docker-container Please post a separate question if you are having issues with this. – Mark B Jul 17 '19 at 13:10
  • @MarkB my question is.... why do I need to explicitly curl metadata service, before running `aws` command from docker container? Can't `aws` command fetch this meta data on its own? – overexchange Jul 17 '19 at 13:15
  • @overexchange as I indicated in my last link you can expose the metadata directly to all docker containers running on the EC2 server. You might not want to do that however, as you might want different IAM roles assigned to each docker container, at which point you would need to use one of the solutions I posted in my original answer. – Mark B Jul 17 '19 at 13:18
  • @MarkB I think, if the Docker container uses EC2's network namespace by using the `--net=host` option for `docker run`, then I need not explicitly fetch metadata from the Docker container. Is that the right understanding? – overexchange Jul 17 '19 at 13:24
  • @overexchange yes – Mark B Jul 17 '19 at 13:27
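An added example (not part of the question, answer or comments above) of what Romain's comment describes: reading the role name and credential document from the metadata service path and mapping them to the variables the `aws` CLI reads, refusing to export an expired or unsuccessful credential set. The sample document and its key values are constructed, and the IMDSv2 token endpoint is assumed to be reachable from the container.

```python
"""Export the EC2 instance role credentials served by the instance metadata
service (IMDS) as the AWS_* variables the aws CLI and SDKs read.
Added example, not code from the question or answer; assumes the standard
IMDSv2 endpoints at 169.254.169.254 are reachable from the container."""
import json
import urllib.request
from datetime import datetime, timezone

IMDS = "http://169.254.169.254"
ROLE_PATH = "/latest/meta-data/iam/security-credentials/"

# Constructed sample of an IMDS credential document (all values are fake).
SAMPLE_DOC = ('{"Code":"Success","LastUpdated":"2018-09-19T07:00:00Z",'
              '"Type":"AWS-HMAC","AccessKeyId":"ASIAEXAMPLE",'
              '"SecretAccessKey":"secretEXAMPLE","Token":"tokenEXAMPLE",'
              '"Expiration":"2018-09-19T13:00:00Z"}')

def utc(stamp):
    """Parse the 'Z'-suffixed IMDS timestamps into aware datetimes."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def parse_credentials(body, now=None):
    """Validate a credential document; return an AWS_* mapping, or None if the
    Code is not Success or the set has expired (never export stale keys)."""
    doc = json.loads(body)
    if doc.get("Code") != "Success":
        return None
    if utc(doc["Expiration"]) <= (now or datetime.now(timezone.utc)):
        return None
    return {"AWS_ACCESS_KEY_ID": doc["AccessKeyId"],
            "AWS_SECRET_ACCESS_KEY": doc["SecretAccessKey"],
            "AWS_SESSION_TOKEN": doc["Token"]}  # required for role credentials

def imds_get(path, token=None, method="GET", ttl=None):
    """GET/PUT against IMDS with a short timeout, sending the IMDSv2 token."""
    req = urllib.request.Request(IMDS + path, method=method)
    if ttl:
        req.add_header("X-aws-ec2-metadata-token-ttl-seconds", str(ttl))
    if token:
        req.add_header("X-aws-ec2-metadata-token", token)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()

def role_credentials():
    """Fetch the live credentials of the role attached to this instance."""
    token = imds_get("/latest/api/token", method="PUT", ttl=300)
    role = imds_get(ROLE_PATH, token).strip()  # the role-name listing
    return parse_credentials(imds_get(ROLE_PATH + role, token))
```

Calling `role_credentials()` from a container that can reach the metadata service (for example one started with `--net=host`) returns the three pairs to `export` before running `aws`; a `None` result means the instance has no role or the credentials could not be validated.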