Docker containers seem to 'inherit' the instance profile of the host ec2. How?

We have a docker container running on an ec2 host. Within that docker container we run some aws cli commands. We haven't defined any AWS credentials within the container. This implies that the container inherits the Instance Profile of the host ec2.

Is my assumption true? If so, how exactly does the container inherit the instance profile credentials? Secondly (possibly related), what exactly does the aws cli do to obtain the instance profile credentials? Does it make a call to the metadata endpoint (169.254.169.254)? For example, if the credentials are picked up from the environment variables, the credentials are hard coded and can be seen, but where do the credentials for an instance profile actually reside?

n00b asked Feb 19 '16 00:02 (512 likes)


1 Answer

That's correct, the credentials are of the host machine. It gets them from the metadata endpoint, as you suspected.

One solution/workaround to give narrower access is ec2metadataproxy. I haven't used it yet.

The security group access is based on the host container too, unfortunately.

tedder42 answered Sep 28 '22 09:09 (57 likes)
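As an added example (not code from the question, the answer, or the AWS CLI itself), here is a simplified Python model of the lookup the answer describes: the CLI's provider chain prefers explicit environment variables and otherwise asks the metadata endpoint for the instance profile's temporary keys. The role name "app-role", the IMDS responses and the key values are constructed, and the HTTP call is injected so the script runs offline.

```python
import json
from typing import Callable, Dict, Optional

# IMDS address the AWS CLI/SDKs query on EC2 (the endpoint named in the question).
IMDS = "http://169.254.169.254"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"

# Constructed IMDS responses for a host whose profile carries a hypothetical role "app-role".
FAKE_IMDS = {
    "PUT " + IMDS + "/latest/api/token": "constructed-imdsv2-token",
    "GET " + IMDS + CREDS_PATH: "app-role",
    "GET " + IMDS + CREDS_PATH + "app-role": json.dumps({  # made-up values, not real keys
        "Code": "Success", "Type": "AWS-HMAC", "AccessKeyId": "ASIAEXAMPLE",
        "SecretAccessKey": "constructed-secret", "Token": "constructed-session-token",
        "Expiration": "2016-02-19T06:00:00Z",
    }),
}

def fake_fetch(method: str, url: str, headers: Dict[str, str]) -> Optional[str]:
    """Stand-in for the HTTP call; returns the body, or None when IMDS is unreachable."""
    return FAKE_IMDS.get(f"{method} {url}")

def imds_credentials(fetch: Callable) -> Optional[Dict[str, str]]:
    """Mirror the SDK's instance-profile provider: IMDSv2 token, role name, then keys."""
    token = fetch("PUT", IMDS + "/latest/api/token",
                  {"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    if token is None:
        return None  # no route to IMDS (or v2 token refused): no host role for this process
    auth = {"X-aws-ec2-metadata-token": token}
    role = fetch("GET", IMDS + CREDS_PATH, auth)
    if not role:
        return None  # instance has no profile attached
    body = fetch("GET", IMDS + CREDS_PATH + role.strip(), auth)
    if not body:
        return None
    return dict(json.loads(body), RoleName=role.strip())

def resolve_credentials(env: Dict[str, str], fetch: Callable) -> Dict[str, str]:
    """Simplified provider chain: env vars win; the instance profile is the fallback."""
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return {"source": "env", "AccessKeyId": env["AWS_ACCESS_KEY_ID"]}
    creds = imds_credentials(fetch)
    if creds is None:
        return {"source": "none"}
    # Nothing here identifies the container: any process that can reach IMDS
    # receives the host's role credentials, which is the 'inheritance' observed.
    return {"source": "instance-profile", "role": creds["RoleName"],
            "AccessKeyId": creds["AccessKeyId"]}
```

The lookup has no notion of containers, so a container that can route to 169.254.169.254 receives the host's role; limiting that route (a proxy such as the one the answer mentions, or IMDSv2's hop limit, which stops bridge-networked containers) is the defensive lever.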