IAM Role + Boto3 + Docker container

As far as I know, boto3 will try to load credentials from the instance metadata service. If I am running this code inside an EC2 instance I expect to have no problem. But when my code is dockerized, how will boto3 find the metadata service?



Solution 1:[1]

The Amazon ECS agent populates the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable, which can be used to get credentials. These special variables are provided only to the process with PID 1. The script that is specified in the Dockerfile ENTRYPOINT gets PID 1.

There are many networking modes, and details might differ for other networking modes. More information can be found in: How can I configure IAM task roles in Amazon ECS to avoid "Access Denied" errors?

For the awsvpc networking mode, if you run printenv as PID 1 you will see something similar to this:

AWS_EXECUTION_ENV=AWS_ECS_FARGATE
AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/v2/credentials/0f891318-ab05-46fe-8fac-d5113a1c2ecd
HOSTNAME=ip-172-17-0-123.ap-south-1.compute.internal
AWS_DEFAULT_REGION=ap-south-1
AWS_REGION=ap-south-1
ECS_CONTAINER_METADATA_URI_V4=http://169.254.170.2/v4/2c9107c385e04a70b30d3cc4d4de97e7-527074092
ECS_CONTAINER_METADATA_URI=http://169.254.170.2/v3/2c9107c385e04a70b30d3cc4d4de97e7-527074092

It also gets tricky to debug something, since after SSH'ing into the container you are using a PID other than 1, meaning that services that need to get credentials might fail to do so if you run them manually.

ECS task metadata endpoint documentation
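The answer above describes two things worth checking from inside a container: how the relative URI the ECS agent injects is turned into the full credentials endpoint, and why a shell started with `docker exec` or SSH (which is not PID 1) may not see that variable at all. The following diagnostic is an added example, not code from the original post or from boto3/botocore. It mimics the resolution order of the SDK's container credential provider in plain Python (the link-local host 169.254.170.2 and the two AWS_CONTAINER_CREDENTIALS_* variables come from the answer; the plain-http host allow-list and the /proc/1/environ parsing are assumptions about a standard Linux container and your SDK version). The sample environment block is constructed from the printenv output shown above.

```python
"""Diagnose where the container credential provider would fetch task-role credentials.

Added example, not part of the original Stack Overflow post. The host
169.254.170.2 and the AWS_CONTAINER_CREDENTIALS_* variables are the ones the
answer refers to; the allow-list and /proc/1/environ handling are assumptions.
"""
import os
from typing import Dict, Optional
from urllib.parse import urlparse

# Link-local host on which the ECS agent serves the credentials endpoint.
ECS_CREDENTIALS_HOST = "http://169.254.170.2"

# Hosts an absolute (FULL_URI) credentials URI may use over plain http.
# Assumption: mirrors the SDK's restriction; verify against your SDK version.
ALLOWED_PLAIN_HTTP_HOSTS = {"localhost", "127.0.0.1", "169.254.170.2"}

# Constructed sample of /proc/1/environ, built from the answer's printenv output
# (NUL-separated KEY=VALUE records, as the kernel exposes them).
CONSTRUCTED_PID1_ENVIRON = (
    b"AWS_EXECUTION_ENV=AWS_ECS_FARGATE\0"
    b"AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/v2/credentials/0f891318-ab05-46fe-8fac-d5113a1c2ecd\0"
    b"AWS_REGION=ap-south-1\0"
)


def parse_proc_environ(raw: bytes) -> Dict[str, str]:
    """Parse the NUL-separated KEY=VALUE records found in /proc/<pid>/environ."""
    env: Dict[str, str] = {}
    for entry in raw.split(b"\0"):
        if not entry or b"=" not in entry:
            continue
        key, _, value = entry.partition(b"=")
        env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def resolve_container_credentials_url(env: Dict[str, str]) -> Optional[str]:
    """Return the credentials URL a container provider would call, or None.

    The relative URI injected by the ECS agent is appended to the fixed
    link-local host. An absolute URI is accepted only over https or from an
    allow-listed loopback/link-local host, so a stray variable cannot redirect
    the credential fetch to an arbitrary plain-http server.
    """
    relative = env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
    if relative:
        return ECS_CREDENTIALS_HOST + relative
    full = env.get("AWS_CONTAINER_CREDENTIALS_FULL_URI")
    if full:
        parsed = urlparse(full)
        if parsed.scheme == "https" or parsed.hostname in ALLOWED_PLAIN_HTTP_HOSTS:
            return full
        raise ValueError(f"refusing plain-http credentials URI on host {parsed.hostname!r}")
    return None


def diagnose(current_env: Dict[str, str], pid1_env: Dict[str, str]) -> str:
    """Compare what this process sees with what PID 1 (the ENTRYPOINT) sees.

    This is the debugging trap from the answer: a shell opened with
    `docker exec` or SSH is not PID 1, so the variable can be absent there
    even though the ENTRYPOINT process has it.
    """
    here = resolve_container_credentials_url(current_env)
    entry = resolve_container_credentials_url(pid1_env)
    if here:
        return f"this process will fetch task-role credentials from {here}"
    if entry:
        return (f"this process has no credentials URI, but PID 1 does ({entry}); "
                "re-run the command with the ENTRYPOINT's environment")
    return ("no container credentials URI anywhere; the SDK will fall back to its "
            "remaining providers (shared config, instance metadata)")


if __name__ == "__main__":
    try:
        with open("/proc/1/environ", "rb") as fh:
            pid1 = parse_proc_environ(fh.read())
    except OSError as exc:  # not Linux, or not permitted to read PID 1's environment
        pid1 = {}
        print(f"could not read /proc/1/environ: {exc}")
    print(diagnose(dict(os.environ), pid1))
```

Run it once from the ENTRYPOINT process and once from an exec'd shell: the first report names the endpoint, the second typically reports that only PID 1 has the URI, which is exactly the symptom described in the answer.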

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
