Alternative method of providing credentials

[benkehoe]

The docs recommend mounting ~/.aws into the container, but this may not work for a variety of reasons (e.g., a custom credential process that's not accessible to the container). An alternative I've discovered is to provide a local IMDSv2 server on the host and use the AWS_EC2_METADATA_SERVICE_ENDPOINT environment variable on the container.

I've included this capability in aws-export-credentials. It looks like this:

# in a terminal (choosing 8081 as the port for this example)
$ aws-export-credentials --imds 8081

then in your docker-compose.override.yml from the tutorial, the relevant section would look something like this:

services:
    # This container vends credentials to your containers
    ecs-local-endpoints:
        # The Amazon ECS Local Container Endpoints Docker Image
        image: amazon/amazon-ecs-local-container-endpoints
        volumes:
          # Mount /var/run so we can access docker.sock and talk to Docker
          - /var/run:/var/run
        ports:
          # Map the IMDS server's port from the host
          - "8081:8081"
        environment:
          # use credentials from the IMDS server on the host
          AWS_EC2_METADATA_SERVICE_ENDPOINT=http://host.docker.internal:8081/
        networks:
            credentials_network:
                # This special IP address is recognized by the AWS SDKs and AWS CLI 
                ipv4_address: "169.254.170.2"

[PettitWesley]

Thank you for providing this example.