IAM Role + Boto3 + Docker container
As far as I know, boto3 will try to load credentials from the instance metadata service. If I am running this code inside an EC2 instance I expect to have no problem. But when my code is dockerized, how will boto3 find the metadata service?
The Amazon ECS agent populates the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable, which can be used to get credentials. These special variables are provided only to the process with PID 1. The script that is specified in the Dockerfile ENTRYPOINT gets PID 1.
There are many networking modes, and details might differ for other networking modes. More information can be found in: How can I configure IAM task roles in Amazon ECS to avoid "Access Denied" errors?
For awsvpc networking mode, if you ran printenv as PID 1 you would see something similar to this:
AWS_EXECUTION_ENV=AWS_ECS_FARGATE
AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/v2/credentials/0f891318-ab05-46fe-8fac-d5113a1c2ecd
HOSTNAME=ip-172-17-0-123.ap-south-1.compute.internal
AWS_DEFAULT_REGION=ap-south-1
AWS_REGION=ap-south-1
ECS_CONTAINER_METADATA_URI_V4=http://169.254.170.2/v4/2c9107c385e04a70b30d3cc4d4de97e7-527074092
ECS_CONTAINER_METADATA_URI=http://169.254.170.2/v3/2c9107c385e04a70b30d3cc4d4de97e7-527074092
It also gets tricky to debug something, since after SSH'ing into the container you are using a PID other than 1, meaning that services that need to get credentials might fail to do so if you run them manually.
ECS task metadata endpoint documentation
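As an added diagnostic for the PID 1 point above (not code from this answer's author): it reproduces the rule botocore applies to the container credential variables, so from any shell in the task you can see which endpoint the SDK would call and why a manually started process may see none. The hint strings and the read of /proc/1/environ are this example's own additions.

```python
"""Where botocore will look for credentials inside a container (added example)."""
import os
from typing import Mapping, Optional

# Fixed host the AWS SDKs prepend to AWS_CONTAINER_CREDENTIALS_RELATIVE_URI.
ECS_CREDENTIAL_HOST = "http://169.254.170.2"


def container_credentials_url(environ: Mapping[str, str]) -> Optional[str]:
    """URL the container credential provider would call, or None if unset."""
    # Same precedence as botocore: the relative URI wins over the full URI.
    relative = environ.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
    if relative:
        return ECS_CREDENTIAL_HOST + relative
    return environ.get("AWS_CONTAINER_CREDENTIALS_FULL_URI") or None


def diagnose(environ: Mapping[str, str], pid: int) -> dict:
    """Explain why a manually started process may not find task-role credentials."""
    url = container_credentials_url(environ)
    hint = None
    if url is None and pid != 1:
        hint = ("no container credential variables in this process; the ECS agent "
                "sets them for PID 1, so run the service via the ENTRYPOINT script")
    elif url is None:
        hint = "PID 1 has no container credential variables; check the task role"
    return {"pid": pid, "is_pid_1": pid == 1, "credentials_url": url, "hint": hint}


def pid1_environ() -> dict:
    """Environment of PID 1 from /proc (Linux, needs permission); {} if unreadable."""
    try:
        with open("/proc/1/environ", "rb") as fh:
            raw = fh.read()
    except OSError:
        return {}
    pairs = (item.split(b"=", 1) for item in raw.split(b"\0") if b"=" in item)
    return {k.decode(): v.decode(errors="replace") for k, v in pairs}


if __name__ == "__main__":
    # Run from an exec'd shell in the task to compare your view with PID 1's.
    report = diagnose(os.environ, os.getpid())
    print(report)
    if report["credentials_url"] is None:
        print("URL visible to PID 1:", container_credentials_url(pid1_environ()))
```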
Find the .aws folder in ~/.aws on your machine and move it to the Docker container's /root folder. .aws contains files which have the AWS KEY and AWS PW. You can easily copy it from your local machine to the currently running container with docker cp ~/.aws <container_id>:/root