向 ECS/Fargate 中的 AWS CLI 提供凭证

Question

I would like to create an ECS task with Fargate, and have that upload a file to S3 using the AWS CLI (among other things). I know that it's possible to create task roles, which can provide the task with permissions on AWS services/resources. Similarly, in OpsWorks, the AWS SDK is able to query instance metadata to obtain temporary credentials for its instance profile. I also found these docs suggesting that something similar is possible with the AWS CLI on EC2 instances.

Is there an equivalent for Fargate—ie, can the AWS CLI, running in a Fargate container, query the metadata service for temporary credentials? If not, what's a good way to authenticate so that I can upload a file to S3? Should I just create a user for this task and pass in AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as environment variables?

(I know it's possible to have an ECS task backed by EC2, but this task is short-lived and run maybe monthly; it seemed a good fit for Fargate.)

Answer 1

"I know that it's possible to create task roles, which can provide the task with permissions on AWS services/resources."

"Is there an equivalent for Fargate"

You already know the answer. The ECS task role isn't specific to EC2 deployments, it works with Fargate deployments as well.

You can get the task metadata, including IAM access keys, through the ECS metadata service . But you don't need to worry about that, because the AWS CLI, and any AWS SDK, will automatically pull that information when it is running inside an ECS task.