How to run commands with AWS credentials inside docker on EC2?

Question

I have EC2 that has a regular access to S3 via profile:

aws s3 ls --profile myprofile s3://

On the same EC2 I created docker container and installed aws cli tool. Created same ~./aws/config file with same content as on host ec2 but this command from docker container now gives error:

aws s3 ls --profile myprofile s3://
Error when retrieving credentials from Ec2InstanceMetadata: No credentials found in credential_source referenced in profile myprofile

How to enable access to S3 inside container?

Answer 1

There are a few options to do this, and depending on your risk appetite for possible security exposure will help determine what is the way to go.

You can go the route of creating a credentials file externally with static credentials and copying that into ~/.aws/ during Build time. You can even use variables in the file and pass them with ENV or ARG .

If you are using docker-compose then the .env files come into play, with pretty much the same idea as above.

You could call the metadata service of EC2 to retrieve temporary credentials, I do not have much experience cURL'ing that, but there is some info here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-retrieval

You could also cat > ~/.aws out the file, though that would be a pain, and do some variation of ENV vars at the CLI level or with .env's, ENV's or ARGs

IF you are using ECS to run your containers on top of EC2, then you can pass in Variables as a valueFrom in the Task Definition / Container Definition to take them in from Systems Manager Parameter Store (plaintext), or you could encrypt your Parameters with a KMS key or use Plaintext Secrets from Secrets Manager and inject them for your variables.

With the above, you can COPY a variable-ized credentials file, and pass the ENV variables as $(keys) in your Dockerfile, then inject them from Secrets Manager or Parameter Store to give some added security.