Docker Build using an Assumed Role Profile

I want to build a docker image locally that copies an s3 file and sets it as the file to be executed by the container.

How can I reference the proper profile I'm needing for the S3 Bucket inside the docker file without using access keys?

dockerfile:

FROM onesysadmin/awscli:latest
RUN aws s3 cp s3://sample-bucket-dev-us-east-1/test_script.sh test_script.sh
RUN chmod 755 test_script.sh
CMD ./test_script.sh

.aws/credentials:

[master]
aws_access_key_id = ASIASF.......
aws_secret_access_key = 75opt1.......
aws_session_token = FwoGZXIvYXdzE......
aws_security_token = FwoGZXIvYXdzEFwoGZ......

[master-dev]
region = us-east-1
role_arn = arn:aws:iam::1234567890:role/master-admin
source_profile = master

i.e., I want to be able to use master-dev as the profile in my docker build command.

I ended up using Docker BuildKit.

I'm on a Mac and had to change my 'Docker Desktop' settings to true for experimental (Docker --> Preferences --> Docker Engine):

{
  "debug": true,
  "experimental": true
}

Then I changed my dockerfile:

# syntax = docker/dockerfile:experimental
FROM onesysadmin/awscli:latest
ARG PROFILE
ENV AWS_DEFAULT_PROFILE=$PROFILE
RUN --mount=type=secret,id=aws,target=/root/.aws/credentials aws sts get-caller-identity
RUN --mount=type=secret,id=aws,target=/root/.aws/credentials aws s3 cp s3://sample-bucket-dev-us-east-1/test_script.sh test_script.sh
RUN chmod 755 test_script.sh
CMD ./test_script.sh

And finally ran the build command:

DOCKER_BUILDKIT=1 docker build -t testing --build-arg PROFILE=master-dev \
--secret id=aws,src=$HOME/.aws/credentials .
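
A pre-build check for the file passed to --secret, as an added example that is not part of the original answer: it walks the role_arn/source_profile chain for the profile given as PROFILE and reports whether the base keys are temporary STS credentials. The function name resolve_profile and every sample value are assumptions made for this example, and only source_profile chains are handled.

```python
import configparser

# Constructed sample in this page's layout; all key values are placeholders.
SAMPLE = """
[master]
aws_access_key_id = ASIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-secret
aws_session_token = constructed-token
[master-dev]
region = us-east-1
role_arn = arn:aws:iam::123456789012:role/master-admin
source_profile = master
[loop-a]
role_arn = arn:aws:iam::123456789012:role/a
source_profile = loop-b
[loop-b]
role_arn = arn:aws:iam::123456789012:role/b
source_profile = loop-a
"""


def resolve_profile(text, profile):
    """Walk role_arn/source_profile links from `profile` to the section holding
    keys. Returns (role ARNs, outermost first; base profile name; whether the
    base keys are temporary STS credentials)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    roles, seen, current = [], set(), profile
    while True:
        if current in seen:
            raise ValueError(f"source_profile loop at [{current}]")
        if not cfg.has_section(current):
            raise ValueError(f"profile [{current}] is not in this file")
        seen.add(current)
        section = cfg[current]
        if "role_arn" not in section:
            break
        if "source_profile" not in section:  # credential_source etc. not handled
            raise ValueError(f"[{current}] has role_arn but no source_profile")
        roles.append(section["role_arn"])
        current = section["source_profile"]
    key_id = section.get("aws_access_key_id", "")
    if not key_id:
        raise ValueError(f"[{current}] has no aws_access_key_id")
    # ASIA-prefixed key IDs are temporary STS keys; AKIA ones are long-term.
    temporary = key_id.startswith("ASIA") and "aws_session_token" in section
    return roles, current, temporary


if __name__ == "__main__":
    print(resolve_profile(SAMPLE, "master-dev"))
```

A ValueError here means the build would fail at the aws sts get-caller-identity step, and a False third value means long-term keys are about to be mounted into the build.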
