How to configure this to read AWS ECS task definition role credentials #21
Comments
|
Hi @denis-singh can you provide more details on the error, and how the configuration for the new URL was set ? |
|
Hi @ddragosd AWS ECS has task roles which you can assign to individual docker containers running on the servers: The task role credentials url is "169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI". I think its because the first metadata url return the role name whereas the task role url returns the credentials associated with the role, like so: { |
|
You might make this work, assuming you can configure in NGINX the role assigned to each docker container. In NGINX config, ensure you expose the ENV VAR to NGINX: # place this above the http {} block
env AWS_CONTAINER_CREDENTIALS_RELATIVE_URI;Then in Lua: local IamCredentials = require "api-gateway.aws.AWSIAMCredentials"
local iam = IamCredentials:new({
security_credentials_host = "169.254.170.2",
security_credentials_url= os.getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"),
iam_user="" --leave it empty
})If this doesn't work we probably need to implement support for IAM Roles for Tasks in AWSIAMCredentials.lua. When AWS_CONTAINER_CREDENTIALS_RELATIVE_URI variable is available, it should use the provided credentials to make calls to the AWS APIs. |
…le in ECS That issue was fixed in ad9b8d4 For insight into why this needs to be done see: * adobe-apiplatform/api-gateway-aws#21 (comment) * https://github.com/phusion/passenger-docker#setting-environment-variables-in-nginx
Hi,
I've got this running in a docker container on ECS. Unfortunately it picks up the AWS credentials for the ECS hosts rather than the task definition role, which is specific to the container.
If I configure it to point to the task definition credentials URL,
curl 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI it throws an error.
The text was updated successfully, but these errors were encountered: