How to configure this to read AWS ECS task definition role credentials #21
Comments
Hi @denis-singh can you provide more details on the error, and how the configuration for the new URL was set?
Hi @ddragosd AWS ECS has task roles which you can assign to individual docker containers running on the servers: The task role credentials url is "169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI". I think it's because the first metadata url returns the role name whereas the task role url returns the credentials associated with the role, like so: {
You might make this work, assuming you can configure in NGINX the role assigned to each docker container. In NGINX config, ensure you expose the ENV VAR to NGINX:

```nginx
# place this above the http {} block
env AWS_CONTAINER_CREDENTIALS_RELATIVE_URI;
```

Then in Lua:

```lua
local IamCredentials = require "api-gateway.aws.AWSIAMCredentials"
local iam = IamCredentials:new({
    security_credentials_host = "169.254.170.2",
    security_credentials_url = os.getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"),
    iam_user = "" -- leave it empty
})
```

If this doesn't work we probably need to implement support for IAM Roles for Tasks in AWSIAMCredentials.lua. When AWS_CONTAINER_CREDENTIALS_RELATIVE_URI variable is available, it should use the provided credentials to make calls to the AWS APIs.
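The difference between the two endpoints discussed in this thread, as an added example that is not part of the original comments or the project's Lua code: when `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` is set, one request to `169.254.170.2` returns the task role's credentials document directly; otherwise the instance metadata service is asked for the role name first and then for that role's credentials. The function names, the injected `fetch` helper and all sample values are assumptions constructed for illustration, and Python is used only so the logic runs offline.

```python
import json
from datetime import datetime, timedelta, timezone

ECS_HOST = "169.254.170.2"    # task-role endpoint named in the thread
EC2_HOST = "169.254.169.254"  # EC2 instance metadata service
EC2_PATH = "/latest/meta-data/iam/security-credentials/"
REQUIRED = ("AccessKeyId", "SecretAccessKey", "Token", "Expiration")

def parse(body):
    """Validate a credentials document and turn Expiration into a datetime."""
    doc = json.loads(body)
    missing = [k for k in REQUIRED if k not in doc]
    if missing:
        raise ValueError(f"credentials document lacks {missing}")
    exp = datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    return {**doc, "Expiration": exp.replace(tzinfo=timezone.utc)}

def resolve_credentials(env, fetch):
    """Return (source, creds); fetch(url) -> str is injected (hypothetical helper)."""
    rel = env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI", "")
    if rel:
        # Must be a plain path so it cannot alter the host part of the URL.
        if not rel.startswith("/") or any(c.isspace() for c in rel):
            raise ValueError("unexpected AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
        # One request: the task endpoint returns the credentials directly.
        return "ecs-task-role", parse(fetch(f"http://{ECS_HOST}{rel}"))
    # Two requests: the instance endpoint first returns only the role name.
    role = fetch(f"http://{EC2_HOST}{EC2_PATH}").strip()
    return "ec2-instance-role", parse(fetch(f"http://{EC2_HOST}{EC2_PATH}{role}"))

def needs_refresh(creds, now, skew=timedelta(minutes=5)):
    """True when the temporary credentials expire within `skew`."""
    return creds["Expiration"] - now <= skew

def redact(creds):
    """Copy that is safe to log: secret material masked, key id kept."""
    return {k: ("***" if k in ("SecretAccessKey", "Token") else v) for k, v in creds.items()}

# Constructed sample responses (not real credentials).
def _doc(key_id):
    return json.dumps({"AccessKeyId": key_id, "SecretAccessKey": "constructed-secret",
                       "Token": "constructed-token", "Expiration": "2030-01-01T00:00:00Z"})

SAMPLE = {
    f"http://{ECS_HOST}/v2/credentials/constructed-id": _doc("ASIAEXAMPLETASK"),
    f"http://{EC2_HOST}{EC2_PATH}": "constructed-host-role\n",
    f"http://{EC2_HOST}{EC2_PATH}constructed-host-role": _doc("ASIAEXAMPLEHOST"),
}

if __name__ == "__main__":
    env = {"AWS_CONTAINER_CREDENTIALS_RELATIVE_URI": "/v2/credentials/constructed-id"}
    source, creds = resolve_credentials(env, SAMPLE.__getitem__)
    print(source, redact(creds))
```

Logging which source was chosen, with the secret fields redacted, makes it easy to confirm that a container is using its task role rather than the host's instance role.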
…le in ECS

That issue was fixed in ad9b8d4

For insight into why this needs to be done see:
* adobe-apiplatform/api-gateway-aws#21 (comment)
* https://github.com/phusion/passenger-docker#setting-environment-variables-in-nginx
Hi,
I've got this running in a docker container on ECS. Unfortunately it picks up the AWS credentials for the ECS hosts rather than the task definition role, which is specific to the container.
If I configure it to point to the task definition credentials URL,

    curl 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI

it throws an error.