Pass AWS credentials (IAM role credentials) to code running in docker container
When running code on an EC2 instance, the SDK you use to access AWS resources, automagically talks to a locally linked web server on 169.254.169.254 and gets that instances
-
Amazon does have some mechanisms for allowing containers to access IAM roles via the SDK and either routing/forwarding requests through the ECS agent container or the host. There is way too much to copy and paste, but using
--net hostis the LEAST recommended option because without additionally filters that allows your container full access to anything it's host has permission to do.https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html
declare -a ENVVARS declare AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN get_aws_creds_local () { # Use this to get secrets on a non AWS host assuming you've set credentials via some mechanism in the past, and then don't pass in a profile to gitlab-runner because it doesn't see the ~/.aws/credentials file where it would look up profiles awsProfile=${AWS_PROFILE:-default} AWS_ACCESS_KEY_ID=$(aws --profile $awsProfile configure get aws_access_key_id) AWS_SECRET_ACCESS_KEY=$(aws --profile $awsProfile configure get aws_secret_access_key) AWS_SESSION_TOKEN=$(aws --profile $awsProfile configure get aws_session_token) } get_aws_creds_iam () { TEMP_ROLE=$(aws sts assume-role --role-arn "arn:aws:iam::123456789012:role/example-role" --role-session-name AWSCLI-Session) AWS_ACCESS_KEY_ID=$(echo $TEMP_ROLE | jq -r . Credentials.RoleAccessKeyID) AWS_SECRET_ACCESS_KEY=$(echo $TEMP_ROLE | jq -r . Credentials.RoleSecretKey) AWS_SESSION_TOKEN=$(echo $TEMP_ROLE | jq -r . Credentials.RoleSessionToken) } get_aws_creds_local get_aws_creds_iam ENVVARS=("AWS_ACCESS_KEY_ID=$ACCESS_KEY_ID" "AWS_SECRET_ACCESS_KEY=$ACCESS_SECRET_ACCESS_KEY" "AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN") # passing creds into GitLab runner gitlab-runner exec docker stepName $(printf " --env %s" "${ENVVARS[@]}") # using creds with a docker container docker run -it --rm $(printf " --env %s" "${ENVVARS[@]}") amazon/aws-cli get-caller-identity
加载中...
- 热议问题