Docker容器似乎“继承”了主机ec2的实例配置文件。怎么样? [英] Docker containers seem to 'inherit' the instance profile of the host ec2. How?
问题描述
我们有一个在ec2主机上运行的docker容器。在该docker容器中,我们运行一些aws cli命令。我们尚未在容器中定义任何AWS凭证。这意味着容器继承了主机ec2的实例配置文件。
We have a docker container running on an ec2 host. Within that docker container we run some aws cli commands. We haven't defined any AWS credentials within the container. This implies that the container inherits Instance Profile of the host ec2.
我的假设是否正确?如果是这样,那么容器将如何准确地继承实例配置文件凭据?其次(可能相关),aws cli到底做了什么以获取实例配置文件凭证?它是否调用元数据终结点(169.254.169.254)?例如,如果凭证是从环境变量中提取的,则凭证是经过硬编码的并且可以看到,但是实例配置文件的凭证实际位于何处?
Is my assumption true? If so, how exactly does the container inherit the instance profile credentials? Secondly (possibly related) what exactly does the aws cli do to obtain the instance profile credentials? Does it make a call to the metadata endpoint (169.254.169.254)? For example if the credentials are picked up from the environment variables, the credentials are hard coded and can be seen but where do the credentials for an instance profile actually reside?
推荐答案
是的,凭据是主机的。
That's correct, the credentials are of the host machine. It gets them from the metadata endpoint, as you suspected.
提供狭窄访问范围的一种解决方案/解决方法是 ec2metadataproxy 。我还没有用过。
One solution/workaround to give narrower access is ec2metadataproxy. I haven't used it yet.
不幸的是,安全组访问也是基于主机容器的。
The security group access is based on the host container too, unfortunately.
这篇关于Docker容器似乎“继承”了主机ec2的实例配置文件。怎么样?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
