Pass AWS credentials (IAM role credentials) to code running in docker container


Question

When running code on an EC2 instance, the SDK you use to access AWS resources automagically talks to a locally linked web server on 169.254.169.254 and gets that instance's AWS credentials (access_key, secret) that are needed to talk to other AWS services.

Also there are other options, like setting the credentials in ENV variables or passing them as command line args ...

What is the best practice here? I really prefer to let the container access 169.254.169.254 (by routing the requests) or, even better, run a proxy container that mimics the behavior of the real server at 169.254.169.254.

Is there a solution?

Answer

The EC2 metadata service will usually be available from within docker (unless you use a more custom networking setup - see this answer on a similar question).

If your docker network setup prevents it from being accessed, you might use the ENV directive in your Dockerfile or pass them directly during run, but keep in mind that credentials from IAM roles are automatically rotated by AWS.
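As an added example that is not part of the original question or answer: a small Python script that fetches the instance role's temporary credentials from the metadata service (using IMDSv2 session tokens) and hands them to `docker run` as `-e` environment variables at launch time, rather than baking them into the image with `ENV` (values written into a Dockerfile persist in the image layers, and they would be stale after the rotation the answer mentions). The `SAMPLE_DOC` credentials document below is constructed for the offline demo; the `--demo` flag, the five-minute refresh margin and the `amazon/aws-cli` test container are this example's own choices, not anything the page describes.

```python
"""Forward the EC2 instance role's temporary credentials into a container.

Added example: reads /latest/meta-data/iam/security-credentials/<role> via
IMDSv2, maps the document to the env vars the AWS SDKs read, and passes them
to `docker run -e ...` so nothing is written into the image.
"""
import json
import subprocess
import sys
import urllib.request
from datetime import datetime, timedelta, timezone

IMDS = "http://169.254.169.254"

# Field names are those of the metadata credentials document; the values on
# the right are the environment variables the AWS SDKs and CLI read.
ENV_MAP = {
    "AccessKeyId": "AWS_ACCESS_KEY_ID",
    "SecretAccessKey": "AWS_SECRET_ACCESS_KEY",
    "Token": "AWS_SESSION_TOKEN",
}

# Constructed sample of a credentials document (values are fake) for --demo.
SAMPLE_DOC = """{
  "Code" : "Success",
  "LastUpdated" : "2024-05-01T06:31:05Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAEXAMPLEKEY000000",
  "SecretAccessKey" : "exampleSecretKey",
  "Token" : "exampleSessionToken",
  "Expiration" : "2024-05-01T12:34:56Z"
}"""


def imds_get(path, token_ttl=21600, timeout=2):
    """GET a metadata path with an IMDSv2 session token (PUT token first)."""
    req = urllib.request.Request(
        f"{IMDS}/latest/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": str(token_ttl)})
    with urllib.request.urlopen(req, timeout=timeout) as r:
        token = r.read().decode()
    req = urllib.request.Request(
        f"{IMDS}{path}", headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(req, timeout=timeout) as r:
        return r.read().decode()


def fetch_role_credentials():
    """Return the raw credentials JSON for the instance's attached IAM role."""
    base = "/latest/meta-data/iam/security-credentials/"
    role = imds_get(base).strip().splitlines()[0]
    return imds_get(base + role)


def parse_credentials(doc):
    """Validate a credentials document and map it to SDK environment names."""
    data = json.loads(doc)
    if data.get("Code") != "Success":
        raise RuntimeError(f"metadata service returned Code={data.get('Code')!r}")
    env = {ENV_MAP[k]: data[k] for k in ENV_MAP}
    # Expiration is passed along so the process inside can see when the
    # rotated credentials stop working (botocore reads this variable).
    env["AWS_CREDENTIAL_EXPIRATION"] = data["Expiration"]
    return env


def _parse_ts(value):
    """Parse the metadata service's UTC timestamp format, e.g. 2024-05-01T12:34:56Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def needs_refresh(expiration, now=None, margin=timedelta(minutes=5)):
    """True if the credentials expire within `margin` (now may be a datetime or a Z timestamp)."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_ts(now)
    return now >= _parse_ts(expiration) - margin


def docker_env_args(env):
    """Build the `-e NAME=value` arguments for docker run; nothing touches the image."""
    args = []
    for name, value in env.items():
        args += ["-e", f"{name}={value}"]
    return args


if __name__ == "__main__":
    demo = "--demo" in sys.argv
    env = parse_credentials(SAMPLE_DOC if demo else fetch_role_credentials())
    if needs_refresh(env["AWS_CREDENTIAL_EXPIRATION"]):
        print("warning: credentials expire within 5 minutes; re-run to pick up the rotated set",
              file=sys.stderr)
    cmd = ["docker", "run", "--rm", *docker_env_args(env),
           "amazon/aws-cli", "sts", "get-caller-identity"]
    if demo:
        print(" ".join(cmd))          # demo: show the command, do not run docker
    else:
        sys.exit(subprocess.run(cmd).returncode)
```

Run it with `--demo` off the instance to see the generated command; on an EC2 instance it launches the container with the live credentials. Because the role credentials are rotated, a long-running container started this way will eventually hold an expired set, so either restart it before `Expiration` (the script warns when that is within five minutes) or prefer giving the container a route to the metadata service, as the answer suggests, so the SDK can refresh on its own.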
