Reputation: 4228
Running the following docker command on mac works, and on linux, running ubuntu, it cannot find the aws cli credentials. It returns the following message:
Unable to locate credentials
Completed 1 part(s) with ... file(s) remaining
The command runs an image, mounts a data volume, then copies a file from an s3 bucket and starts the bash shell in the docker container.
sudo docker run -it --rm -v ~/.aws:/root/.aws username/docker-image sh -c 'aws s3 cp s3://bucketname/filename.tar.gz /home/emailer && cd /home/emailer && tar zxvf filename.tar.gz && /bin/bash'
What am I missing here?
This is my Dockerfile:
FROM ubuntu:latest
#install node and npm
RUN apt-get update && \
    apt-get -y install curl && \
    curl -sL https://deb.nodesource.com/setup | sudo bash - && \
    apt-get -y install python build-essential nodejs
#install and set-up aws-cli
RUN sudo apt-get -y install \
    git \
    nano \
    unzip && \
    curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip" && \
    unzip awscli-bundle.zip
RUN sudo ./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws
# Provides cached layer for node_modules
ADD package.json /tmp/package.json
RUN cd /tmp && npm install
RUN mkdir -p /home/emailer && cp -a /tmp/node_modules /home/emailer/
Upvotes: 21
Views: 47107
Reputation: 4182
Another case of Unable to locate credentials inside docker running on an ec2 with the right IAM profile was due to metadata HTTP tokens being required.
When checking the iam security-credentials metadata endpoint, it would return 401:
curl -I http://169.254.169.254/latest/meta-data/iam/security-credentials/
python
import requests
requests.get('http://169.254.169.254/latest/meta-data/iam/security-credentials/')
You're meant to pass a token, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-v2-how-it-works.html
Otherwise set the http token as optional in the instance metadata options config
Upvotes: 1
Reputation: 9
You just have to pass the credential in order to be the AWS_PROFILE, if you do not pass anything it will use the default, but if you want you can copy the default and add your desired credentials.
In your credentials:
[profile_dev]
aws_access_key_id = xxxxxxxxxxxxxxxxxxxxxxxx
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
output = json
region = eu-west-1
In your docker-compose:
version: "3.8"
services:
  cenas:
    container_name: cenas_app
    build: .
    ports:
      - "8080:8080"
    environment:
      - AWS_PROFILE=profile_dev
    volumes:
      - ~/.aws:/app/home/.aws:ro
Upvotes: 0
Reputation: 16570
Mounting $HOME/.aws/ into the container should work. Make sure to mount it as read-only.
It is also worth mentioning, if you have several profiles in your ~/.aws/config -- you must also provide the AWS_PROFILE=somethingsomething environment variable. E.g. via docker run -e AWS_PROFILE=xxx ... otherwise you'll get the same error message (unable to locate credentials).
Update: Added example of the mount command
docker run -v ~/.aws:/root/.aws …
Upvotes: 24
Reputation: 195
The only solution that worked for me in this case is:
volumes:
  - ${USERPROFILE}/.aws:/root/.aws:ro
Upvotes: 8
Reputation: 13280
The issue I had was that I was running Docker as root. When running as root it was unable to locate my credentials at ~/.aws/credentials, even though they were valid.
Directions for running Docker without root on Ubuntu are here: https://askubuntu.com/a/477554/85384
Upvotes: 1
Reputation: 326
You can use environment variables instead of copying the ~/.aws/credentials and config files into the container for aws-cli:
docker run \
    -e AWS_ACCESS_KEY_ID=AXXXXXXXXXXXXE \
    -e AWS_SECRET_ACCESS_KEY=wXXXXXXXXXXXXY \
    -e AWS_DEFAULT_REGION=us-west-2 \
    <img>
Ref: AWS CLI Doc
Upvotes: 8
Reputation: 219
There are a few things that could be wrong. One, as mentioned previously you should check if your ~/.aws/config file is set accordingly. If not, you can follow this link to set it up. Once you have done that you can map the ~/.aws folder using the -v flag on docker run.
If your ~/.aws folder is mapped correctly, make sure to check the permissions on the files under ~/.aws so that they are able to be accessed safely by whatever process is trying to access them. If you are running as the user process, simply running chmod 444 ~/.aws/* should do the trick. This will give full read permissions to the file. Of course, if you want write permissions you can add whatever other modifiers you need. Just make sure the read octal is flipped for your corresponding user and/or group.
Upvotes: 2
Reputation: 628
What do you see if you run
ls -l ~/.aws/config
within your docker instance?
Upvotes: 7
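The checks the answers above keep returning to (keys passed with -e, the mount target versus the container user's home, file readability, and AWS_PROFILE) are collected here into one diagnostic script, as an added example that is not from any of the posts. It covers only these sources, not the CLI's full lookup chain, and the names diagnose, sample_home and SAMPLE are hypothetical.

```python
import configparser
import os
import tempfile
from pathlib import Path

# Constructed sample: one named profile and no [default], with placeholder values.
SAMPLE = "[profile_dev]\naws_access_key_id = EXAMPLEKEYID\naws_secret_access_key = EXAMPLESECRET\n"


def sample_home():
    """Create a throwaway home directory containing .aws/credentials (constructed)."""
    home = Path(tempfile.mkdtemp())
    (home / ".aws").mkdir()
    (home / ".aws" / "credentials").write_text(SAMPLE)
    return home


def diagnose(env, home):
    """Return (ok, reason) for the credential sources discussed in this thread."""
    # Keys passed with `docker run -e ...` are used before any mounted file.
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return True, "static keys present in environment variables"
    # The file is looked up under the home of the user inside the container,
    # so a mount to /root/.aws only helps a process that runs as root.
    # AWS_SHARED_CREDENTIALS_FILE is the CLI's path override (not used in the thread).
    path = Path(env.get("AWS_SHARED_CREDENTIALS_FILE") or Path(home) / ".aws" / "credentials")
    if not path.is_file():
        return False, f"{path} not found: check the -v target against this user's home"
    if not os.access(path, os.R_OK):
        return False, f"{path} is not readable by the current user"
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(path)
    profile = env.get("AWS_PROFILE", "default")
    if not parser.has_section(profile):
        return False, f"profile '{profile}' not in {path}; available: {parser.sections()}"
    section = parser[profile]
    if not (section.get("aws_access_key_id") and section.get("aws_secret_access_key")):
        return False, f"profile '{profile}' has no static key pair"
    return True, f"profile '{profile}' found in {path}"  # key values are never printed


if __name__ == "__main__":
    ok, reason = diagnose(os.environ, Path.home())
    print("OK" if ok else "FAIL", "-", reason)
```

Run it inside the container, as the same user that runs the aws command, so that the home directory and environment match what the CLI sees.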