Reputation: 629
I built a Dockerfile and a docker-compose.yml file to import the environment. The environment looks like this:
AWS_ACCESS_KEY_ID=XXX
AWS_SECRET_ACCESS_KEY=XXX
ROLE_ARN=XXX
BUCKET_NAME=BUCKET
AWS_PROFILE=default
AWS_SDK_LOAD_CONFIG=1
AWS_SHARED_CREDENTIALS_FILE=[path]
AWS_CONFIG_FILE=[path]
AWS_REGION=region
When I tried to upload a file to S3, it worked perfectly when I ran that Docker container on my PC using docker-compose up,
but whenever I ran it on Fargate, I got this error:
Error [CredentialsError]: Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1
at Request.extractError (/home/myuser/node_modules/aws-sdk/lib/protocol/query.js:50:29)
at Request.callListeners (/home/myuser/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
at Request.emit (/home/myuser/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
at Request.emit (/home/myuser/node_modules/aws-sdk/lib/request.js:683:14)
at Request.transition (/home/myuser/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/home/myuser/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /home/myuser/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/home/myuser/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/home/myuser/node_modules/aws-sdk/lib/request.js:685:12)
at Request.callListeners (/home/myuser/node_modules/aws-sdk/lib/sequential_executor.js:116:18)
at Request.emit (/home/myuser/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
at Request.emit (/home/myuser/node_modules/aws-sdk/lib/request.js:683:14)
at Request.transition (/home/myuser/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/home/myuser/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /home/myuser/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/home/myuser/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/home/myuser/node_modules/aws-sdk/lib/request.js:685:12)
at Request.callListeners (/home/myuser/node_modules/aws-sdk/lib/sequential_executor.js:116:18)
at callNextListener (/home/myuser/node_modules/aws-sdk/lib/sequential_executor.js:96:12)
at IncomingMessage.onEnd (/home/myuser/node_modules/aws-sdk/lib/event_listeners.js:307:13)
at IncomingMessage.emit (events.js:322:22)
at IncomingMessage.EventEmitter.emit (domain.js:482:12) {
code: 'CredentialsError',
time: 2020-06-11T12:47:25.609Z,
requestId: '0d6fd3d4-df21-4195-a6e4-de470006429d',
statusCode: 403,
retryable: false,
retryDelay: 80.8300420619739,
originalError: {
message: 'Could not load credentials from ChainableTemporaryCredentials',
code: 'CredentialsError',
time: 2020-06-11T12:47:25.609Z,
requestId: '0d6fd3d4-df21-4195-a6e4-de470006429d',
statusCode: 403,
retryable: false,
retryDelay: 80.8300420619739,
originalError: {
message: 'Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1',
code: 'CredentialsError',
time: 2020-06-11T12:47:25.609Z,
requestId: '0d6fd3d4-df21-4195-a6e4-de470006429d',
statusCode: 403,
retryable: false,
retryDelay: 80.8300420619739,
originalError: [Object]
}
}
}
Here is a part of my code for the credentials:
const AWS = require('aws-sdk');
const s3 = new AWS.S3();

// Static credentials read from AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY
var envCreds = new AWS.EnvironmentCredentials('AWS');
s3.config.credentials = envCreds;
// Immediately replaced by temporary credentials obtained by assuming ROLE_ARN
s3.config.credentials = new AWS.ChainableTemporaryCredentials({
  params: {
    RoleArn: process.env.ROLE_ARN,
    region: process.env.AWS_REGION
  }
});
I need to switch roles. I have tried using SharedIniFileCredentials but no luck; I always got AccessDenied.
I used console.log to log the credentials; the only difference is that region was set to ap-northeast-1 on Fargate while it was undefined locally. Since the bucket and Fargate are on the same server, I really can't find out where this region comes from and how it matters.
Is this a bug, or was I wrong somewhere? Why did it run fine on my PC but not on Fargate? Is that because of an environment conflict in Fargate? I have been stuck with this for days; any help will be appreciated. Thanks.
Edit: I figured it out, thanks to @Marcin. You should not set any credentials or role in a Docker container running in a Fargate task. You need to create a task role with enough AWS permissions and assign it to the task. When I ran locally, the code assumed the default profile with the role ARN, so it worked fine.
Again, don't commit any credentials to your code.
Upvotes: 0
Views: 4014
Reputation: 238687
Based on the comments.
A proposed solution to the authentication issues is to use IAM Roles for Tasks, instead of hard-coding access and secret keys into the code or passing them as env variables.
The use of task roles is in line with AWS good practice of not hard-coding any credentials and using temporary credentials instead:
With IAM roles for Amazon ECS tasks, you can specify an IAM role that can be used by the containers in a task. Applications must sign their AWS API requests with AWS credentials, and this feature provides a strategy for managing credentials for your applications to use, similar to the way that Amazon EC2 instance profiles provide credentials to EC2 instances.
Upvotes: 3
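As an added example (not code from the question or the answer), the following Node script audits an ECS task definition for the anti-pattern discussed above, static AWS keys passed as container environment variables, and builds a least-privilege policy for the task role. The task definitions, the role ARN and the bucket name are constructed placeholders.

```javascript
// Added example, not code from the question or the answer. It audits an ECS
// task definition for static AWS keys in the container environment and builds
// a least-privilege policy for the task role. Task definitions, role ARN and
// bucket name are constructed placeholders.
const STATIC_CRED_VARS = new Set([
  'AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_SESSION_TOKEN',
  'AWS_SHARED_CREDENTIALS_FILE', 'AWS_PROFILE',
]);

// Returns findings; an empty list means the task relies on its task role.
function auditTaskDefinition(taskDef) {
  const findings = [];
  if (!taskDef.taskRoleArn) {
    findings.push('no taskRoleArn: containers cannot obtain role credentials');
  }
  for (const c of taskDef.containerDefinitions || []) {
    for (const { name } of c.environment || []) {
      // Environment credentials precede the ECS container provider in the
      // SDK v2 default chain, so they silently win even with a role attached.
      if (STATIC_CRED_VARS.has(name)) {
        findings.push(`container "${c.name}" sets ${name}; remove it so the SDK uses the task role`);
      }
    }
  }
  return findings;
}

// Least-privilege policy for the task role: upload-only, one bucket.
function minimalUploadPolicy(bucket) {
  return { Version: '2012-10-17', Statement: [{ Effect: 'Allow',
    Action: ['s3:PutObject'], Resource: `arn:aws:s3:::${bucket}/*` }] };
}

// Constructed "before": keys passed as env variables, no role attached.
const BEFORE = { family: 'uploader', containerDefinitions: [{
  name: 'app', image: 'uploader:1', environment: [
    { name: 'AWS_ACCESS_KEY_ID', value: 'XXX' },
    { name: 'AWS_SECRET_ACCESS_KEY', value: 'XXX' },
    { name: 'BUCKET_NAME', value: 'BUCKET' }] }] };

// Constructed "after": same container, keys removed, task role attached.
const AFTER = { family: 'uploader',
  taskRoleArn: 'arn:aws:iam::123456789012:role/uploader-task-role', // placeholder
  containerDefinitions: [{ name: 'app', image: 'uploader:1',
    environment: [{ name: 'BUCKET_NAME', value: 'BUCKET' }] }] };

console.log(auditTaskDefinition(BEFORE)); // three findings
console.log(auditTaskDefinition(AFTER));  // []
```

Once the task role is attached and the static variables are gone, the SDK's default provider chain picks up the role credentials from the ECS container credentials endpoint without any explicit configuration in the application code.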