Reputation: 3867
I need to mount ~/.aws/credentials onto my docker container, and I have this semi-working but it's too permissive right now. I have some control over the docker container, but it is primarily managed by aws-mwaa-local-runner and I'm trying to change it as little as possible. The user that aws-mwaa-local-runner uses in the container is airflow, group: airflow.
My ~/.aws/credentials is owned by user <my username>, and group: <my company name>. I don't think I should mess with the ownership or group of this file, but if anyone thinks otherwise, lmk. The host I'm running this all from is an EC2 instance which is used for development.
I have successfully got things to work as expected when I change the permissions via chmod 644 on ~/.aws/credentials, but this feels overly permissive on the off chance some other user is able to ssh onto my box.
I've seen relevant posts like this: how to get aws credentials from host workstation, inside docker container
But it doesn't look like I can run as root (at least not easily, and we have tried to avoid this).
The runner is using Docker compose if that helps:
volumes:
- "${PWD}/dags:/usr/local/airflow/dags"
- "${PWD}/plugins:/usr/local/airflow/plugins"
- "${PWD}/requirements:/usr/local/airflow/requirements"
- "${PWD}/startup_script:/usr/local/airflow/startup"
- "~/.aws/credentials:/usr/local/airflow/.aws/credentials:ro"
And for context, yes, I know that I can also just use environment variables and pass them through via AWS_SESSION_TOKEN, AWS_SECRET_KEY_ID etc, but I'm dealing with short-lived credentials here that expire after an hour and we have processes that refresh the credentials periodically and stick them in ~/.aws/credentials so I am trying to use that over using the env variables (which would contain expired credentials after an hour with our current setup).
Also, I know that I could also make a copy of ~/.aws/credentials and then change the permissions on that before mounting it on the docker container, but it would kind of defeat the point because the system we have for updating ~/.aws/credentials would not sync the changes to the temp file that we're mounting to the docker container.
Any help would be appreciated!
Upvotes: 2
Views: 79
Reputation: 676
The easiest way to resolve this is to get the docker container running with your uid:gid mapped the same inside the container. And then you can docker run --user and its equivalents.
If the above is not feasible, with sudo access, switch to root and use a docker exec -u 0 shell to get a root shell. That should get rid of all perm issues :D
If rootless, I guess the only option would be to copy it and mount it using a mount type that would always reflect changes in the host directory to the container. Make the copy into a job that works off filesystem events.
Upvotes: 1
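The answer's first suggestion (run the container as the host user's uid:gid so the file can stay 0600) worked out as an added shell example; this is not code from the question, the answer, or aws-mwaa-local-runner. It assumes GNU or BSD `stat` on the host, uses `local-runner` as a placeholder service name (the runner's real compose service name is not on the page), and keeps the container path from the volume line in the question.

```shell
#!/bin/sh
# Added example (not from the original post or answer).
# Keep ~/.aws/credentials at mode 0600 on the host and still let the container
# read it by running the service as the host owner's uid:gid via compose's
# `user:` key, instead of opening the file up with chmod 644.
#
# Assumptions not stated on the page: GNU or BSD `stat` is available;
# "local-runner" is a placeholder service name; the in-container path matches
# the question's volume line.

# Print "uid:gid" of a file's owner. GNU stat uses -c, BSD/macOS stat uses -f.
owner_ids() {
    if stat -c '%u:%g' "$1" >/dev/null 2>&1; then
        stat -c '%u:%g' "$1"
    else
        stat -f '%u:%g' "$1"
    fi
}

# Succeed only if the "other" class has no read bit, i.e. the file was NOT
# made world-readable with chmod 644. Used as a guard before starting the runner.
not_world_readable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1")
    other=$(printf '%s' "$mode" | tail -c 1)
    [ $(( other & 4 )) -eq 0 ]
}

# Emit a compose override that runs the service as the given uid:gid and mounts
# the credentials file read-only. Save it as docker-compose.override.yml (or
# pass it with -f) so the runner's own compose file stays untouched.
compose_override() {
    ids=$1
    service=$2
    cat <<EOF
services:
  $service:
    user: "$ids"
    volumes:
      - "\${HOME}/.aws/credentials:/usr/local/airflow/.aws/credentials:ro"
EOF
}

# Refuse to generate the override if the credentials file is world-readable;
# otherwise print an override that runs the service as the file owner's uid:gid.
generate_override() {
    creds=$1
    service=$2
    if ! not_world_readable "$creds"; then
        echo "refusing: $creds is world-readable; use chmod 600 $creds instead" >&2
        return 1
    fi
    compose_override "$(owner_ids "$creds")" "$service"
}
```

Usage: `generate_override ~/.aws/credentials local-runner > docker-compose.override.yml`, then start the runner as usual. Because the file is mounted rather than copied, the host-side refresh job keeps updating what the container sees. One caveat to check against the image: overriding `user:` means processes no longer run as the image's airflow user, so anything in the entrypoint that relies on that user's home directory or ownership of `/usr/local/airflow` needs to be verified, and files the container writes to the other bind mounts will be owned by your host uid.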