amazon-ecs-agent

Allow alternate credential profiles to be specified

Open dunka opened this issue 2 years ago • 6 comments

Summary

The ecs-agent uses the "default" profile from root and does not provide an option to specify an alternative.

Description

In some cases credentials are present under an alternate profile name in the root credentials file (/root/.aws/credentials). It would be great if we could pass a config flag to use an alternate profile name.

This seems like it should be a straightforward feature, changing the hardcoded https://github.com/aws/amazon-ecs-agent/blob/master/agent/credentials/providers/rotating_shared_credentials_provider.go#L48 to read from a config option and of course updating the bits around reading and passing around the option from the ecs.config.

It could default to "default" to ensure existing users don't have to change anything.

dunka avatar Jun 04 '22 00:06 dunka

Hello, thanks for opening this issue, I can confirm that specifying a custom profile for the SSM agent (via https://github.com/aws/amazon-ssm-agent#config-property-definitions) will cause problems since we hardcoded this cred provider to use "default".

To solve this we would need to add a config var called something like ECS_EXTERNAL_CREDENTIAL_PROFILE="default"

sparrc avatar Jun 06 '22 23:06 sparrc

If the hardcoded default profile is removed, the SharedCredentialsProvider will honor the standard AWS_PROFILE environment variable, or it will choose "default" if not set. AWS_PROFILE can be set in /etc/ecs/ecs.config

https://github.com/aws/amazon-ecs-agent/pull/3326

sunds avatar Aug 03 '22 17:08 sunds

https://github.com/aws/amazon-ecs-agent/pull/3360 <- I did a quick rebase of your 3326 PR against the head of dev and am running functional tests. Even with the assurance that the SDK will assume 'default' we'll still want to build in a config var to make sure this is always set.

fierlion avatar Aug 25 '22 19:08 fierlion

--- FAIL: TestGMSAWithS3CredentialSpec (35.31s)
--- FAIL: TestV3TaskEndpointDefaultMode (356.62s)
--- FAIL: TestEnvFilePrecedence2EnvFiles (326.54s)
--- FAIL: TestEnvFilePrecedenceTaskDefEnvironment (56.01s)

This failed a subset of Windows functional tests.

I'll work out a revision with the config var and run the tests again.

fierlion avatar Aug 25 '22 22:08 fierlion

Thanks for this. Your approach is the better one.

sunds avatar Aug 26 '22 15:08 sunds

Note the above change was merged and will go out with the next release. Will close this ticket once the release is completed.

fierlion avatar Aug 29 '22 21:08 fierlion

Hi,

Since this has been released, I am closing the issue. Kindly reopen if the issue persists.

Thanks

ubhattacharjya avatar Nov 02 '22 23:11 ubhattacharjya
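
Added example, not part of the thread and not the agent's own code: a Go sketch of the profile selection discussed above, showing which section of the shared credentials file ends up being used. The setting name is the one proposed in the thread; the precedence (explicit setting, then AWS_PROFILE, then "default"), the function names and the sample file are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strings"
)

// Constructed sample of /root/.aws/credentials; key IDs are placeholders.
const sampleCreds = "[default]\naws_access_key_id = AKIAEXAMPLEDEFAULT\n" +
	"[ssm-hybrid]\naws_access_key_id = AKIAEXAMPLEHYBRID\n"

// resolveProfile: explicit agent setting (name proposed in the thread, assumed
// here), then AWS_PROFILE, then "default" so existing hosts keep working.
func resolveProfile(getenv func(string) string) string {
	for _, k := range []string{"ECS_EXTERNAL_CREDENTIAL_PROFILE", "AWS_PROFILE"} {
		if v := strings.TrimSpace(getenv(k)); v != "" {
			return v
		}
	}
	return "default"
}

// accessKeyID returns the key ID stored under profile. A missing profile is an
// error: it never falls back to another section's credentials.
func accessKeyID(credFile, profile string) (string, error) {
	section := ""
	sc := bufio.NewScanner(strings.NewReader(credFile))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		if line[0] == '[' && strings.HasSuffix(line, "]") {
			section = strings.TrimSpace(line[1 : len(line)-1])
			continue
		}
		kv := strings.SplitN(line, "=", 2)
		if section == profile && len(kv) == 2 && strings.TrimSpace(kv[0]) == "aws_access_key_id" {
			return strings.TrimSpace(kv[1]), nil
		}
	}
	return "", fmt.Errorf("no aws_access_key_id for profile %q", profile)
}

func main() {
	p := resolveProfile(os.Getenv)
	id, err := accessKeyID(sampleCreds, p)
	fmt.Println("profile:", p, "key id:", id, "err:", err)
}
```

Logging the resolved profile name and key ID (never the secret) at startup makes it easy to confirm on a host that the agent is not silently running with the "default" credentials.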