Prioritize SSM creds for Linux
Summary
In a Linux environment the credentials priority is:
- Env vars (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY).
- Shared credentials file.
- EC2 role credentials.
- Rotating shared credentials file located at /rotatingcreds/credentials.
When the ECS Agent (in the case of ECS Anywhere) is installed on an EC2 instance of another AWS account with an IAM Role attached, EC2 Role credentials are prioritized over rotating credentials, which means SSM Agent credentials won't be used. As there is no way to change the credentials providers' priority, it's not possible to make the ECS Agent use SSM Agent rotating credentials. It makes usage of ECS Anywhere hardly possible when the external instance is part of another AWS Account with EC2 IAM Role credentials attached. It may not be possible to modify the EC2 Role credentials due to policies in the external AWS Account.
It makes sense to prioritize rotating credentials over EC2 Role credentials in case the ECS Agent is installed on an external instance. Please note, similar behavior is implemented for Windows: https://github.com/aws/amazon-ecs-agent/blob/b702281f0f6aa2fba5614050769aa337d1456853/ecs-agent/credentials/instancecreds/instancecreds_windows.go#L54
Alternatively, it would be great if the credentials providers' priority could be re-configured by an additional config variable.
Implementation details
In a Linux environment, when the ECS_EXTERNAL variable is set to true, RotatingSharedCredentialsProvider is prioritized over EC2RoleProvider so that SSM Agent credentials are prioritized over EC2 Role credentials.
Testing
New tests cover the changes: no
Description for the changelog
Prioritize RotatingSharedCredentialsProvider over EC2RoleProvider instance credentials provider for external instances in Linux
Licensing
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
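The provider-chain ordering the summary and implementation details describe, as an added Go example that is not the ECS Agent's own code: a minimal first-success credentials chain with a parser for the shared/rotating INI file, where BuildChain moves the rotating file ahead of the EC2 role only when ECS_EXTERNAL is true. ProviderFunc, ParseSharedCredentials, Resolve and ResolveOnHost are names chosen for this example, and every key value and file body is constructed; the real agent uses the aws-sdk provider types instead.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// Credentials is the minimal shape the agent needs; Source records which provider won.
type Credentials struct{ AccessKeyID, SecretAccessKey, Source string }

// Provider plays the role of an aws-sdk credentials provider: the first success wins.
type Provider interface{ Retrieve() (Credentials, error) }

// ProviderFunc adapts a closure (env lookup, IMDS call, file read) into a Provider.
type ProviderFunc func() (Credentials, error)

func (f ProviderFunc) Retrieve() (Credentials, error) { return f() }

var errNoCreds = errors.New("no credentials available")

// ParseSharedCredentials reads the [default] profile of an INI-style credentials file,
// the format shared by the static file and the rotating file at /rotatingcreds/credentials.
func ParseSharedCredentials(text, source string) (Credentials, error) {
	creds, inDefault := Credentials{Source: source}, false
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "[") {
			inDefault = line == "[default]"
			continue
		}
		kv := strings.SplitN(line, "=", 2)
		if len(kv) != 2 || !inDefault {
			continue
		}
		switch strings.TrimSpace(kv[0]) {
		case "aws_access_key_id":
			creds.AccessKeyID = strings.TrimSpace(kv[1])
		case "aws_secret_access_key":
			creds.SecretAccessKey = strings.TrimSpace(kv[1])
		}
	}
	if creds.AccessKeyID == "" || creds.SecretAccessKey == "" {
		return Credentials{}, errNoCreds
	}
	return creds, nil
}

// BuildChain fixes the lookup order. With external == true (ECS_EXTERNAL=true) the rotating
// file is consulted before the EC2 role, so a role attached to the host no longer shadows
// the SSM Agent credentials; otherwise the existing Linux order from the summary stands.
func BuildChain(external bool, env, shared, ec2Role, rotating Provider) []Provider {
	if external {
		return []Provider{env, shared, rotating, ec2Role}
	}
	return []Provider{env, shared, ec2Role, rotating}
}

// Resolve returns credentials from the first provider in the chain that has them.
func Resolve(chain []Provider) (Credentials, error) {
	for _, p := range chain {
		if c, err := p.Retrieve(); err == nil {
			return c, nil
		}
	}
	return Credentials{}, errNoCreds
}

// ResolveOnHost models the host from the summary: no env vars, no static shared file,
// an IAM role attached, and an SSM rotating file present. Every value is constructed.
func ResolveOnHost(external bool) (Credentials, error) {
	env := ProviderFunc(func() (Credentials, error) { return Credentials{}, errNoCreds })
	shared := ProviderFunc(func() (Credentials, error) { return Credentials{}, errNoCreds })
	ec2Role := ProviderFunc(func() (Credentials, error) {
		return Credentials{AccessKeyID: "ASIAROLEEXAMPLE", SecretAccessKey: "role-secret", Source: "EC2RoleProvider"}, nil
	})
	rotating := ProviderFunc(func() (Credentials, error) {
		file := "[default]\naws_access_key_id = ASIASSMEXAMPLE\naws_secret_access_key = ssm-secret\n"
		return ParseSharedCredentials(file, "RotatingSharedCredentialsProvider")
	})
	return Resolve(BuildChain(external, env, shared, ec2Role, rotating))
}

func main() {
	for _, external := range []bool{false, true} {
		c, err := ResolveOnHost(external)
		fmt.Printf("ECS_EXTERNAL=%v -> source=%s key=%s err=%v\n", external, c.Source, c.AccessKeyID, err)
	}
}
```

Running it shows the behaviour the summary complains about and the fix: with the default order the EC2 role wins even though the SSM rotating file is present, and with ECS_EXTERNAL=true the rotating credentials are returned instead. Keeping the Source field in the result is useful operationally, since it lets the agent log which provider actually supplied the credentials when a task unexpectedly runs under the wrong identity.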
Thanks for the contribution @sidlovskyy . I see that this change was made for Windows in https://github.com/aws/amazon-ecs-agent/pull/3184. I am trying to find out why Linux was not considered in-scope at that time.
I talked to some folks about this. We don't have a good reason as to why #3184 did not make the same change for Linux. It makes sense for the instance credentials fetch logic to be platform agnostic.
Thank you, should I update the PR to include a platform-agnostic instancecreds.go that is the same as the existing Windows implementation?
Hey @amogh09 and all, @sidlovskyy has sadly moved on from this project, but my team is still interested in this. Any updates?