
Unable to pass the credentials to docker inside docker

Open shardulsrivastava opened this issue 4 years ago • 4 comments

What happened: I'm running a pod with a service account (annotated with a role). Inside the pod these environment variables are mounted:

  • AWS_WEB_IDENTITY_TOKEN_FILE
  • AWS_REGION
  • AWS_ROLE_ARN

Inside the pod, when I'm trying to run a docker command like this:

docker run --rm \
    -e AWS_WEB_IDENTITY_TOKEN_FILE \
    -e AWS_REGION \
    -e AWS_ROLE_ARN \
    -v "/var/run/secrets/eks.amazonaws.com/serviceaccount/token:/var/run/secrets/eks.amazonaws.com/serviceaccount/token" \
    node:10.13-alpine \
    sh -c "sls deploy"

it is unable to use these credentials; it looks like this path can't be mounted correctly:

/var/run/secrets/eks.amazonaws.com/serviceaccount/token

What you expected to happen: docker command on the pod should run successfully.

How to reproduce it (as minimally and precisely as possible): Follow this to set up an EKS IAM service account and then run the above docker run command.

Anything else we need to know?:

Environment:

  • AWS Region: ap-southeast-1
  • EKS Platform version (if using EKS, run aws eks describe-cluster --name <name> --query cluster.platformVersion): eks.9
  • Kubernetes version (if using EKS, run aws eks describe-cluster --name <name> --query cluster.version): 1.14
  • Webhook Version:

shardulsrivastava avatar Mar 21 '20 18:03 shardulsrivastava

Are you running a docker daemon inside your pod or using the host's docker?

micahhausler avatar Apr 02 '20 21:04 micahhausler

@micahhausler I'm using the host docker.

shardulsrivastava avatar Apr 03 '20 07:04 shardulsrivastava

I'm also trying to get containers to "inherit" the IAM roles of the pods they're running in. @shardulsrivastava did you happen to find a way to accomplish this?

Edit for anyone who comes across this: I'm fairly sure it didn't work the last time I tried a few months ago, but it seems that docker run -v "${AWS_WEB_IDENTITY_TOKEN_FILE}:${AWS_WEB_IDENTITY_TOKEN_FILE}" -e AWS_ROLE_ARN -e AWS_DEFAULT_REGION -e AWS_WEB_IDENTITY_TOKEN_FILE does the trick now :+1:

soulshake avatar Jul 09 '21 15:07 soulshake

I wasn't able to mount the AWS_WEB_IDENTITY_TOKEN_FILE file because of the directory structure it has. AWS_WEB_IDENTITY_TOKEN_FILE is a symlink and docker does not follow them during the mount. So I ended up copying the AWS_WEB_IDENTITY_TOKEN_FILE token into the docker image during the build and then passing the AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN environment variables to the container.

jradikk avatar Nov 18 '21 13:11 jradikk
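As an added example that is not part of the thread: a small POSIX shell wrapper that takes the route soulshake and jradikk describe without copying the token into an image layer. It resolves the projected-token symlink chain to the regular file behind it, bind-mounts that file read-only at the path AWS_WEB_IDENTITY_TOKEN_FILE already names, and passes the IRSA variables through. It assumes the daemon that receives docker run can see the pod's filesystem at the resolved path (bind-mount sources are resolved by the daemon, so with the host's daemon, as in the original report, the pod-side path must also exist on the host); the run_with_irsa and resolve_token_file names are the example's own.

```shell
#!/bin/sh
# Added example (not from the issue thread): resolve the IRSA token symlink to
# the regular file behind it and bind-mount that file read-only into the inner
# container, instead of baking the token into an image at build time.
# Assumes the docker daemon can see the pod's filesystem at the resolved path.
set -eu

# kubelet publishes projected tokens as a symlink chain:
#   token -> ..data/token -> ..<timestamp>/token
# Follow the chain and print the regular file at its end; fail otherwise.
resolve_token_file() {
  real_path="$(readlink -f "$1")" || return 1
  if [ ! -f "$real_path" ] || [ -L "$real_path" ]; then
    echo "error: $1 does not resolve to a regular file" >&2
    return 1
  fi
  printf '%s\n' "$real_path"
}

# Run an image with the pod's web-identity credentials: the resolved token is
# mounted read-only at the path AWS_WEB_IDENTITY_TOKEN_FILE already names, so
# the SDK inside the container finds it without any change to the image.
run_with_irsa() {
  token_path="${AWS_WEB_IDENTITY_TOKEN_FILE:?AWS_WEB_IDENTITY_TOKEN_FILE is not set}"
  : "${AWS_ROLE_ARN:?AWS_ROLE_ARN is not set}"
  real_path="$(resolve_token_file "$token_path")"
  docker run --rm \
    -v "$real_path:$token_path:ro" \
    -e AWS_WEB_IDENTITY_TOKEN_FILE \
    -e AWS_ROLE_ARN \
    -e AWS_REGION \
    "$@"
}

# Example invocation (requires a reachable docker daemon):
#   run_with_irsa node:10.13-alpine sh -c "sls deploy"
```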