amazon-ecs-local-container-endpoints icon indicating copy to clipboard operation
amazon-ecs-local-container-endpoints copied to clipboard

Published 20 hours ago verified publisher icon awslabs

Cannot get role credentials

Open rsamf opened this issue 3 years ago • 1 comments

Endpoint /creds works just fine, but when I try to use /role/<role name> like it says in this guide, the ecs-local-endpoints container keeps responding with the error:

ecs-local-endpoints_1  | time="2021-12-02T21:21:07Z" level=error msg="HTTP 500 - InvalidClientTokenId: The security token included in the request is invalid\n\tstatus code: 403, request id: 080b81eb-c67d-4b47-932f-276bb9c1d480"

See my docker-compose.override.yml:

version: "2"
networks:
    # This special network is configured so that the local metadata
    # service can bind to the specific IP address that ECS uses
    # in production
    credentials_network:
        driver: bridge
        ipam:
            config:
                - subnet: "169.254.170.0/24"
                  gateway: 169.254.170.1
services:
    # This container vends credentials to your containers
    ecs-local-endpoints:
        # The Amazon ECS Local Container Endpoints Docker Image
        image: amazon/amazon-ecs-local-container-endpoints:1.4.0-amd64
        volumes:
          # Mount /var/run so we can access docker.sock and talk to Docker
          - /var/run:/var/run
          # Mount the shared configuration directory, used by the AWS CLI and AWS SDKs
          # On Windows, this directory can be found at "%UserProfile%\.aws"
          - $HOME/.aws/:/home/.aws/
        environment:
          # define the home folder; credentials will be read from $HOME/.aws
          HOME: "/home"
          # You can change which AWS CLI Profile is used
          AWS_PROFILE: "default"
        networks:
            credentials_network:
                # This special IP address is recognized by the AWS SDKs and AWS CLI 
                ipv4_address: "169.254.170.2"
                
    # Here we reference the application container that we are testing
    # You can test multiple containers at a time, simply duplicate this section
    # and customize it for each container, and give it a unique IP in 'credentials_network'.
    app:
        depends_on:
            - ecs-local-endpoints
        networks:
            credentials_network:
                ipv4_address: "169.254.170.3"
        environment:
          AWS_DEFAULT_REGION: "us-gov-west-1"
          AWS_CONTAINER_CREDENTIALS_RELATIVE_URI: "/role/test-role"

Extra info: I'm operating with an assumed role session principal. I.e., when I get my caller identity on the host, I get:

$ aws sts get-caller-identity
{
    "UserId": "XXXXXXXXXX",
    "Account": "XXXXXXXXXX",
    "Arn": "arn:aws-us-gov:sts::XXXXXXXXXX:assumed-role/PowerUsers/XXXXXXXXXX"
}

rsamf avatar Dec 02 '21 21:12 rsamf

Hey, any updates about this, aws team? This is great tool but if you don't maintain it, the effort building it will lose.

javiortizmol avatar Jan 07 '22 02:01 javiortizmol