yas3fs

IAM Roles for Tasks

Open ollietreend opened this issue 7 years ago • 13 comments

Hi,

I'm planning to use yas3fs inside a docker container, which will be run on top of an ECS cluster. I can see from the README that yas3fs supports IAM Roles for EC2. Whilst I'm not familiar with IAM Roles for EC2, I know that there is an equivalent for docker containers running in ECS – namely IAM Roles for Tasks.

From reading the docs, it looks like there are some differences between the two implementations which means that the AWS credentials have to be retrieved slightly differently. Therefore, the existing support for IAM roles which is baked into yas3fs is not compatible with the ECS implementation of IAM roles.

As a workaround I have considered implementing the retrieval of the AWS credentials in my init script, prior to starting yas3fs. In essence, my plan would be to retrieve the credentials, from which I will be able to pass them in as regular AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables – and yas3fs would work as normal.

However, the problem I'm coming up against is the fact that the AWS credentials supplied by IAM Roles are temporary, and will expire after just a few hours. Therefore, I would have to implement some mechanism to kill and restart my yas3fs process with renewed AWS credentials, prior to the old credentials expiring. This additional management overhead will be clunky and reliant on another process to 'remember' to refresh the credentials – it would be much simpler and less error-prone for this to be baked into yas3fs.

Are there any plans to add support for IAM Roles for Tasks?

If not, do you have any suggestions for other workarounds? Unless I can figure something out, I'll have to end up resorting to using long-lived IAM users rather than the magic of IAM roles.

Thanks

ollietreend, Oct 05 '16 16:10
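
The retrieval and expiry problem described in the issue above, as an added example that is not part of the original post and is not yas3fs code: a small cache that reads task-role credentials from the ECS container credentials endpoint and re-fetches them before they expire, so the process never needs restarting. It assumes the documented ECS mechanism (the `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` variable and the `169.254.170.2` endpoint); the class and function names, the five-minute margin, the timestamp format and the sample document are constructed for illustration.

```python
import json
import os
import urllib.request
from datetime import datetime, timedelta, timezone

ECS_CREDS_HOST = "http://169.254.170.2"  # link-local address served by the ECS agent
REQUIRED = {"AccessKeyId", "SecretAccessKey", "Token", "Expiration"}

# Constructed sample of the endpoint's JSON response (placeholder values only).
SAMPLE_DOC = {"AccessKeyId": "ASIAEXAMPLEKEYID", "SecretAccessKey": "example-secret",
              "Token": "example-session-token", "Expiration": "2016-10-05T22:10:00Z"}

def fetch_ecs_credentials():
    """Fetch the task role's credential document from inside the container."""
    rel = os.environ["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"]  # injected by ECS
    with urllib.request.urlopen(ECS_CREDS_HOST + rel, timeout=2) as resp:
        return json.load(resp)

def parse_expiration(value):
    # Assumes the "YYYY-MM-DDTHH:MM:SSZ" UTC form shown in SAMPLE_DOC.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

class TaskRoleCredentials:
    """Caches task-role credentials and re-fetches them shortly before expiry."""

    def __init__(self, fetch=fetch_ecs_credentials, margin=timedelta(minutes=5),
                 now=lambda: datetime.now(timezone.utc)):
        self.fetch, self.margin, self.now = fetch, margin, now
        self.doc, self.expires, self.refreshes = None, None, 0

    def get(self):
        """Return (access_key, secret_key, token), refreshing when needed."""
        if self.doc is None or self.now() >= self.expires - self.margin:
            doc = self.fetch()
            missing = REQUIRED - doc.keys()
            if missing:
                raise ValueError("credential document lacks %s" % sorted(missing))
            expires = parse_expiration(doc["Expiration"])
            if expires <= self.now():
                raise ValueError("endpoint returned already-expired credentials")
            # Replace the cached values only after the new document validated.
            self.doc, self.expires = doc, expires
            self.refreshes += 1
        return self.doc["AccessKeyId"], self.doc["SecretAccessKey"], self.doc["Token"]

if __name__ == "__main__":
    creds = TaskRoleCredentials(fetch=lambda: SAMPLE_DOC,
                                now=lambda: datetime(2016, 10, 5, 16, 10, tzinfo=timezone.utc))
    print(creds.get()[0], creds.expires.isoformat())
```

The session token has to be sent along with the key pair on every request, and none of the three values should be written to logs or to disk.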