get AWS credentials from within ECS container to make AWS API calls

Question

Hi team,

My application runs on ECS fargate.

This application uses some AWS clients for services such as S3, SES, SQS, SNS...

These services are accessed by my application through

accessKeyId and secretAccessKey credentials (for MyappIamUser), which are configured as secret environment variables on my ECS container (read from secret manager ).

My app needs to be migrated to another AWS account where I cannot create any IAM user.

How can my application running on ECS fargate get credentials to access AWS services via clients: S3, SES, SQS, SNS ...?

can I use this : https://www.npmjs.com/package/@aws-sdk/credential-providers ?

fromContainerMetadata ()

thank you.

Accepted Answer

Please take a look at this document - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html

It is the recommended way using IAM roles rather than passing AWS user credentials to your containers directly

Answer

[ECS task role](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html) can be used instead of the referenced npm module as it provides benefits like credential isolation, Authorization, Audability

Answer

You should consider using ECS task role instead of embedding keys as environment variables, which is not secured and hard to manage.

get AWS credentials from within ECS container to make AWS API calls

Relevanter Inhalt