By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

get AWS credentials from within ECS container to make AWS API calls

0

Hi team,

My application runs on ECS fargate.

This application uses some AWS clients for services such as S3, SES, SQS, SNS...

These services are accessed by my application through

accessKeyId and secretAccessKey credentials (for MyappIamUser), which are configured as secret environment variables on my ECS container (read from secret manager ).

My app needs to be migrated to another AWS account where I cannot create any IAM user.

How can my application running on ECS fargate get credentials to access AWS services via clients: S3, SES, SQS, SNS ...?

can I use this : https://www.npmjs.com/package/@aws-sdk/credential-providers ?

fromContainerMetadata ()

thank you.

Topics
ServerlessContainersMicroservicesSecurity, Identity, & Compliance
Tags
AWS FargateAmazon Elastic Container ServiceContainersMicroservicesIAM Policies
Language
English
Jess
asked 2 years ago4696 views
3 Answers
3
Accepted Answer

Please take a look at this document - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html

It is the recommended way using IAM roles rather than passing AWS user credentials to your containers directly

profile pictureAWS
EXPERT
Indranil Banerjee AWS
answered 2 years ago
profile pictureAWS
EXPERT
Chris_G
reviewed 2 years ago
0

You should consider using ECS task role instead of embedding keys as environment variables, which is not secured and hard to manage.

rePost-User-2063218
answered 2 years ago
0

ECS task role can be used instead of the referenced npm module as it provides benefits like credential isolation, Authorization, Audability

profile pictureAWS
EXPERT
PiyushMattoo
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content