By using AWS re:Post, you agree to the Terms of Use
/Docker is not able to pick IAM role when running on EC2 instance/

Docker is not able to pick IAM role when running on EC2 instance


I am using below code to publish message to SNS.

AmazonSNSclient snsClient=null;
snsClient.publish(topicAr,"Sample SNS Message");

This code is inside a java servlet and it's war is deployed using docker on EC2 instance. The issue is docker is unable to pick the IAM role from Ec2 instance hence failing to publish a message to SNS

Background: When I am running the above code via EC2 instance terminal, I am able to publish message. But When I am putting this code in java servlet based application and deploying the war of it on Docker, It is not able to publish the message because it is not getting IAM role.

Error message is in the screen short.

1 Answers

This is most likely related to security feature around the EC2 metadata services. By default only the EC2 instance itself can query it as our hop limit (time to live) is set to 1. When you run an application inside a Docker daemon on Linux you are adding a hop (Docker bridge etc. add routing element to the traffic flow, aka a hop causing the time to live value to be decreased by one). You need to change the Metadata Response Hop limit to 2 on your EC2 instances. More information here. Note: The EC2 instance role would be accessible by all the containers running on this instance.

As a side note, have you considered using Elastic Container Services to run your Linux containers? Then you wouldn't need to maintain the Docker and related settings your self. The containers could get individually assigned IAM roles instead of using the EC2 instance role.

answered 3 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions