Docker is not able to pick up the IAM role when running on an EC2 instance
I am using the code below to publish a message to SNS.
import com.amazonaws.services.sns.AmazonSNS;
import com.amazonaws.services.sns.AmazonSNSClientBuilder;

// No explicit credentials: the default provider chain is expected to find the instance role via IMDS
AmazonSNS snsClient = AmazonSNSClientBuilder.standard().withRegion("us-east-2").build();
snsClient.publish(topicArn, "Sample SNS Message"); // topicArn: the SNS topic ARN, defined elsewhere in the servlet
This code is inside a Java servlet, and its WAR is deployed with Docker on an EC2 instance. The issue is that Docker is unable to pick up the IAM role from the EC2 instance, so it fails to publish a message to SNS.
Background: When I run the above code from the EC2 instance terminal, I am able to publish a message. But when I put this code in a Java servlet-based application and deploy its WAR on Docker, it is not able to publish the message because it is not getting the IAM role.
The error message is in the screenshot: https://i.stack.imgur.com/kdIfd.png
This is most likely related to a security feature of the EC2 instance metadata service. By default only the EC2 instance itself can query it, as the hop limit (time to live) is set to 1. When you run an application inside a Docker daemon on Linux you are adding a hop (the Docker bridge etc. adds a routing element to the traffic flow, i.e. a hop, which causes the time-to-live value to be decreased by one). You need to change the metadata response hop limit to 2 on your EC2 instances. More information here. Note: the EC2 instance role would then be accessible by all the containers running on this instance.
As a side note, have you considered using Elastic Container Service to run your Linux containers? Then you wouldn't need to maintain Docker and the related settings yourself. The containers could get individually assigned IAM roles instead of using the EC2 instance role.
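The diagnosis and fix described in the answer above, as an added example that is not part of the original question or answer. It reproduces the two requests the AWS SDK makes against IMDS (a PUT for an IMDSv2 token, then a GET of the role credentials) from inside a throwaway container, classifies the outcome, and applies the hop-limit change with the AWS CLI. It assumes the AWS CLI v2, curl and docker are installed on the instance; REGION and INSTANCE_ID are placeholders you must set, and the curlimages/curl image is just a convenient way to run curl in a container.

```shell
#!/bin/sh
# Added example, not from the original post: probe IMDS from a container and raise
# the PUT response hop limit. REGION and INSTANCE_ID below are placeholders.
IMDS_HOST="http://169.254.169.254"
REGION="${REGION:-us-east-2}"                      # placeholder (region used in the question)
INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"  # placeholder instance id

# Classify one IMDS probe. $1 = step (token|creds), $2 = curl exit code,
# $3 = HTTP status curl printed (000 when no response arrived).
# Pure function: the mapping can be checked without network access.
diagnose_imds() {
  case "$1/$2/$3" in
    */28/*)      echo "timeout: IMDS reply TTL expired crossing the Docker bridge; PUT response hop limit is probably 1" ;;
    token/0/200) echo "token-ok: IMDSv2 token issued inside the container" ;;
    token/0/403) echo "disabled: the instance metadata endpoint is turned off" ;;
    creds/0/200) echo "creds-ok: instance role credentials readable from the container" ;;
    creds/0/401) echo "unauthorized: token missing or expired (IMDSv2 required)" ;;
    creds/0/404) echo "no-role: no IAM role is attached to this instance" ;;
    *)           echo "unknown: step=$1 curl_exit=$2 http=$3" ;;
  esac
}

# Run the same two IMDS requests the SDK makes, from a throwaway container,
# so the hop added by the Docker bridge is part of the path.
probe_from_container() {
  # Step 1: PUT for an IMDSv2 token. --max-time keeps a hop-limit timeout short.
  out=$(docker run --rm curlimages/curl -s --max-time 3 -w '\n%{http_code}' \
        -X PUT "$IMDS_HOST/latest/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 60"); rc=$?
  http=$(printf '%s\n' "$out" | tail -n 1)
  token=$(printf '%s\n' "$out" | sed '$d')
  diagnose_imds token "$rc" "$http"
  [ "$rc" -eq 0 ] && [ "$http" = 200 ] || return 1

  # Step 2: GET the role name list with the token (what the credential provider reads).
  out=$(docker run --rm curlimages/curl -s --max-time 3 -o /dev/null -w '%{http_code}' \
        -H "X-aws-ec2-metadata-token: $token" \
        "$IMDS_HOST/latest/meta-data/iam/security-credentials/"); rc=$?
  diagnose_imds creds "$rc" "$out"
}

# Show the current metadata options (HttpPutResponseHopLimit is the value that matters).
show_metadata_options() {
  aws ec2 describe-instances --region "$REGION" --instance-ids "$INSTANCE_ID" \
    --query 'Reservations[0].Instances[0].MetadataOptions' --output table
}

# Raise the hop limit to 2 so the IMDSv2 reply survives the Docker bridge, keeping
# tokens required. Caveat from the answer: every container on this host can now use
# the instance role; ECS task roles give containers separate identities instead.
raise_hop_limit() {
  aws ec2 modify-instance-metadata-options --region "$REGION" --instance-id "$INSTANCE_ID" \
    --http-endpoint enabled --http-tokens required --http-put-response-hop-limit 2
}

main() {
  show_metadata_options
  probe_from_container && return 0   # already reachable; nothing to change
  raise_hop_limit
  probe_from_container               # should now report token-ok and creds-ok
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Invoke it on the instance as `sh imds_hop_check.sh --run` (file name is just a suggestion). A `timeout` diagnosis on the first probe with `token-ok`/`creds-ok` after `raise_hop_limit` confirms the hop limit was the cause; `no-role` means the instance profile itself is missing and the hop limit is not the problem.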