How to access environmental variables on a Fargate ECS Task as a non-root user?


In our docker file we specify a user using the USER directive as we'd like to run the task as a non-root user. As we understand this is common good practise. However, the enironmental variables set by Fargate are not visible to this user. How to resolve this?

2 Answers

The AWS documentation indicates that the environment variables are passed in through the docker run --env invocation. This leads me to believe that the answer to your question might be on the docker side.

I was looking for something similar and found this conversation, it may apply to your situation here:

Essentially, the USER directive is not expected to have an impact on which environment variables are accessible from the docker side.

Are you doing anything with sudo ?

profile picture
answered 2 years ago

As a general rule, the USER directive will not have any impact on your environment variables.

Environment variables in Linux are inherited by each process from its parent process. This happens automatically unless something specifically overrides this behavior.

Here are some things to check:

  • Have you confirmed that the environment variables are visible to the root user?
  • Are you (or the service you're starting) employing any special privilege dropping or security practices that might be intentionally filtering environment variables?
  • Are you following the "One Process per Container" best practice for Docker containers? (If not, this can make it harder to troubleshoot this kind of problem.)
  • In your Dockerfile, are you introducing any wrappers or startup commands that might be creating an overly-complex process tree? (This would increase the chances that some environment variables are being swallowed by a layer of indirection or security.)

If all else fails, run the container locally and inspect the process environments directly (on the host) by checking /proc/$PID/environ. You can see where the environment variables are getting stripped by looking in there.

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions