By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Different AWS CLI identity when running script via Java's Runtime.getRuntime() inside AWS ECS node that runs a Spring Boot app

0

I have the following setup:

  • A docker image on which Java 17 and AWS CLI v2 are installed.
  • The docker image also contains:
    • A Spring Boot app
    • A /test-identity.sh script that executes only aws sts get-caller-identity inside.
  • The image is deployed in AWS ECS and there is a task execution role and an EC2 instance role defined in IAM for the task and the service.

When I use the AWS SDK for Java within the Java code, then that is using the credentials of the task role, as expected.

I perform the following two tests:

  1. I SSH into the ECS node and I execute the following:

docker exec -it e15f498e4ca0 /bin/bash

/test-identity.sh

  1. I add some Java code in the Spring Boot like the following:

Runtime.getRuntime().exec("/bin/bash", "-lc", "/test-identity.sh")

The result of test #1 is different than #2. The output of test #1 gives me the service's task role (as exepcted) while the output of #2 gives me the EC2 instance role (not expected).

My goal is to make #2 output the task role too, since I want that script to use the same credentials as the Java code (when run via Java code).

Is this possible?

Topics
ComputeContainersSecurity, Identity, & ComplianceDevOps
Tags
Amazon EC2Amazon Elastic Container ServiceAWS IAM Identity CenterDevOps
Language
English
Meletis Margaritis
asked 7 months ago216 views
1 Answer
0

Hi,

You probably want to do 2 things to understand your situation:

Best,

Didier

profile pictureAWS
EXPERT
Didier_Durand
answered 7 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content