Docker containers seem to "inherit" the ec2 host instance profile. How?

We have a Docker container running on an EC2 host. Inside this Docker container we run some AWS CLI commands. We did not identify any AWS credentials in the container. This means that the container inherits the EC2 host's instance profile.

Is my assumption correct? If so, how exactly does the container inherit the instance profile credentials? Secondly (possibly related), what exactly does the AWS CLI do to get instance profile credentials? Does it call the metadata endpoint (169.254.169.254)? For example, if the credentials are taken from environment variables, the credentials are hardcoded and can be seen, but where are the credentials for the instance profile really stored?

+5
1 answer

Right, the credentials belong to the host machine. It gets them from the metadata endpoint, as you suspected.

One solution / workaround for narrower access is ec2metadataproxy. I haven't used it yet.

Unfortunately, access to the security group is also based on the host container.

+4
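
The following is an added example, not code from the question or answer above. It walks through the same sequence the AWS CLI/SDK performs to obtain instance profile credentials, so you can see why no credentials need to exist inside the container: the provider chain checks environment variables first and, finding none, falls back to the instance metadata service, which the container reaches simply because it shares the host's route to the link-local address 169.254.169.254. To keep it runnable offline, a tiny in-process mock of IMDSv2 stands in for the real endpoint; the mock, the role name `example-instance-role`, the token and the key values are all constructed here and are not real.

```python
"""Added example (not from the original post): the credential resolution
the AWS CLI/SDK performs, run against an in-process mock of IMDSv2 so it
works offline. The mock, role name and key values are all constructed."""
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

FAKE_TOKEN = "constructed-imdsv2-token"      # constructed, not a real token
FAKE_ROLE = "example-instance-role"          # constructed role name
FAKE_CREDS = {                                # constructed, not real keys
    "Code": "Success",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
    "SecretAccessKey": "example-secret",
    "Token": "example-session-token",
    "Expiration": "2099-01-01T00:00:00Z",
}


class MockImds(BaseHTTPRequestHandler):
    """Minimal IMDSv2 behaviour: PUT /latest/api/token issues a session
    token; every metadata GET must present it in X-aws-ec2-metadata-token."""

    def log_message(self, *_):  # keep the server quiet
        pass

    def _send(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        if (self.path == "/latest/api/token"
                and self.headers.get("X-aws-ec2-metadata-token-ttl-seconds")):
            self._send(200, FAKE_TOKEN)
        else:
            self._send(400, "bad token request")

    def do_GET(self):
        if self.headers.get("X-aws-ec2-metadata-token") != FAKE_TOKEN:
            self._send(401, "token required")  # IMDSv2-only: v1-style GETs fail
        elif self.path == "/latest/meta-data/iam/security-credentials/":
            self._send(200, FAKE_ROLE)
        elif self.path == f"/latest/meta-data/iam/security-credentials/{FAKE_ROLE}":
            self._send(200, json.dumps(FAKE_CREDS))
        else:
            self._send(404, "not found")


def start_mock_imds():
    """Serve the mock on a loopback port and return its base URL
    (the real service lives at http://169.254.169.254)."""
    srv = HTTPServer(("127.0.0.1", 0), MockImds)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"


def _http(method, url, headers, timeout=2):
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def fetch_imds_credentials(base_url):
    """The three-step exchange the CLI/SDK performs against IMDSv2:
    get a token, read the role name, read that role's temporary keys."""
    token = _http("PUT", base_url + "/latest/api/token",
                  {"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    hdr = {"X-aws-ec2-metadata-token": token}
    role = _http("GET", base_url + "/latest/meta-data/iam/security-credentials/", hdr).strip()
    creds = json.loads(_http(
        "GET", base_url + f"/latest/meta-data/iam/security-credentials/{role}", hdr))
    return {"method": "iam-role", "role": role, **creds}


def resolve_credentials(env, imds_base_url):
    """Simplified provider chain: environment variables win; otherwise fall
    back to the instance profile via IMDS. Returns None when IMDS is
    unreachable (e.g. blocked for the container), mirroring a CLI that
    finds no credentials at all."""
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return {"method": "env", "AccessKeyId": env["AWS_ACCESS_KEY_ID"],
                "SecretAccessKey": env["AWS_SECRET_ACCESS_KEY"],
                "Token": env.get("AWS_SESSION_TOKEN")}
    try:
        return fetch_imds_credentials(imds_base_url)
    except (OSError, ValueError):  # connection refused, timeout, HTTP error
        return None


if __name__ == "__main__":
    base = start_mock_imds()
    print(resolve_credentials({}, base))                 # instance profile keys
    print(resolve_credentials({}, "http://127.0.0.1:1"))  # unreachable -> None
```

The point to take from the mock is that nothing is "stored" in the container: the keys are short-lived and are handed out on request to anything that can reach the link-local address, which is why every process on the host and in its containers ends up with the host's role. The standard mitigations follow from that: require IMDSv2 and set the PUT response hop limit to 1 (`HttpTokens=required`, `HttpPutResponseHopLimit=1` in the instance's metadata options), which stops the token response from crossing a bridge network hop into the container, or front the endpoint with a proxy such as the ec2metadataproxy mentioned in the answer so each container is issued only the role it should have.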

Source: https://habr.com/ru/post/1243355/
