Cannot get role credentials #118

Open
rsamf opened this issue Dec 2, 2021 · 1 comment

rsamf commented Dec 2, 2021

Endpoint /creds works just fine, but when I try to use /role/<role name> like it says in this guide, the ecs-local-endpoints container keeps responding with the error:

ecs-local-endpoints_1  | time="2021-12-02T21:21:07Z" level=error msg="HTTP 500 - InvalidClientTokenId: The security token included in the request is invalid\n\tstatus code: 403, request id: 080b81eb-c67d-4b47-932f-276bb9c1d480"

See my docker-compose.override.yml:

version: "2"
networks:
    # This special network is configured so that the local metadata
    # service can bind to the specific IP address that ECS uses
    # in production
    credentials_network:
        driver: bridge
        ipam:
            config:
                - subnet: "169.254.170.0/24"
                  gateway: 169.254.170.1
services:
    # This container vends credentials to your containers
    ecs-local-endpoints:
        # The Amazon ECS Local Container Endpoints Docker Image
        image: amazon/amazon-ecs-local-container-endpoints:1.4.0-amd64
        volumes:
          # Mount /var/run so we can access docker.sock and talk to Docker
          - /var/run:/var/run
          # Mount the shared configuration directory, used by the AWS CLI and AWS SDKs
          # On Windows, this directory can be found at "%UserProfile%\.aws"
          - $HOME/.aws/:/home/.aws/
        environment:
          # define the home folder; credentials will be read from $HOME/.aws
          HOME: "/home"
          # You can change which AWS CLI Profile is used
          AWS_PROFILE: "default"
        networks:
            credentials_network:
                # This special IP address is recognized by the AWS SDKs and AWS CLI
                ipv4_address: "169.254.170.2"

    # Here we reference the application container that we are testing
    # You can test multiple containers at a time, simply duplicate this section
    # and customize it for each container, and give it a unique IP in 'credentials_network'.
    app:
        depends_on:
            - ecs-local-endpoints
        networks:
            credentials_network:
                ipv4_address: "169.254.170.3"
        environment:
          AWS_DEFAULT_REGION: "us-gov-west-1"
          AWS_CONTAINER_CREDENTIALS_RELATIVE_URI: "/role/test-role"

Extra info: I'm operating with an assumed role session principal. I.e., when I get my caller identity on the host, I get:

$ aws sts get-caller-identity
{
    "UserId": "XXXXXXXXXX",
    "Account": "XXXXXXXXXX",
    "Arn": "arn:aws-us-gov:sts::XXXXXXXXXX:assumed-role/PowerUsers/XXXXXXXXXX"
}
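To narrow down where the InvalidClientTokenId comes from, here is an added diagnostic (not part of this issue or of the amazon-ecs-local-container-endpoints project) that replays the step /role/<name> presumably performs: an sts:AssumeRole with the host profile's credentials, targeting the role in the caller's own partition. Assumptions: that the endpoint works this way; that the error is the one STS returns when credentials from one partition (here aws-us-gov, per the caller ARN above) are sent to another partition's STS endpoint, which can happen when the ecs-local-endpoints service has no region configured; the account id, region table and stub values are constructed.

```python
import re
# Constructed mapping for this example: a region whose STS endpoint accepts
# credentials from that partition (used when the configured region does not).
PARTITION_HOME_REGION = {"aws": "us-east-1", "aws-us-gov": "us-gov-west-1", "aws-cn": "cn-north-1"}
ARN_RE = re.compile(r"^arn:(?P<partition>[^:]+):(?P<service>[^:]*):(?P<region>[^:]*):"
                    r"(?P<account>[^:]*):(?P<resource>.+)$")

def parse_arn(arn):
    """Split an ARN into its colon-delimited fields."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an ARN: {arn!r}")
    return m.groupdict()

def partition_of_region(region):
    """Map a region name to its partition by prefix (aws-us-gov, aws-cn, aws)."""
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    if region.startswith("cn-"):
        return "aws-cn"
    return "aws"

def role_arn_for(caller_arn, role_name):
    """Role ARN in the caller's own partition and account (what /role/<name> must target)."""
    p = parse_arn(caller_arn)
    return f"arn:{p['partition']}:iam::{p['account']}:role/{role_name}"

def sts_region_for(caller_arn, preferred=None):
    """STS region in the caller's partition; a region from another partition (e.g.
    us-east-1 with GovCloud keys) yields InvalidClientTokenId, so it is replaced."""
    partition = parse_arn(caller_arn)["partition"]
    if preferred and partition_of_region(preferred) == partition:
        return preferred
    return PARTITION_HOME_REGION[partition]

def assume_role(caller_arn, role_name, sts_client, session_name="ecs-local-diag"):
    """Replay the AssumeRole step; sts_client only needs an assume_role() method."""
    resp = sts_client.assume_role(RoleArn=role_arn_for(caller_arn, role_name),
                                  RoleSessionName=session_name)
    creds = resp["Credentials"]
    return {"AccessKeyId": creds["AccessKeyId"], "Expiration": str(creds["Expiration"])}

def main(role_name="test-role"):
    import boto3  # imported here so the pure helpers above run without it
    ident = boto3.client("sts").get_caller_identity()  # works on the host per the issue
    region = sts_region_for(ident["Arn"], boto3.session.Session().region_name)
    sts = boto3.client("sts", region_name=region)  # boto3 resolves that partition's STS endpoint
    return assume_role(ident["Arn"], role_name, sts)

if __name__ == "__main__":
    print(main())
```

If this script succeeds on the host with the same profile the container mounts, the credentials and the role's trust policy are fine and the remaining difference is the region/endpoint the container uses; if it fails the same way, the problem is with the host credentials or the role itself.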
@javiortizmol

Hey, any updates about this, AWS team? This is a great tool, but if you don't maintain it, the effort of building it will be lost.
