
Running Container as non root user can't write to AWS config file #30

Closed
jrosco opened this issue Mar 13, 2023 · 3 comments

Comments

@jrosco
Member

jrosco commented Mar 13, 2023

When I try to execute any AWS CLI command as a non-root user while running the k8s-secret-updater, I encounter the error message [Errno 13] Permission denied: '/.aws'.

The application is currently using the following approach for EKS auth:

import subprocess as sp  # the subprocess module, aliased as sp in the codebase

eks_output = sp.getoutput(f"aws eks get-token --cluster-name {eks_cluster_id} --role {eks_assume_role_arn}")

However, running the application as a non-root user always results in a permission denied error. I have attempted to resolve this issue by setting the environment variable AWS_CONFIG_FILE=/tmp/aws_config and AWS_SHARED_CREDENTIALS_FILE=/tmp/aws_cred, but this did not work.

According to the AWS documentation, the AWS_CONFIG_FILE environment variable specifies the location of the file that the AWS CLI uses to store configuration profiles, and the default path is ~/.aws/config. However, it is not possible to specify this value in a named profile setting or by using a command line parameter.

I am a bit confused by the statement:

"You can't specify this value in a named profile setting or by using a command line parameter."

It may be necessary to update the Dockerfile to better support non-root user executions. Unless we can think of a better way.
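As an added example (not the project's code, and not from the commenter), here is a Python sketch of a non-root-safe version of that call: the AWS CLI config, credentials and its `~/.aws/cli/cache` directory are all redirected under one directory the process can write to (assumed here to be an emptyDir or `/tmp` mount), writability is checked up front so the failure is explicit rather than an opaque Errno 13, and the CLI is invoked with an argv list instead of a shell-interpolated string. The function names, the base directory and the use of the documented `--role-arn` flag are my assumptions.

```python
import json
import os
import subprocess
from pathlib import Path

def prepare_aws_env(base_dir, environ=None):
    """Build an environment for the AWS CLI whose config, credentials and
    role-credential cache all live under base_dir, a directory the non-root
    process can write to (e.g. an emptyDir mounted at /tmp/aws; assumption)."""
    env = dict(os.environ if environ is None else environ)
    base = Path(base_dir)
    # The CLI caches assumed-role credentials under ~/.aws/cli/cache, so the
    # cache only becomes writable when HOME itself points at a writable dir.
    (base / ".aws" / "cli" / "cache").mkdir(0o700, parents=True, exist_ok=True)
    env["HOME"] = str(base)
    env["AWS_CONFIG_FILE"] = str(base / ".aws" / "config")
    env["AWS_SHARED_CREDENTIALS_FILE"] = str(base / ".aws" / "credentials")
    return env


def check_writable(env):
    """Return the names of AWS CLI paths in env that the current user cannot
    write to; an empty list means the CLI will not hit 'Permission denied'."""
    problems = []
    for key in ("HOME", "AWS_CONFIG_FILE", "AWS_SHARED_CREDENTIALS_FILE"):
        p = Path(env[key])
        target = p if p.is_dir() else p.parent  # the files may not exist yet
        if not os.access(target, os.W_OK):
            problems.append(key)
    if not os.access(Path(env["HOME"]) / ".aws" / "cli" / "cache", os.W_OK):
        problems.append("cli-cache")
    return problems


def eks_token_argv(cluster_name, role_arn):
    """argv for `aws eks get-token`. A list rather than a formatted shell
    string, so the cluster name and role ARN are never parsed by a shell."""
    return ["aws", "eks", "get-token",
            "--cluster-name", cluster_name, "--role-arn", role_arn]


def get_eks_token(cluster_name, role_arn, env):
    """Fail early with a clear message instead of an opaque Errno 13 from the CLI."""
    problems = check_writable(env)
    if problems:
        raise PermissionError(f"AWS CLI paths not writable by this user: {problems}")
    result = subprocess.run(eks_token_argv(cluster_name, role_arn), env=env,
                            capture_output=True, text=True, check=True)
    return json.loads(result.stdout)["status"]["token"]
```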

@jrosco
Member Author

jrosco commented Mar 13, 2023

I've taken a look at the issue boto/boto3#2309 and found that there is currently no API for EKS get token. However, there is a py module for EKS get token located at https://pypi.org/project/eks-token/, as mentioned in this comment on the issue: boto/boto3#2309 (comment).

By using this py module, we could avoid the need to create a wrapped subprocess for the aws-cli command in our codebase. I plan to test this module and create a pull request if it proves helpful in allowing us to run containers as non-root users.

@jrosco
Member Author

jrosco commented Mar 13, 2023

This is an issue with the aws cache dir, not the aws config file.

jrosco added a commit to jrosco/charts that referenced this issue Mar 13, 2023
Add volume mount for the aws cache directory. This should fix an issue
when running aws-cli command and getting permission error when running
container as non root user.

See current issue here
fairfaxmedia/k8s-secret-updater#30
@jrosco
Member Author

jrosco commented Mar 14, 2023

fairfaxmedia/charts#72 will fix this issue

jrosco closed this as completed Mar 14, 2023
jrosco added a commit to fairfaxmedia/charts that referenced this issue Mar 28, 2023
Add volume mount for the aws cache directory. This should fix an issue
when running aws-cli command and getting permission error when running
container as non root user.

See current issue here
fairfaxmedia/k8s-secret-updater#30