- Overview
- Starting the ECS Server
- Environment variables
- Selecting a role via ECS Server
- Assuming a role via ECS Server
- Unloading role credentials
- Storing multiple roles at a time
- Authentication
- HTTPS Transport
## Overview

AWS provides the ability for ECS Tasks to assume an IAM role via an HTTP endpoint defined by the `AWS_CONTAINER_CREDENTIALS_FULL_URI` shell environment variable. `aws-sso` can serve that endpoint on your workstation, so any AWS SDK client pointed at it receives credentials for the role you have loaded.

All AWS SDK clients using the same ECS Server container credentials endpoint will use the same AWS IAM Role.
## Starting the ECS Server

The server runs in the foreground to make it easy to start via systemd and Docker.

```bash
aws-sso ecs run
```

will start the service on `localhost:4144`. For security purposes, the `aws-sso` ECS Server will only listen on localhost/127.0.0.1. You may select an alternative port via the `--port` flag or by setting the `AWS_SSO_ECS_PORT` environment variable.
## Environment variables

AWS clients and `aws-sso` should use:

```bash
AWS_CONTAINER_CREDENTIALS_FULL_URI=http://localhost:4144/creds
```

It is important not to set `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`: the AWS SDKs give it precedence over `AWS_CONTAINER_CREDENTIALS_FULL_URI`, and it is not compatible with `aws-sso`.
## Selecting a role via ECS Server

Before you can assume a role, you must select an IAM role for the `aws-sso` ECS server to present to clients.

```bash
aws-sso ecs load
```

will start the interactive profile selector. Alternatively, specify the `--profile` flag, or the `--account` and `--role` flags, to select the role on the command line.

Note: subsequent calls to `aws-sso ecs load` replace the current IAM Role for all AWS client SDKs using the server.
## Assuming a role via ECS Server

Ensure you have exported the following shell environment variable:

```bash
export AWS_CONTAINER_CREDENTIALS_FULL_URI=http://localhost:4144/creds
```

Then just:

```bash
aws sts get-caller-identity
```

should show that you are using the IAM Role you loaded into the ECS server process.

Since only one role can be loaded at any given time in the default slot, there may be times you would like to quickly determine the current role without making an IAM call:

```bash
aws-sso ecs profile
```

will return the currently loaded default profile.

## Unloading role credentials

If you would like to remove the default IAM Role credentials:

```bash
aws-sso ecs unload
```
## Storing multiple roles at a time

There may be cases where you would like to make multiple roles available at the same time without running multiple copies of the ECS server via `aws-sso ecs run`. Each role is stored in a unique named slot based on the `ProfileName`, which is set either via the `Profile` or the `ProfileFormat` configuration option.

Specify `aws-sso ecs load --slotted ...` and the individual role will be stored in its own named slot based on its profile name.

Accessing the individual credentials is done via the `profile` query parameter:

```bash
export AWS_CONTAINER_CREDENTIALS_FULL_URI=http://localhost:4144/creds?profile=ExampleProfileName
```

would use the `ExampleProfileName` role. Note that the `profile` parameter value must be URL-escaped.

To remove a specific IAM Role credential from a named slot in the ECS Server, you can use:

```bash
aws-sso ecs unload --profile <profile>
```
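The following Python is an added example, not code from the `aws-sso` project or from this page. It mirrors what an AWS SDK does against the endpoint described in the environment-variable and slotted-profile sections above: it builds the `AWS_CONTAINER_CREDENTIALS_FULL_URI` value with a URL-escaped `profile` query parameter, applies the SDK rule that `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` takes precedence over the full URI (which is why the page says not to set it), and parses the standard container credential provider JSON document that SDKs expect from such an endpoint. The response body is a constructed sample with placeholder values, and the function names (`container_credentials_url`, `credential_source`, `parse_container_credentials`, `fetch_credentials`) are chosen here for illustration.

```python
import json
from datetime import datetime, timezone
from urllib.parse import quote
from urllib.request import urlopen

DEFAULT_PORT = 4144  # default port used by `aws-sso ecs run`

# Constructed sample in the standard AWS container credential provider format.
# The values are placeholders, not real credentials.
SAMPLE_RESPONSE = json.dumps({
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
    "SecretAccessKey": "exampleSecretKeyExampleSecretKey",
    "Token": "exampleSessionToken",
    "Expiration": "2030-01-01T00:00:00Z",
})


def container_credentials_url(profile=None, port=DEFAULT_PORT):
    """Build the AWS_CONTAINER_CREDENTIALS_FULL_URI value for the local ECS server.

    A slotted profile is passed in the `profile` query parameter and must be
    URL-escaped, so spaces, slashes and colons in the profile name are quoted.
    """
    url = f"http://localhost:{port}/creds"
    if profile:
        url = f"{url}?profile={quote(profile, safe='')}"
    return url


def credential_source(env):
    """Mirror the AWS SDK lookup order for container credentials.

    A RELATIVE_URI wins over a FULL_URI and is resolved against the ECS agent
    address 169.254.170.2, so a stray RELATIVE_URI silently bypasses the
    aws-sso endpoint. Returns (source, url) or (None, None).
    """
    relative = env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
    if relative:
        return ("relative", "http://169.254.170.2" + relative)
    full = env.get("AWS_CONTAINER_CREDENTIALS_FULL_URI")
    if full:
        return ("full", full)
    return (None, None)


def parse_container_credentials(body, now=None):
    """Parse the container credential provider JSON and flag expired credentials."""
    doc = json.loads(body)
    creds = {
        "access_key_id": doc["AccessKeyId"],
        "secret_access_key": doc["SecretAccessKey"],
        "session_token": doc.get("Token"),
        "expired": False,
    }
    expiration = doc.get("Expiration")
    if expiration:
        # RFC 3339 timestamp; fromisoformat needs "+00:00" rather than "Z" on older Pythons.
        expires_at = datetime.fromisoformat(expiration.replace("Z", "+00:00"))
        if expires_at.tzinfo is None:
            expires_at = expires_at.replace(tzinfo=timezone.utc)
        now = now or datetime.now(timezone.utc)
        creds["expires_at"] = expires_at
        creds["expired"] = now >= expires_at
    return creds


def fetch_credentials(env, timeout=2.0):
    """Resolve the endpoint from the environment and fetch credentials from it.

    Needs a running `aws-sso ecs run` with a role loaded; not exercised offline.
    Refuses to proceed when the SDK would not actually use the FULL_URI.
    """
    source, url = credential_source(env)
    if source != "full":
        raise RuntimeError(f"expected AWS_CONTAINER_CREDENTIALS_FULL_URI to be used, got {source!r}")
    with urlopen(url, timeout=timeout) as resp:
        return parse_container_credentials(resp.read().decode("utf-8"))


if __name__ == "__main__":
    import os
    print(container_credentials_url("Example Profile/Admin"))
    print(credential_source(os.environ))
    print(parse_container_credentials(SAMPLE_RESPONSE))
```

Running the script with `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` set in the environment makes `credential_source` report `relative`, which is the quickest way to see why that variable has to be unset before an SDK will talk to the `aws-sso` endpoint.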
## Authentication

Support for `AWS_CONTAINER_AUTHORIZATION_TOKEN` is TBD. Until it lands, the endpoint answers unauthenticated requests, so any process that can reach the loopback port can retrieve the loaded credentials; treat the host's local users and processes as trusted accordingly.

## HTTPS Transport

Support for using HTTPS is TBD.