aws_config

Module ecs


Ecs Credentials Provider

This credential provider is frequently used with an AWS-provided credentials service (e.g. IAM Roles for tasks). However, it’s possible to use environment variables to configure this provider to use your own credentials sources.

This provider is part of the default credentials chain.

§Configuration

First: It will check the value of $AWS_CONTAINER_CREDENTIALS_RELATIVE_URI. It will use this to construct a URI rooted at http://169.254.170.2. For example, if the value of the environment variable was /credentials, the SDK would look for credentials at http://169.254.170.2/credentials.

Next: It will check the value of $AWS_CONTAINER_CREDENTIALS_FULL_URI. This specifies the full URL to load credentials from. The URL MUST satisfy one of the following properties:

  1. The URL begins with https.
  2. The URL refers to an allowed IP address. If the URL contains a domain name instead of an IP address, a DNS lookup will be performed. ALL resolved IP addresses MUST be allowed IP addresses, or the credentials provider will return CredentialsError::InvalidConfiguration. Allowed IP addresses are:
     a) Loopback interfaces
     b) The ECS Task Metadata V2 address, i.e. 169.254.170.2
     c) EKS Pod Identity addresses, i.e. 169.254.170.23 or fd00:ec2::23

Next: It will check the value of $AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE. If this is set, the filename specified will be read, and the value passed in the Authorization header. If the file cannot be read, an error is returned.

Finally: It will check the value of $AWS_CONTAINER_AUTHORIZATION_TOKEN. If this is set, the value will be passed in the Authorization header.
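The following is an added example, not code from aws-config, that implements the two URI rules described above: rooting a relative URI at 169.254.170.2, and accepting a full URI only when it uses https or points exclusively at allowed addresses. DNS is replaced by a caller-supplied resolver closure (an assumption made so the check runs offline), and every address that resolver returns must be allowed, mirroring the ALL-addresses rule.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

/// Base address of the ECS Task Metadata endpoint, as given on the page.
const ECS_METADATA_BASE: &str = "http://169.254.170.2";

/// Addresses that may be reached over plaintext http, per the module docs.
fn is_allowed_ip(ip: IpAddr) -> bool {
    ip.is_loopback()
        || ip == IpAddr::V4(Ipv4Addr::new(169, 254, 170, 2)) // ECS Task Metadata V2
        || ip == IpAddr::V4(Ipv4Addr::new(169, 254, 170, 23)) // EKS Pod Identity (IPv4)
        || ip == IpAddr::V6(Ipv6Addr::new(0xfd00, 0x0ec2, 0, 0, 0, 0, 0, 0x23)) // EKS Pod Identity (IPv6)
}

/// Extract the host from `scheme://[user@]host[:port]/path`, stripping IPv6 brackets.
fn host_of(url: &str) -> Option<&str> {
    let rest = url.split_once("://")?.1;
    let authority = rest.split(|c| c == '/' || c == '?' || c == '#').next()?;
    let authority = authority.rsplit_once('@').map_or(authority, |(_, h)| h);
    if let Some(stripped) = authority.strip_prefix('[') {
        return stripped.split_once(']').map(|(h, _)| h);
    }
    Some(authority.split(':').next().unwrap_or(authority))
}

/// Decide whether a `AWS_CONTAINER_CREDENTIALS_FULL_URI` value may be used.
/// `resolve` stands in for DNS (hypothetical hook, not part of aws-config); every
/// address it returns must be allowed, otherwise the URI is rejected.
fn validate_full_uri<R: Fn(&str) -> Result<Vec<IpAddr>, String>>(url: &str, resolve: R) -> Result<(), String> {
    if url.starts_with("https://") {
        return Ok(()); // TLS protects the Authorization header in transit
    }
    let host = host_of(url).ok_or_else(|| format!("malformed URI: {url}"))?;
    let ips = match host.parse::<IpAddr>() {
        Ok(ip) => vec![ip],        // literal IP: no lookup needed
        Err(_) => resolve(host)?,  // domain name: check every resolved address
    };
    if !ips.is_empty() && ips.iter().all(|ip| is_allowed_ip(*ip)) {
        Ok(())
    } else {
        Err(format!("InvalidConfiguration: {host} does not resolve only to allowed addresses"))
    }
}

/// Root `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` at the ECS metadata address.
fn relative_to_full(relative: &str) -> String {
    format!("{ECS_METADATA_BASE}{relative}")
}
```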

§Credentials Format

Credentials MUST be returned in a JSON format:

{
  "AccessKeyId" : "MUA...",
  "SecretAccessKey" : "/7PC5om....",
  "Token" : "AQoDY....=",
  "Expiration" : "2016-02-25T06:03:31Z"
}

Credentials errors MAY be returned with a code and message field:

{
  "code": "ErrorCode",
  "message": "Helpful error message."
}

Structs§