I’ve run into a frustrating edge case that I’m now having to either introduce custom logic to work around or solve properly.

I’m running a Django application inside a Docker container on EC2. I’m using an IAM role attached to the instance to grant it access to a particular S3 bucket and set of actions. This is all working well and I can confirm that Boto3 can authenticate using the IAM role and access the bucket as expected when Python is run directly on the instance.

However, when Python is running inside a Docker container on the same instance, Boto3 is unable to use that same implicit authentication strategy. I have configured the EC2 instance to use IMDSV2, required token auth and increased the allowed number of hops (currently 63 while I’m messing with this but ideally 2-3). What’s particularly odd is that I’m able to access the IMDSV2 endpoint and manually request a token from within the container using Curl or within Python using Requests and thread the token through to Boto and access the S3 bucket as desired.

The downside to manually fetching the token is that I need to implement my own caching/session refresh strategy or suffer the runtime burden of constantly requesting a new token. It’s also not entirely clear to me when the Boto3 session expires: is it when the IMDSV2 token expires or at some other arbitrary point?

So, before I implement a cache/retry strategy of my own, is there something obvious I’m missing here which should enable this all to work?

I’m using Boto3 1.34.146, Docker 27 and Docker Compose 2.29.1 and running on Ubuntu 22.04.3. Happy to provide any additional context or specifics.

2 Answers


  1. Make sure your Docker container can access the EC2 instance metadata by running the container with the host network mode.

    docker run --network host your_image
    
  2. You may be limited in the amount of hops you can make from the Docker container to the metadata host outside of your machine, check this:

    Using IMDS (v2) with token inside docker on EC2 or ECS

    To change the hop limit, you can use modify-instance-metadata-options in awscli:

    aws ec2 modify-instance-metadata-options \
        --instance-id <instance_id> \
        --http-put-response-hop-limit 2 \
        --http-endpoint enabled
    
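On the question's last point (whether the Boto3 session expires with the IMDSV2 token), here is an added example, not code from the thread or from botocore, that walks through the two-step IMDSv2 exchange against a constructed offline stand-in for the metadata service. The endpoint path and header names are the documented IMDSv2 ones; the `transport` callable, `FakeImds`, the sample role/credential values and the 15-minute refresh margin are assumptions of this example.

```python
import json
from datetime import datetime, timedelta

# Documented IMDSv2 endpoint and header names; everything else here is ours.
IMDS = "http://169.254.169.254"
TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
REFRESH_MARGIN = timedelta(minutes=15)  # assumed refresh window, our choice

def fetch_role_credentials(transport, token_ttl=21600):
    """Two-step IMDSv2 exchange: PUT for a session token, then GET the role
    name and its credentials with the token attached. `transport(method, url,
    headers)` is a hypothetical injectable HTTP callable returning body text."""
    token = transport("PUT", f"{IMDS}/latest/api/token",
                      {TOKEN_TTL_HEADER: str(token_ttl)})
    base = f"{IMDS}/latest/meta-data/iam/security-credentials/"
    role = transport("GET", base, {TOKEN_HEADER: token}).strip()
    creds = json.loads(transport("GET", base + role, {TOKEN_HEADER: token}))
    # Expiration is the credential lifetime, independent of the token TTL.
    creds["Expiration"] = datetime.fromisoformat(
        creds["Expiration"].replace("Z", "+00:00"))
    return creds

def needs_refresh(creds, now):
    """Refresh is driven by the credentials' Expiration, not by the IMDSv2
    token TTL; a token can be re-requested at any time with another PUT."""
    return creds["Expiration"] - now <= REFRESH_MARGIN

class FakeImds:
    """Constructed stand-in for 169.254.169.254 so the example runs offline.
    It enforces the token the way IMDSv2 does when tokens are required."""

    def __init__(self, expiration):
        self.expiration = expiration  # constructed ISO-8601 expiry string
        self.calls = []

    def __call__(self, method, url, headers):
        self.calls.append((method, url))
        if method == "PUT" and url.endswith("/latest/api/token"):
            if TOKEN_TTL_HEADER not in headers:
                raise ValueError("400: TTL header missing")
            return "constructed-token"
        if headers.get(TOKEN_HEADER) != "constructed-token":
            raise PermissionError("401: token required (IMDSv2 enforced)")
        if url.endswith("/security-credentials/"):
            return "my-app-role\n"
        return json.dumps({"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "x",
                           "Token": "y", "Expiration": self.expiration})
```

In production, botocore performs this same exchange and refresh itself once the container can reach the metadata endpoint, so the hop limit and network mode from the answers above are the fix, not a hand-rolled token cache.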