Amazon Web Services Question posted in
The official Amazon Web Services documentation can be found here.

Amazon web services – Using AWS credentials from OIDC provider inside a Docker container

I have a GitHub workflow, in which I am running a container, and in that container a set of tests that require access to private AWS S3. Trouble is, inside the container I am getting an error about missing credentials, while outside all is well.

Here’s how I configure the credentials:

    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v4
      with:
        role-to-assume: "arn:aws:iam::ACCOUNTID:role/MYROLE"
        aws-region: "us-east-1"

Now if I access my S3 bucket from the workflow, it works just fine:

    - name: Test S3 credentials
      run: aws s3 ls s3://misery/

However, the same within a Docker container will result in an error:

    - name: Run tests in Docker container
      run: docker run my-image /bin/bash -c "aws s3 ls s3://misery/"

Reading this SO post, I thought getting the credentials should happen automagically, but apparently I am missing something. Any clues?

Tags:

2

Answers


  1. Chosen as BEST ANSWER
    0

    Turns out one way to pass the credentials is pass them as environmental variables. The latter are produced by aws-actions/configure-aws-credentials@v4 and available under env.

    Example:

    - name: Run tests
  run: |
    docker run 
      -e AWS_ACCESS_KEY_ID=${{ env.AWS_ACCESS_KEY_ID }} 
      -e AWS_SECRET_ACCESS_KEY=${{ env.AWS_SECRET_ACCESS_KEY }} 
      -e AWS_SESSION_TOKEN=${{ env.AWS_SESSION_TOKEN }} 
      -e AWS_REGION="us-east-1" 
      run: docker run my-image /bin/bash -c "aws s3 ls s3://misery/"

    Importantly, this would NOT work:

    - name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v4
  with:
    role-to-assume: "arn:aws:iam::ACCOUNTID:role/MYROLE"
    aws-region: "REGION"
    output-credentials: true

- name: Run tests
  run: |
    docker run 
       -e AWS_ACCESS_KEY_ID=${{ steps.creds.outputs.aws-access-key-id }} 
       -e AWS_SECRET_ACCESS_KEY=${{ steps.creds.outputs.aws-secret-access-key }} 
       -e AWS_REGION="REGION" 
      run: docker run my-image /bin/bash -c "aws s3 ls s3://misery/"

    When printing steps.creds.outputs, it would come up empty.


  2. 0

    You can indeed use the aws-actions/configure-aws-credentials action with your AWS IAM ROLE, as it generates the following outputs automatically:

    • AWS ACCOUNT IT,
    • AWS ACCESS KEY ID,
    • AWS SECRET ACCESS KEY,
    • AWS SESSION TOKEN.

    Doing so, you can use those outputs as environment variables through the docker run command.

    Here is an example regarding how to achieve this by using outputs from the Configure aws credentials step (using the id aws-cred reference), in the Run tests step:

        - name: Configure aws credentials
      id: creds
      uses: aws-actions/configure-aws-credentials@v4
      with:
        role-to-assume: "arn:aws:iam::ACCOUNTID:role/MYROLE"
        aws-region: "us-east-1"
        output-credentials: true

    - name: Run tests
      run: |
         docker run 
         -e AWS_ACCESS_KEY_ID=${{ steps.creds.outputs.aws-access-key-id }} 
         -e AWS_SECRET_ACCESS_KEY=${{ steps.creds.outputs.aws-secret-access-key }} 
         -e AWS_SESSION_TOKEN=${{ steps.creds.outputs.aws-session-token }} 
         -e AWS_REGION="us-east-1" 
         my-image /bin/bash -c "aws s3 ls s3://misery/"
      shell: bash

    Note that if you are using a self hosted runner with AWS credentials already managed there, you can directly inform the environment variables from the Github Context. Example:

    - name: Run tests
  run: |
    docker run 
    -e AWS_ACCESS_KEY_ID=${{ env.AWS_ACCESS_KEY_ID }} 
    -e AWS_SECRET_ACCESS_KEY=${{ env.AWS_SECRET_ACCESS_KEY }} 
    -e AWS_SESSION_TOKEN=${{ env.AWS_SESSION_TOKEN }} 
    -e AWS_REGION="us-east-1" 
    my-image /bin/bash -c "aws s3 ls s3://misery/"
  shell: bash
    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search