Prioritize ssm creds for linux #4155
Conversation
… prioritized over EC2 instance role ones
|
Thanks for the contribution @sidlovskyy . I see that this change was made for Windows in #3184. I am trying to find out why Linux was not considered in-scope at that time. |
| // | ||
| // In the case of external instance `RotatingSharedCredentialsProvider` provider should be prioritized over | ||
| // `EC2RoleProvider` one as SSM credentials are going to be ignored in case agent is deployed to EC2 | ||
| // with instance role which doesn't have permissions needed to run ECS Agent | ||
| func GetCredentials(isExternal bool) *credentials.Credentials { |
There was a problem hiding this comment.
Looks like this change makes GetCredentials implementation for Linux identical to that of Windows. I think we should merge the two into a single instancecreds/instancecreds.go file.
There was a problem hiding this comment.
In the meanwhile I will reproduce this issue on my end. Once the PR is ready I can verify that the change works by testing it in the same environment.
There was a problem hiding this comment.
I was able to reproduce the issue on my end.
I talked to some folks about this. We don't have a good reason as to why #3184 did not make the same change for Linux. It makes sense for the instance credentials fetch logic to be platform agnostic. |
Thank you, should I update PR to include platform agnostic |
|
Hey @amogh09 and all guys - @sidlovskyy has sadly moved on from this project, but my team is still interested in this. Any updates? |
Summary
In Linux environment credentials priority is set to:
When ECS Agent (in case of ECS Anywhere) is installed on EC2 instance of other AWS account with IAM Role attached, EC2 Role credentials are prioritized over rotating credentials which means SSM Agent credentials won't be used.
As far as there is no way to change credentials providers priority it's not possible to make ECS Agent use SSM Agent rotating credentials. It makes usage of ECS Anywhere hardly possible when external instance is part of other AWS Account with EC2 IAM Role credentials attached. It may not be possible to modify EC2 Role credentials due to policies in external AWS Account.
It makes sense to prioritize rotating credentials over EC2 Role credentials in case ECS Agent is installed on external instance. Please note, similar behavior is implemented for Windows:
amazon-ecs-agent/ecs-agent/credentials/instancecreds/instancecreds_windows.go
Line 54 in b702281
Alternatively, it would be great if credentials providers priority could be re-configured by additional config variable.
Implementation details
In Linux environment when
ECS_EXTERNALvariable is set totrueRotatingSharedCredentialsProvideris prioritized overEC2RoleProviderso that SSM Agent credentials are prioritized over EC2 Role credentials.Testing
New tests cover the changes: no
Description for the changelog
Prioritize
RotatingSharedCredentialsProvideroverEC2RoleProviderinstance credentials provider for external instances in LinuxLicensing
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.