This git repo provides AWS CLI from PIP in a Docker container.
An updated version of this image is generally available within an hour or so after a new version of awscli becomes available. See below for more details.
Table of Contents
The AWS Command Line Interface (CLI) is a unified tool to manage your AWS services. With just one tool to download and configure, you can control multiple AWS services from the command line and automate them through scripts.
This repo provides a way to build AWS CLI into a docker image and run it as a container.
The repo is set up to install the software in a minimal image.
An unattended test harness runs the build script and runs acceptance tests. If all tests pass on master branch in the unattended test harness, it pushes the built images to the Docker hub.
We run a parameterized build on CircleCI once per hour. When there is a new version of awscli on pip, we build and publish a new image.
-
For issues with the Docker image build of this git repo: https://github.com/jumanjihouse/docker-aws/issues
-
For security issues with the upstream awscli: https://aws.amazon.com/security/contact/
To contribute enhancements to this repo, please see
CONTRIBUTING.md
in this repo.
These images are built as part of the test harness on CircleCI. If all tests pass on master branch, then the image is pushed into the docker hub.
docker pull jumanjiman/aws
The optimistic "latest" tag always points to the latest stable version.
In general, you should prefer to use a pessimistic (i.e., specific) tag.
We provide multiple tags:
- optimistic:
jumanjiman/aws:latest
- pessimistic:
jumanjiman/aws:<version>-<builddate>-git-<hash>
- unstable v2:
jumanjiman/aws:2.0.0dev0-<builddate>-git-<hash>
Example:
jumanjiman/aws:1.11.117-20170707T1040-git-ab34c6e
^^^^^^^^ ^^^^^^^^^^^^^ ^^^^^^^
| | |
| | +--> hash from this git repo
| |
| +-----------------> build date and time
|
+---------------------------> version of awscli
These tags allow to correlate any image to the application version, the build date and time, and the git commit from this repo that was used to build the image.
We push the tags automatically from the test harness, and
we occasionally delete old tags from the Docker hub by hand.
See https://hub.docker.com/r/jumanjiman/aws/tags/ for released tags.
Each built image has labels that generally follow http://label-schema.org/
We add a label, ci-build-url
, that is not currently part of the schema.
This extra label provides a permanent link to the CI build for the image.
View the ci-build-url label on a built image:
docker inspect \
-f '{{ index .Config.Labels "io.github.jumanjiman.ci-build-url" }}' \
jumanjiman/aws
Query all the labels inside a built image:
docker inspect jumanjiman/aws | jq -M '.[].Config.Labels'
See the official AWS CLI docs for how to persist configuration in a file. Otherwise, see below to use environment variables.
Interactively:
docker run --rm -it \
-e AWS_ACCESS_KEY_ID=<snip> \
-e AWS_SECRET_ACCESS_KEY=<snip> \
-e AWS_DEFAULT_REGION=us-west-2 \
--read-only \
--cap-drop all \
jumanjiman/aws ec2 describe-instances
As a simplification, add this to your ~/.bashrc
:
# Use a remote docker host.
export DOCKER_HOST='tcp://192.168.254.162:2375'
# Put your secrets in the redacted values.
export AWS_ACCESS_KEY_ID=redacted
export AWS_SECRET_ACCESS_KEY=redacted
export AWS_DEFAULT_REGION=redacted
function aws {
docker run --rm -it \
-e AWS_ACCESS_KEY_ID \
-e AWS_SECRET_ACCESS_KEY \
-e AWS_DEFAULT_REGION \
--read-only \
--cap-drop all \
jumanjiman/aws $@
}
Then source ~/.bashrc
and simply run aws <your args>
.
The above example uses --read-only
and --cap-drop all
as recommended by the
CIS Docker Security Benchmarks:
Build an image locally on a host with Docker:
# Latest stable version ("optimistic").
ci/build
# A specific version ("pessimistic").
VERSION='1.16.19' ci/build
# The unstable development version ("v2").
# https://aws.amazon.com/blogs/developer/aws-cli-v2-development/
VERSION='2.0.0dev0' ci/build
Run a container interactively from the built image:
docker run --rm -it jumanjiman/aws
See TESTING.md in this git repo.
All files in this repo are subject to LICENSE.md (also in this repo).