Access denied when using ECS task IAM role

[malekascha]

I'm using the sdk to interact with s3. I have my application running in a container on ECS. When I assign an IAM role directly to the task that my ruby app is running on, it fails to detect the credentials and I get an access denied whenever I try to use the s3 client. It works fine when I bind the role to the EC2 instance that it's running on.

[awood45]

The default credential provider chain forks between the ECS Credential Provider and the EC2 Credential Provider. If putting credentials on the instance fixed the issue, my suspicion is that the ENV variable isn't present in the container.

Can you double check that the credential provider feature flag is on?

On Oct 5, 2016, at 5:30 PM, Malek Ascha notifications@github.com wrote:

I'm using the sdk to interact with s3. I have my application running in a container on ECS. When I assign an IAM role directly to the task that my ruby app is running on, it fails to detect the credentials and I get an access denied whenever I try to use the s3 client. It works fine when I bind the role to the EC2 instance that it's running on.

―
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.

[malekascha]

How would I make sure that the flag is on? Is that something I would configure from the AWS console, or would it be in my Ruby code?

[awood45]

Documentation is here.

The SDK is looking for the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable. If you're able to use EC2 instance metadata credentials, then that ENV variable is not present.

[awood45]

Did this resolve your issue, or does the issue persist?

[malekascha]

Yes, it did. Thanks!