HENNGE / aiodynamo

Asynchronous, fast, pythonic DynamoDB Client
https://aiodynamo.readthedocs.io/

ECS Fargate Credentials Compatibility #150

Closed DustinMoriarty closed 1 year ago

DustinMoriarty commented 1 year ago

It appears that the way aiodynamo fetches credentials has fallen out of sync with the latest way that credentials are provided in ECS Fargate.

The library looks for the following environment variables.

AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
AWS_CONTAINER_CREDENTIALS_FULL_URI

However, this is what I actually see when I print the environment inside of a container.

"ECS_CONTAINER_METADATA_URI": "http://169.254.170.2/v3/58a828415a48478ab518d476a3a52074-450364491"
"ECS_CONTAINER_METADATA_URI_V4": "http://169.254.170.2/v4/58a828415a48478ab518d476a3a52074-450364491"
"HOSTNAME": "ip-10-0-75-52.ec2.internal"
"AWS_EXECUTION_ENV": "AWS_ECS_FARGATE"
"ECS_AGENT_URI": "http://169.254.170.2/api/58a828415a48478ab518d476a3a52074-450364491"

There is no AWS_CONTAINER_CREDENTIALS_FULL_URI or AWS_CONTAINER_CREDENTIALS_RELATIVE_URI. As a result, Credentials.auto() just fails outright. Given that running on ECS Fargate is probably one of the most common use cases for this library, I assume the goal is for this to work out of the box. I am currently working out exactly how to get it to work with a little customization for a workaround on my side. However, any pointers regarding what people are doing now could save me some time tonight as I work out what I need to override.

ojii commented 1 year ago

Interesting, we're running this on ECS Fargate and it appears to work. Do you have an IAM role associated with your fargate task?

DustinMoriarty commented 1 year ago

@ojii : Yes. However... face palm moment ... I forgot about the difference between the taskRole and the taskExecutionRole. Long story short I was looking at some examples within our own codebase that mixed these up in a way that confused what they are for. I thought I only needed the taskExecutionRole, but I guess I was wrong. I guess the taskRole is the one running inside the container and the taskExecutionRole is the one running in the underlying EC2 instance.

Sorry for the confusion. This can be closed. I got a good look at the credentials implementation in the meantime. It is very well designed as is the rest of this package.
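The thread above resolves to a configuration gap rather than a library bug: the ECS agent only injects AWS_CONTAINER_CREDENTIALS_RELATIVE_URI when the task has a taskRole, and the taskExecutionRole is never visible inside the container. The following preflight check is an added example written for this page; it is not aiodynamo's own code. It reproduces the environment from the issue (with the credential URI and the task-role variant constructed for illustration), resolves a relative URI against the link-local ECS credentials endpoint, which is the documented AWS behaviour, applies the same loopback / link-local restriction the AWS SDKs apply to an http full URI, and otherwise explains why a credential provider like Credentials.auto() has nothing to work with.

```python
"""Preflight diagnosis of ECS container credential configuration.

Constructed example: the function names, the Diagnosis dataclass and the
sample environments are assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import Mapping, Optional
from urllib.parse import urlparse

# The ECS agent serves task-role credentials from this link-local address;
# a relative URI is appended to it (documented AWS behaviour).
ECS_CREDENTIALS_HOST = "http://169.254.170.2"
# Hosts an http:// (non-TLS) full URI is permitted to point at, mirroring
# the restriction the AWS SDKs apply so credentials are never requested
# from an arbitrary network host in clear text.
ALLOWED_HTTP_HOSTS = {"127.0.0.1", "localhost", "169.254.170.2"}


@dataclass
class Diagnosis:
    status: str                 # "ok", "invalid", "no_task_role", "not_container"
    credentials_url: Optional[str]
    message: str


def diagnose_container_credentials(env: Mapping[str, str]) -> Diagnosis:
    """Explain what a container credential provider would do with `env`."""
    relative = env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
    full = env.get("AWS_CONTAINER_CREDENTIALS_FULL_URI")
    # Either marker tells us the ECS agent set up this container.
    on_ecs = (env.get("AWS_EXECUTION_ENV", "").startswith("AWS_ECS")
              or "ECS_CONTAINER_METADATA_URI" in env)

    if relative:
        if not relative.startswith("/"):
            return Diagnosis("invalid", None,
                             "RELATIVE_URI must be a path starting with '/'")
        return Diagnosis("ok", ECS_CREDENTIALS_HOST + relative,
                         "task role present; credentials served by the ECS agent")

    if full:
        parsed = urlparse(full)
        if parsed.scheme == "https" or (
                parsed.scheme == "http" and parsed.hostname in ALLOWED_HTTP_HOSTS):
            return Diagnosis("ok", full, "custom credential endpoint accepted")
        return Diagnosis("invalid", None,
                         f"FULL_URI host {parsed.hostname!r} is not https, "
                         "loopback or link-local; refusing to use it")

    if on_ecs:
        return Diagnosis(
            "no_task_role", None,
            "running under ECS but no credential URI is set: the task "
            "definition has no taskRole. The taskExecutionRole only lets the "
            "agent pull the image and write logs; it is never exposed to the "
            "container, so Credentials.auto() cannot find anything to use.")

    return Diagnosis("not_container", None,
                     "no container credential variables; another provider "
                     "(env keys, instance metadata, config file) must apply")


# Constructed sample environments. The first reproduces the variables the
# issue reporter printed inside a Fargate task that had only an execution role.
FARGATE_ENV_WITHOUT_TASK_ROLE = {
    "ECS_CONTAINER_METADATA_URI":
        "http://169.254.170.2/v3/58a828415a48478ab518d476a3a52074-450364491",
    "ECS_CONTAINER_METADATA_URI_V4":
        "http://169.254.170.2/v4/58a828415a48478ab518d476a3a52074-450364491",
    "HOSTNAME": "ip-10-0-75-52.ec2.internal",
    "AWS_EXECUTION_ENV": "AWS_ECS_FARGATE",
    "ECS_AGENT_URI":
        "http://169.254.170.2/api/58a828415a48478ab518d476a3a52074-450364491",
}
# The same task once a taskRole is attached; the credential id is a placeholder.
FARGATE_ENV_WITH_TASK_ROLE = dict(
    FARGATE_ENV_WITHOUT_TASK_ROLE,
    AWS_CONTAINER_CREDENTIALS_RELATIVE_URI="/v2/credentials/PLACEHOLDER-CREDENTIAL-ID",
)


if __name__ == "__main__":
    for name, env in (("without taskRole", FARGATE_ENV_WITHOUT_TASK_ROLE),
                      ("with taskRole", FARGATE_ENV_WITH_TASK_ROLE)):
        d = diagnose_container_credentials(env)
        print(f"{name}: {d.status} -> {d.credentials_url}\n  {d.message}")
```

Running the check inside the container (for instance as a startup step that calls `diagnose_container_credentials(os.environ)`) turns the opaque failure of Credentials.auto() into a message that names the missing taskRole, which is exactly the mix-up the thread ended on.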