The logic to get STS tokens if you're running in ECS is not quite the same as the logic that boto3 appears to use. In boto3, we don't notice the IAM creds used by ECS tasks to leverage the EC2 role ARN, unless the ECS Task has no Role defined (which we also don't do anymore, but we once did, and found this to be the case maybe 2ish years back).
The condition by which ECS credentials are attempted to be gathered is dependent on EC2 credential data not being found.
We run with EC2 IAM Profiles/Roles, and ECS Task IAM Profiles/Roles. Scout2 worked well for us until we deployed it as an ECS task.
As a user, I would like for Scout2 to be able to assume the role assigned to an ECS Task, while also being able to have a distinct role assigned to the underlying EC2 instance in my ECS Cluster.
Thanks @edyesed. We're currently looking to move away from opinel as it isn't clear there are many benefits to using it over boto3. Not sure if this will be fixed in the library per se or in Scout Suite directly.
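The resolution order requested in the issue, with the ECS task role tried first and the EC2 instance role used only as a fallback, as an added example that is not code from Scout2, opinel or boto3. The function names and the `fetch` hook are hypothetical, and the endpoint responses are constructed sample data so the block runs offline.

```python
import json

ECS_HOST = "http://169.254.170.2"  # ECS task credential endpoint
IMDS_ROLES = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"

# Constructed sample responses (not real credentials).
SAMPLE_RESPONSES = {
    ECS_HOST + "/v2/credentials/constructed-id": json.dumps({
        "RoleArn": "arn:aws:iam::111122223333:role/example-task-role",
        "AccessKeyId": "EXAMPLE-TASK-KEY", "SecretAccessKey": "example-task-secret",
        "Token": "example-task-token", "Expiration": "2030-01-01T00:00:00Z"}),
    IMDS_ROLES: "example-instance-role\n",
    IMDS_ROLES + "example-instance-role": json.dumps({
        "Code": "Success",
        "AccessKeyId": "EXAMPLE-INSTANCE-KEY", "SecretAccessKey": "example-instance-secret",
        "Token": "example-instance-token", "Expiration": "2030-01-01T00:00:00Z"}),
}

def make_fetch(responses):
    """Hypothetical offline stand-in for an HTTP GET: body string or None."""
    return lambda url: responses.get(url)

def parse_credentials(body):
    """Map the credential document both endpoints return to a plain dict."""
    doc = json.loads(body)
    return {"access_key": doc["AccessKeyId"], "secret_key": doc["SecretAccessKey"],
            "token": doc["Token"], "expiration": doc.get("Expiration")}

def resolve_credentials(env, fetch):
    """Try the ECS task role first; fall back to the EC2 instance role."""
    relative_uri = env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
    if relative_uri:
        body = fetch(ECS_HOST + relative_uri)
        if body:
            return "ecs-task-role", parse_credentials(body)
    # IMDSv1-style lookup for brevity; IMDSv2 adds a session-token request first.
    roles = fetch(IMDS_ROLES)
    if roles and roles.strip():
        body = fetch(IMDS_ROLES + roles.split()[0])
        if body:
            return "ec2-instance-role", parse_credentials(body)
    return None, None

if __name__ == "__main__":
    fetch = make_fetch(SAMPLE_RESPONSES)
    task_env = {"AWS_CONTAINER_CREDENTIALS_RELATIVE_URI": "/v2/credentials/constructed-id"}
    print(resolve_credentials(task_env, fetch)[0])
    print(resolve_credentials({}, fetch)[0])
```

Logging the returned source name at startup makes it visible which role an audit run is actually using when the task and the instance carry different policies.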