AWS IAM Permissions in shiny-server - Docker

[Ada-Nick]

I'm having trouble accessing AWS IAM credentials from within my dockerised shiny-server environment. I'm deploying my shiny server container to ECS but am unable to access services such as s3 despite having the proper IAM permissions.

I can attach a volume to the docker container to manually move the credentials file over:

    volumes:
    - $HOME/.aws/:/home/shiny/.aws/:ro

But this is not practical in production. I can access the IAM credentials when running the app without using shiny-server by running the docker file like this:

#CMD ["/usr/bin/shiny-server.sh"]
CMD ["R", "-e", "shiny::runApp('/srv/shiny-server/app_name', 3838, host='0.0.0.0')"]

But then I can't run the app on the path I want and it isn't as stable.

How can I access the AWS credentials from within shiny-server?

shiny-server.sh

#!/bin/sh

# Make sure the directory for individual app logs exists
mkdir -p /var/log/shiny-server
chown shiny.shiny /var/log/shiny-server

if [ "$APPLICATION_LOGS_TO_STDOUT" != "false" ];
then
    # push the "real" application logs to stdout with xtail in detached mode
    exec xtail /var/log/shiny-server/ &
fi

# start shiny server
exec shiny-server 2>&1

shiny-server.conf

# Define the user we should use when spawning R Shiny processes
run_as shiny;

# Define a top-level server which will listen on a port
server {
  # Instruct this server to listen on port 80. The app at dokku-alt need expose PORT 80, or 500 e etc. See the docs
  listen 3838;

  # Define the location available at the base URL
  location / {

    # Run this location in 'site_dir' mode, which hosts the entire directory
    # tree at '/srv/shiny-server/app'
    site_dir /srv/shiny-server/app;

    # Define where we should put the log files for this location
    log_dir /var/log/shiny-server;

    # Should we list the contents of a (non-Shiny-App) directory when the user 
    # visits the corresponding URL?
    directory_index on;
  }

Dockerfile

FROM rocker/shiny-verse:latest

# system libraries of general use
RUN apt-get update && apt-get install -y \
    ....
RUN apt-get update

# Install R packages that are required
# TODO: add further package if you need!

RUN ["install2.r", "paws", "...", ...]

RUN rm -r /srv/shiny-server/*

COPY shiny-server.sh /usr/bin/shiny-server.sh

# copy the app to the image
RUN mkdir /srv/shiny-server/my_app
COPY ./my_app /srv/shiny-server/my_app/

# select port
EXPOSE 3838

# run app
CMD ["/usr/bin/shiny-server.sh"]

[jcheng5]

When running on ECS, does your container have one or both of the following environment variables?

• AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
• AWS_CONTAINER_CREDENTIALS_FULL_URI

If so, I think if we add a way for you to specify that Shiny Server should pass through those environment variables to the R process, that might do the trick. (See also https://github.com/rstudio/shiny-server/issues/409)