swipely / iam-docker

Use different IAM roles for each Docker container on an EC2 instance
MIT License

side effects to use "iam-docker" #26

Closed ozbillwang closed 6 years ago

ozbillwang commented 6 years ago

After fixing my issue (#25), I can assume the role with --label com.swipely.iam-docker.iam-profile="$PROFILE"

Then I found a problem.

Before using iam-docker, the containers inherit permissions from their host directly. So if the host has permission to list an S3 bucket, the containers running on it can as well.

But after enabling iam-docker, I have to feed all permissions to that container; otherwise, it will have no permissions at all.

Is this the design, or can we make some improvements on this issue?

Second, can I feed several --label options, so I can group the permissions into multiple roles, rather than having to put all permissions into one role?

nahiluhmot commented 6 years ago

This is the design of iam-docker. AWS clients from the first-party libraries can only use one IAM Role at a time (outside of manually assumed roles). This means that iam-docker is unable to implement the sharing of IAM roles between the container and the host.

Similarly for supporting multiple --label options: I don't believe that Docker supports that. However, even if we were to use a label prefix or something so that iam-docker could read from an arbitrary number of labels, we still cannot "merge" IAM Roles on the fly. They have to be static.
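Since a container gets exactly one static role, the permissions that the question wanted to spread across several roles have to live in the policy documents attached to that one role. The following is an added Python example, not code from iam-docker or from either commenter, showing how several attached identity-based policies combine under IAM's evaluation order: an explicit Deny in any document wins, otherwise any matching Allow grants access, otherwise access is implicitly denied. The two policy documents, the bucket and queue ARNs and the account ID are constructed for illustration; Condition blocks, NotAction/NotResource, resource-based policies and permission boundaries are deliberately out of scope.

```python
"""Combine several IAM policy documents attached to one role and evaluate
access requests against them. Added illustration for the thread above, not
part of iam-docker; all policy documents and ARNs below are constructed."""
import fnmatch
import json

# Constructed sample: two policy documents that could be attached to the single
# role a container is given, instead of being split across two roles.
S3_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": ["arn:aws:s3:::example-bucket",
                         "arn:aws:s3:::example-bucket/*"],
        },
    ],
})

SQS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sqs:*",
            "Resource": "arn:aws:sqs:us-east-1:123456789012:jobs",
        },
        {
            # Explicit deny: wins over the broad sqs:* allow above.
            "Effect": "Deny",
            "Action": "sqs:DeleteQueue",
            "Resource": "*",
        },
    ],
})


def _as_list(value):
    """IAM allows a bare string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _match_action(pattern, action):
    """Action names are case-insensitive and support '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _match_resource(pattern, resource):
    """Resource ARNs are matched case-sensitively with the same wildcards."""
    return fnmatch.fnmatchcase(resource, pattern)


def is_allowed(policy_docs, action, resource):
    """Evaluate identity-based policies only (no Condition blocks, no
    resource policies, no permission boundaries).

    Order of evaluation: any explicit Deny -> denied; else any Allow ->
    allowed; else implicit deny. The host's own instance role plays no part,
    which is exactly the behaviour the thread describes."""
    allowed = False
    for doc in policy_docs:
        for stmt in _as_list(json.loads(doc)["Statement"]):
            if "NotAction" in stmt or "NotResource" in stmt:
                raise NotImplementedError("NotAction/NotResource not modelled")
            action_hit = any(_match_action(p, action)
                             for p in _as_list(stmt["Action"]))
            resource_hit = any(_match_resource(p, resource)
                               for p in _as_list(stmt["Resource"]))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit deny overrides every allow
            allowed = True
    return allowed


def effective_decisions(policy_docs, requests):
    """Map each (action, resource) request to its allow/deny decision."""
    return {(a, r): is_allowed(policy_docs, a, r) for a, r in requests}


if __name__ == "__main__":
    # Sample requests, also constructed for the illustration.
    queue = "arn:aws:sqs:us-east-1:123456789012:jobs"
    requests = [
        ("s3:GetObject", "arn:aws:s3:::example-bucket/reports/2024.csv"),
        ("s3:GetObject", "arn:aws:s3:::other-bucket/secret.txt"),
        ("sqs:SendMessage", queue),
        ("sqs:DeleteQueue", queue),
        ("ec2:DescribeInstances", "*"),  # host may have this; the role does not
    ]
    for (action, resource), ok in effective_decisions(
            [S3_READ_POLICY, SQS_POLICY], requests).items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {action} on {resource}")
```

Organising the role this way keeps the grouping the question asked for (one policy document per concern) while still satisfying the maintainer's constraint that the container is bound to a single, static role.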