Closed ozbillwang closed 6 years ago
This is the design of iam-docker. AWS clients from the first-party libraries can only use one IAM Role at a time (outside of manually assumed roles). This means that iam-docker is unable to implement the sharing of IAM roles between the container and the host.
Similarly for supporting multiple --label options: I don't believe that docker supports that. However, even if we were to use a label prefix or something so that iam-docker could read from an arbitrary number of labels, we still cannot "merge" IAM Roles on the fly. They have to be static.
After fixing my issue (#25), I can assume the role with
--label com.swipely.iam-docker.iam-profile="$PROFILE"
Then I found a problem.
Before using iam-docker, the containers inherit permissions from the host directly. So if the host has permission to list S3 buckets, the containers running on it can as well. But after enabling iam-docker, I have to feed all permissions to that container, otherwise it will have no permissions at all. Is this the design, or can we make some improvements on this issue?
Second, can I feed several --label options, so I can group the permissions in multiple roles, rather than having to put all permissions into one role?
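The practical consequence of the reply above is that the role named in the com.swipely.iam-docker.iam-profile label is the only role the container's AWS clients will use, so permissions that were kept in several policies have to end up on that one role. The script below is an added example, not code from iam-docker or from the thread's participants: it unions several IAM permissions policy documents into a single document that can be attached to that one role, keeps Sids unique (IAM requires that within one document), and checks the result against the IAM policy size quotas. The three policy documents, the account ID and the resource ARNs are constructed sample data.

```python
"""Union several IAM permissions policy documents into one for a single role.

Added example for the iam-docker discussion: a container sees exactly one
IAM role, so permissions grouped across several policies must be attached
to, or merged into, that role. All sample policies below are constructed.
"""
import json
from copy import deepcopy

# IAM quotas, counted in characters with whitespace excluded: a customer
# managed policy may be 6,144 characters; all inline policies on one role
# together may total 10,240 characters.
MANAGED_POLICY_LIMIT = 6144
INLINE_ROLE_POLICY_LIMIT = 10240

# Constructed sample policies, one per "group" the issue author wanted to
# keep in separate roles. Note the Sid "S3Access" appears in two documents.
S3_LIST = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "S3Access", "Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets", "s3:ListBucket"], "Resource": "*"},
    ],
}
SQS_CONSUME = {  # IAM permits a single statement object instead of a list
    "Version": "2012-10-17",
    "Statement": {"Sid": "Consume", "Effect": "Allow",
                  "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
                  "Resource": "arn:aws:sqs:us-east-1:123456789012:app-queue"},
}
S3_OBJECTS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "S3Access", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::app-bucket/*"},
        {"Sid": "NoDelete", "Effect": "Deny", "Action": "s3:DeleteObject",
         "Resource": "*"},
    ],
}


def statements(doc):
    """Normalise 'Statement' (a single object or a list in IAM) to a list."""
    stmts = doc.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def merge_policies(*docs):
    """Union the statements of several policy documents into one document.

    IAM evaluates every policy attached to a role together: any matching
    Allow grants, any matching explicit Deny wins. Concatenating statements
    therefore preserves the combined semantics. Sids must be unique within
    one document, so a colliding Sid gets a numeric suffix (S3Access2, ...).
    """
    merged = {"Version": "2012-10-17", "Statement": []}
    seen = set()
    for doc in docs:
        version = doc.get("Version", "2012-10-17")
        if version != "2012-10-17":
            raise ValueError("refusing to merge policy Version %r" % version)
        for stmt in statements(doc):
            stmt = deepcopy(stmt)
            sid = stmt.get("Sid")
            if sid is not None:
                base, n = sid, 2
                while sid in seen:
                    sid = "%s%d" % (base, n)
                    n += 1
                stmt["Sid"] = sid
                seen.add(sid)
            merged["Statement"].append(stmt)
    return merged


def sids(doc):
    """Sids in document order (None for statements without one)."""
    return [s.get("Sid") for s in statements(doc)]


def policy_size(doc):
    """Document size the way IAM counts it: characters excluding whitespace."""
    return sum(1 for c in json.dumps(doc) if not c.isspace())


def fits_limit(doc, limit=MANAGED_POLICY_LIMIT):
    """True if the document fits the given IAM size quota."""
    return policy_size(doc) <= limit


if __name__ == "__main__":
    merged = merge_policies(S3_LIST, SQS_CONSUME, S3_OBJECTS)
    print(json.dumps(merged, indent=2))
    print("size:", policy_size(merged),
          "fits managed-policy quota:", fits_limit(merged))
```

The merged document can then be attached to the single role the label names, for example with `aws iam put-role-policy --role-name "$PROFILE" --policy-name merged --policy-document file://merged.json` (role and policy names here are assumptions). Attaching each source policy separately to that same role is equivalent in effect; the merge only matters when the count of attached policies, rather than their total size, is the constraint.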