Closed lesaux closed 8 years ago
@lesaux Your roles appear to be setup correctly. I don't see any mention of iam-docker
handling a web request in the logs you posted. Typically a log line along the lines of Serving IAM credentials request
will appear when a container tries to authenticate. Have you setup iptables
to redirect requests going from the Docker bridge to the metadata API (at 169.254.169.254
) to actually go to the iam-docker
container as noted in the README? Also, are you running the iam-docker
container with --net=host
?
I am running the container with the following command because port 8080 is already in use in my setup:
/iam-docker -listen-addr=0.0.0.0:9999 -verbose
therefore my iptables command is
export NETWORK="bridge"
export GATEWAY="$(docker network inspect "$NETWORK" | grep Gateway | cut -d '"' -f 4)"
export INTERFACE="br-$(docker network inspect "$NETWORK" | grep Id | cut -d '"' -f 4 | head -c 12)"
export PORT=9999
iptables -t nat -I PREROUTING -p tcp -d 169.254.169.254 --dport 80 -j DNAT --to-destination "$GATEWAY":"$PORT" -i "$INTERFACE"
I just tried running those commands on one of my iam-docker
boxes, and GATEWAY
was an empty string after running those commands. Looks like the instructions are out-of-date. Can you confirm that the GATEWAY
variable is null for you as well? If so, I'll work on generating some new instructions.
Yup Gateway is empty fo rme as well. It seems on my rancher environment I should use docker0 for the interface.
With Docker0 interface I now get: Unable to locate credentials. You can configure credentials by running "aws configure".
but still not seeing the log line you mentioned in the iam-docker docker.
Okay, this worked for me. Could you try it out?
export NETWORK="bridge"
export PORT="9999"
export INTERFACE="$(docker network inspect -f '{{index .Options "com.docker.network.bridge.name"}}' "$NETWORK")"
export GATEWAY="$(ip addr show "$NETWORK" | grep 'inet ' | awk '{print $2}' | cut -d / -f 1)"
echo "network: $NETWORK"
echo "port: $PORT"
echo "interface: $INTERFACE"
echo "gateway: $GATEWAY"
sudo iptables -t nat \
-I PREROUTING \
-p tcp \
-d 169.254.169.254 \
--dport 80 \
-j DNAT \
--to-destination "$GATEWAY:$PORT" \
-i "$INTERFACE"
Awesome thanks for you help it pointed me in the right direction.
I believe you had a typo on line 4 ($INTERFACE not $NETWORK) and then in my use case
ip addr show
gave me two ip addresses so i added head -n 1
Here's what worked for me in my rancher env
export NETWORK="bridge"
export PORT="9999"
export INTERFACE="$(docker network inspect -f '{{index .Options "com.docker.network.bridge.name"}}' "$NETWORK")"
export GATEWAY="$(ip addr show "$INTERFACE" | grep 'inet ' | awk '{print $2}' | cut -d / -f 1|head -n 1)"
echo "network: $NETWORK"
echo "port: $PORT"
echo "interface: $INTERFACE"
echo "gateway: $GATEWAY"
Thanks a lot for you quick help!
Happy to help! Going to update the README now.
Would it be possible to get a complete example of roles and policies? I am struggling with this quite a bit.
I am currently creating an instance role "MyInstanceRole" with the following attached policy:
The s3_access role has a normal S3 access policy and the following trust relationship:
Running:
iam-docker container log
If I attach the s3 access policy directly to the instance role, I can list the bucket content.
Would you be kind enough to explain what I am missing?