Consider AWS_CONTAINER_CREDENTIALS_RELATIVE_URI #13

@willglynn

Amazon ECS addresses the container credentialing problem in a different way. See IAM Roles for Tasks for details. In this Amazon ECS model, containers are launched with the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable.

Every client application is supposed to look for this environment variable. If it's set, the client is to request credentials from http://169.254.170.2${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI} instead of the usual /latest/meta-data/iam/security-credentials.

This change is recent, having landed in the various SDKs' default credentialing chains about a month ago. It will be some time before support for this environment variable is universal.

So: what, if anything, should iam-docker do differently?

Some ideas on possible things to do:

  1. iam-docker can warn if it detects the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI variable on a new container. This seems appropriate, since this variable is set by magic and therefore iam-docker can't guarantee that the container will receive correct credentials.
  2. iam-docker can intercept requests for AWS_CONTAINER_CREDENTIALS_RELATIVE_URI and serve them identically to /latest/meta-data/iam/security-credentials. This ensures that it handles all credentialing requests from a container, regardless of the container credentials relative URI.
  3. iam-docker can proxy requests for AWS_CONTAINER_CREDENTIALS_RELATIVE_URI. This would allow use of iam-docker for some containers while using the official Amazon functionality for others.
  4. iam-docker can provide per-container statistics, like { credentials_requested: 4, container_credentials_uri_set: true, container_credentials_requested: 0 }. This would assist administrators in determining which containers are aware of this variable and which are not.
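The env-var detection behind idea 1 and the dual-path serving of idea 2, as an added Go example that is not part of this issue or of iam-docker's own code. The `CredentialHandler`, `Lookup` and `RelativeURIs` names are assumptions; `Credentials` holds only the fields that both the EC2 metadata document and the ECS container document carry.

```go
package main

import (
	"encoding/json"
	"net/http"
	"strings"
)

const (
	envVar       = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
	ec2CredsPath = "/latest/meta-data/iam/security-credentials/"
)

// Credentials carries the fields both SDK code paths read from a credential document.
type Credentials struct {
	AccessKeyId, SecretAccessKey, Token, Expiration string
}

// ContainerCredentialsURI returns the relative URI from a container's environment
// ("KEY=VALUE" strings as Docker reports them), or "" if unset; non-empty triggers the idea-1 warning.
func ContainerCredentialsURI(env []string) string {
	for _, kv := range env {
		if strings.HasPrefix(kv, envVar+"=") {
			return strings.TrimPrefix(kv, envVar+"=")
		}
	}
	return ""
}

// CredentialHandler answers the EC2 metadata path and any registered container
// relative URI with the same document (idea 2); every other path is refused.
// Lookup resolves the requesting container (e.g. by source IP) to its credentials.
type CredentialHandler struct {
	Lookup       func(r *http.Request) (Credentials, bool)
	RelativeURIs map[string]bool // relative URIs observed on running containers
}

func (h CredentialHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if !strings.HasPrefix(r.URL.Path, ec2CredsPath) && !h.RelativeURIs[r.URL.Path] {
		http.NotFound(w, r) // unknown paths never return a credential document
		return
	}
	creds, ok := h.Lookup(r)
	if !ok {
		http.Error(w, "no role mapped for this container", http.StatusForbidden)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(creds)
}
```

Registering each container's relative URI as it starts (from the same inspect data the warning uses) keeps the handler from answering arbitrary paths with credentials.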
