Getting AWS Credentials into to a Docker Container without Hardcoding It

EDIT (3 June 2018): There are security concerns with following this approach. Checkout out this great article on why.

When I’m building with ECS, I’m more often than not building a worker that interacts with other AWS services. I need my AWS Access Key ID and my AWS Secret Access Key for it to work locally.
Nobody wants hard-coded values being pushed to version control nor do you want to have to dig it up every time you need to develop locally.

Set up your AWS credentials per the official docs.
The highlights taken from this page are as follows:

    • Set credentials in the AWS credentials profile file on your local system, located at:
        • ~/.aws/credentials on Linux, OS X, or Unix
        • C:\Users\USERNAME\.aws\credentials on Windows

      This file should contain lines in the following format:

      aws_access_key_id = your_access_key_id
      aws_secret_access_key = your_secret_access_key

      Substitute your own AWS credentials values for the values your_access_key_id and your_secret_access_key.

    • Set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables.

To set these variables on Linux, OS X, or Unix, use export:

export AWS_ACCESS_KEY_ID=your_access_key_id
export AWS_SECRET_ACCESS_KEY=your_secret_access_key
# To set these variables on Windows, use set:set AWS_ACCESS_KEY_ID=your_access_key_id
set AWS_SECRET_ACCESS_KEY=your_secret_access_key

Running $ aws help we see there is a –profile parameter.
Leveraging this, we can write a shell script to get our credentials into our Docker container.

Now we can run locally, push to version control and not worry about our credentials being insecure.
Plus, you can build and run your Docker container with one command now, woohoo.

4 Replies to “Getting AWS Credentials into to a Docker Container without Hardcoding It”

    1. Keep in my mind this is only for local development. You would never do this outside a local machine.
      Though I suppose you’re right, you could store these in a local docker volume instead… but you definitely wouldn’t be doing that in the cloud either way.
      You don’t need your AWS Key/Secret when running on AWS, you just need to set up the proper IAM credentials

    2. Agreed with the ps issue. Instead of setting the variables in docker run, you can set it on docker build with ARG/ENV variables. That way you won’t need to use volumes, and it won’t show up on ps either

      1. I’ve actually changed my tune on this and will update this article when I have time.
        You actually don’t want to use docker build to set the AWS ENV Variables, checkout this great article on that.

        The way I have outlined making your AWS Credentials available to your Docker container is not the best from a security standpoint. As Sam mentioned, they show up in ps, which could bleed other places. See this other fantastic article on the subject.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.