将 AWS CLI 凭证作为卷安装到 docker 容器,但仍未引用凭证
Mounted the AWS CLI credentials as volume to docker container however still credentials are not being referred
我在我的 Dockerfile 中使用 AmazonLinux:2 基础镜像创建了一个 docker 镜像。这个 docker 容器将 运行 作为 Jenkins 在 Linux 服务器上构建代理并且必须进行某些 AWS API 调用。在我的 Dockerfile 中,我复制了一个名为 assume-role.sh 的 shell-script。
代码片段:-
COPY ./assume-role.sh .
RUN ["chmod", "+x", "assume-role.sh"]
ENTRYPOINT ["/assume-role.sh"]
CMD ["bash", "--"]
Shell脚本定义:-
#!/usr/bin/env bash
#echo Your container args are: " "
echo Your container args are: ""
ROLE_ARN=""
AWS_DEFAULT_REGION="${2:-us-east-1}"
SESSIONID=$(date +"%s")
DURATIONSECONDS="${3:-3600}"
#Temporary loggings starts here
id
pwd
ls .aws
cat .aws/credentials
#Temporary loggings ends here
# AWS STS AssumeRole
RESULT=(`aws sts assume-role --role-arn $ROLE_ARN \
--role-session-name $SESSIONID \
--duration-seconds $DURATIONSECONDS \
--query '[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]' \
--output text`)
# Setting up temporary creds
export AWS_ACCESS_KEY_ID=${RESULT[0]}
export AWS_SECRET_ACCESS_KEY=${RESULT[1]}
export AWS_SECURITY_TOKEN=${RESULT[2]}
export AWS_SESSION_TOKEN=${AWS_SECURITY_TOKEN}
echo 'AWS STS AssumeRole completed successfully'
# Making test AWS API calls
aws s3 ls
echo 'test calls completed'
我 运行 像这样安装 docker 容器:-
docker run -d -v $PWD/.aws:/.aws:ro -e XDG_CACHE_HOME=/tmp/go/.cache arn:aws:iam::829327394277:role/myjenkins test-image
我在这里要做的是将 .aws 凭据从主机目录安装到根级别容器上的卷。卷安装成功,我可以看到日志输出,如其 shell 文件中所述:-
ls .aws
cat .aws/credentials
它告诉我在根级别 (/) 中有一个 .aws 文件夹,其中包含凭据。然而,不知何故,AWS CLI 没有启动,因此剩余的 API 调用如 AWS STS assume-role 失败。
有人可以在这里推荐我吗?
[docker运行]
的输出
Your container args are: arn:aws:iam::829327394277:role/myjenkins
uid=0(root) gid=0(root) groups=0(root)
/
config
credentials
[default]
aws_access_key_id = AKXXXXXXXXXXXXXXXXXXXP
aws_secret_access_key = e8SYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYxYm
Unable to locate credentials. You can configure credentials by running "aws configure".
AWS STS AssumeRole completed successfully
Unable to locate credentials. You can configure credentials by running "aws configure".
test calls completed
终于找到问题了
将 .aws 卷装载到容器时路径错误。
而不是这个 -v $PWD/.aws:/.aws:ro,它应该是 -v $PWD/.aws:/root/.aws:ro
我在我的 Dockerfile 中使用 AmazonLinux:2 基础镜像创建了一个 docker 镜像。这个 docker 容器将 运行 作为 Jenkins 在 Linux 服务器上构建代理并且必须进行某些 AWS API 调用。在我的 Dockerfile 中,我复制了一个名为 assume-role.sh 的 shell-script。 代码片段:-
COPY ./assume-role.sh .
RUN ["chmod", "+x", "assume-role.sh"]
ENTRYPOINT ["/assume-role.sh"]
CMD ["bash", "--"]
Shell脚本定义:-
#!/usr/bin/env bash
#echo Your container args are: " "
echo Your container args are: ""
ROLE_ARN=""
AWS_DEFAULT_REGION="${2:-us-east-1}"
SESSIONID=$(date +"%s")
DURATIONSECONDS="${3:-3600}"
#Temporary loggings starts here
id
pwd
ls .aws
cat .aws/credentials
#Temporary loggings ends here
# AWS STS AssumeRole
RESULT=(`aws sts assume-role --role-arn $ROLE_ARN \
--role-session-name $SESSIONID \
--duration-seconds $DURATIONSECONDS \
--query '[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]' \
--output text`)
# Setting up temporary creds
export AWS_ACCESS_KEY_ID=${RESULT[0]}
export AWS_SECRET_ACCESS_KEY=${RESULT[1]}
export AWS_SECURITY_TOKEN=${RESULT[2]}
export AWS_SESSION_TOKEN=${AWS_SECURITY_TOKEN}
echo 'AWS STS AssumeRole completed successfully'
# Making test AWS API calls
aws s3 ls
echo 'test calls completed'
我 运行 像这样安装 docker 容器:-
docker run -d -v $PWD/.aws:/.aws:ro -e XDG_CACHE_HOME=/tmp/go/.cache arn:aws:iam::829327394277:role/myjenkins test-image
我在这里要做的是将 .aws 凭据从主机目录安装到根级别容器上的卷。卷安装成功,我可以看到日志输出,如其 shell 文件中所述:-
ls .aws
cat .aws/credentials
它告诉我在根级别 (/) 中有一个 .aws 文件夹,其中包含凭据。然而,不知何故,AWS CLI 没有启动,因此剩余的 API 调用如 AWS STS assume-role 失败。
有人可以在这里推荐我吗?
[docker运行]
的输出Your container args are: arn:aws:iam::829327394277:role/myjenkins
uid=0(root) gid=0(root) groups=0(root)
/
config
credentials
[default]
aws_access_key_id = AKXXXXXXXXXXXXXXXXXXXP
aws_secret_access_key = e8SYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYxYm
Unable to locate credentials. You can configure credentials by running "aws configure".
AWS STS AssumeRole completed successfully
Unable to locate credentials. You can configure credentials by running "aws configure".
test calls completed
终于找到问题了
将 .aws 卷装载到容器时路径错误。
而不是这个 -v $PWD/.aws:/.aws:ro,它应该是 -v $PWD/.aws:/root/.aws:ro