7

I have a .NET Core 2.0 console application developed using Visual Studio 2017. The launchSettings.json file sets an environment variable that allows it to use the developer's default AWS credentials:

```json
"environmentVariables": {
  "AWS_PROFILE": "default"
  ...
}
```

I have now added Docker support to the VS solution, and am trying to run the application in a Linux Docker container. Of course it fails with the following exception, as it is unable to find the profile:

```
Amazon.Runtime.AmazonClientException: Unable to find the 'default' profile in CredentialProfileStoreChain.
```

What is the best way to pass AWS credentials to the Docker container in a development environment? I obviously don't want to put my credentials as environment variables in launchSettings.json as this file is committed to source control.

EDIT

Just to be clear, I am looking for a solution that allows my Docker container to access the developer's credentials when debugging in Visual Studio 2017 on the developer's machine. Release builds will be deployed to AWS and an IAM role will preclude the need for credentials. The credentials are in the file %USERPROFILE%\.aws\credentials and I'm looking for a solution that will enable me to use them from within the Docker container without exposing them elsewhere: hence I don't want to put them in launchSettings.json or any other file that launches the Docker container.

A solution I envisage could involve mounting the Windows drive in the Docker container (or at least the directory %USERPROFILE%\.aws\) then setting an environment variable (AWS_SHARED_CREDENTIALS_FILE ?) in the Docker container so that AWS automagically finds the credentials file.

I've no idea how to do this though, as I'm very new to Docker.

Pang
Joe
  • 1
    Did you check [this](https://stackoverflow.com/questions/36354423/which-is-the-best-way-to-pass-aws-credentials-to-docker-container) ? – Venkatesh Wadawadagi Apr 19 '18 at 07:27
  • 2
    @Venkatesh, yes I did check that, and it gives a solution for managing AWS credentials when deploying on AWS (use IAM roles). But my question is about running the container on my development machine. – Joe Apr 19 '18 at 12:58

2 Answers

21

The solution I went for was to edit the docker-compose.override.yml file that was added by Visual Studio Tools for Docker, and add the following lines:

```yaml
version: '3'

services:
  mydockerapp:
    volumes:
      - ${USERPROFILE}/.aws:/root/.aws
    environment:
      - AWS_REGION=(your region)
      - AWS_PROFILE=default
```

This mounts the .aws directory containing AWS credentials in the appropriate place in the Docker container (/root is the default HOME directory), and sets environment variables to select the profile and region. The launchSettings.json file in the .NET Core project is not used when running in Docker.

Pang
Joe
6

Thanks for Joe's answer, as /root was key for me. This is what my docker-compose.yml looks like for a Java/Maven/Mac OSX environment:

```yaml
volumes:
  # Map in the aws directory
  - ~/.aws:/root/.aws:ro
```

:RO makes it read-only of course. It was unnecessary for me to explicitly define Region and Profile.

Pang
Shanerk
  • 2
    ":RO makes it read-only" - useful bit of knowledge, I wasn't aware of this. Though at the moment I'm only running images I trust not to attempt to modify it. – Joe Jun 01 '18 at 20:50
  • Joe, sometimes it isn't a matter of trust. If you were doing the same thing with an ssh private key, the required permissions are 0600, but since it is owned by a different user than root when you are mapping it in, the `:ro` masks the fact that it isn't actually owned by root from ssh, as it behaves equivalently to 0600. – dragon788 Jul 12 '18 at 18:57
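
An added example, not part of either answer or of any project named in this thread: a small Python check over the two files discussed here (the docker-compose override and launchSettings.json) that flags an `.aws` mount without `:ro` and AWS credential variables given literal values. The function names and the sample text are made up for illustration, and the line-based parsing is an assumption that covers only short-syntax volume entries.

```python
import re

# Environment variables the AWS SDKs read static credentials from.
SECRET_VARS = "AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN"
INLINE_SECRET = re.compile(
    r"""\b(%s)["']?\s*[=:]\s*["']?([^"'\s#,]+)""" % SECRET_VARS)

def check_line(line):
    """Return a finding string for one config line, or None if it looks fine."""
    text = line.split(" #", 1)[0].strip()
    m = INLINE_SECRET.search(text)
    if m and not m.group(2).startswith("$"):   # ${VAR} comes from the host env
        return "literal value for %s in a committed file" % m.group(1)
    if text.startswith("- ") and ".aws" in text:
        parts = text[2:].strip("\"' ").split(":")
        # Last field is the mount mode unless it is the container path;
        # Windows sources such as C:\Users\me\.aws add an extra ':' up front.
        last = parts[-1]
        mode = last.split(",") if len(parts) >= 3 and not last.startswith("/") else []
        if len(parts) >= 2 and "ro" not in mode:
            return "credentials directory mounted writable (add :ro)"
    return None

def audit(config_text):
    """Scan compose / launchSettings text; return [(line_number, finding)]."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        finding = check_line(line)
        if finding:
            findings.append((number, finding))
    return findings

# Constructed sample, not taken from a real project.
SAMPLE = """\
services:
  mydockerapp:
    volumes:
      - ${USERPROFILE}/.aws:/root/.aws
      - ~/.aws:/root/.aws:ro
    environment:
      - AWS_PROFILE=default
      - AWS_SECRET_ACCESS_KEY=EXAMPLEKEYEXAMPLEKEY
      - AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}
"""

if __name__ == "__main__":
    for number, finding in audit(SAMPLE):
        print("line %d: %s" % (number, finding))
```

Run as a pre-commit step, a check like this catches the case the question wants to avoid: credentials typed into a file that is committed to source control.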