Dockerrun.aws.json referring to bucket of another account

Tags: amazon-web-services, docker, elastic-beanstalk

I have the following Dockerrun.aws.json:

{
   "AWSEBDockerrunVersion": "1",
   "Authentication": {
       "Bucket": "bucket-of-another-aws-account",
       "Key": "docker/.dockercfg"
   },
   "Image": {
       "Name": "docker-image"
   },
   "Ports": [
        {
            "ContainerPort": "8080"
        }
    ]
}

The Elastic Beanstalk Environment with our Docker container is running in the customer's AWS account and the S3 bucket with the .dockercfg belongs to our AWS account.

For testing purposes I set the bucket policy principal to * so that anyone can download the .dockercfg file. Nevertheless, Elastic Beanstalk is not able to download that file ("Failed to download authentication credentials docker/.dockercfg from bucket-of-another-aws-account").

The next test was to move the file to an S3 bucket within the customer's AWS account. That worked.

Question is: Is it possible to use a bucket of another account in the Dockerrun.aws.json? I could not find any hints in the documentation and I don't want to give the DockerHub API key to our customer.

Best Answer

We managed to overcome the "Failed to download authentication credentials" like this:

1) In account B (the one trying to access the remote bucket), look in the Elastic Beanstalk environment's settings for the instance role name it is using (Configuration, Instances (cog), Instance profile).

2) Still in account B, in the IAM manager, go to Roles, find the EC2 role from the previous step that EB is using for the instances, and attach an inline policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BucketAccess",
            "Effect": "Allow",
            "Action": [
                "s3:List*",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-of-another-aws-account"
            ]
        },
        {
            "Sid": "S3ObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-of-another-aws-account/*"
            ]
        }
    ]
}

3) On the target S3 bucket in Account A, attach a policy (where 222222222222 is the account number of Account B):

{
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "AccountBAccess1",
        "Effect": "Allow",
        "Principal": {
            "AWS": "222222222222"
        },
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::bucket-of-another-aws-account",
            "arn:aws:s3:::bucket-of-another-aws-account/*"
        ]
    }
}

I know it's a late answer to the OP (made me think of https://xkcd.com/979/ ) but I also could not find any concise or definitive answer in the docs online, and with more people moving to AWS and Elastic Beanstalk I hope this can be of use to others!
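Why step 2 is needed even though the questioner had already opened the bucket to `*`: for a cross-account S3 request, IAM requires both the requester's identity-based policy (here, the instance profile role in account B) and the bucket policy in account A to allow the action, whereas within one account either side is enough. The stock Elastic Beanstalk instance role only has S3 rights on the `elasticbeanstalk-*` buckets, so the public bucket policy alone was never going to pass. The script below is an added example, not code from the question or the answer: a deliberately small model of that evaluation (no Condition, NotAction or NotPrincipal handling) run over constructed copies of the policies on this page. Account IDs, the bucket name, the role names and the "default" EB role policy are placeholders I made up for the demonstration; it also tries a tighter bucket policy scoped to the instance role's ARN and to `s3:GetObject`/`s3:ListBucket` only.

```python
"""Added example: a small model of how IAM evaluates a cross-account S3 GetObject,
used to check the policies discussed on this page. Account IDs, role names and the
bucket name are constructed placeholders, not real resources."""
import fnmatch

ACCOUNT_A = "111111111111"                    # assumed: owns the bucket holding .dockercfg
ACCOUNT_B = "222222222222"                    # assumed: runs the Elastic Beanstalk environment
BUCKET = "bucket-of-another-aws-account"
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/docker/.dockercfg"
EB_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/aws-elasticbeanstalk-ec2-role"  # assumed role name
OTHER_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/some-unrelated-role"         # assumed role name

# Constructed stand-in for the identity policy an EB instance profile normally carries:
# S3 access only to the elasticbeanstalk-* buckets, nothing on other accounts' buckets.
DEFAULT_EB_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
     "Resource": ["arn:aws:s3:::elasticbeanstalk-*", "arn:aws:s3:::elasticbeanstalk-*/*"]}]}

# Step 2 of the answer: inline policy on the instance role in account B.
INLINE_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:List*", "s3:GetBucketLocation"],
     "Resource": [f"arn:aws:s3:::{BUCKET}"]},
    {"Effect": "Allow", "Action": ["s3:GetObject*", "s3:List*"],
     "Resource": [f"arn:aws:s3:::{BUCKET}/*"]}]}

# The questioner's first experiment: bucket open to any principal.
PUBLIC_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}

# Step 3 of the answer: bucket policy in account A trusting the whole of account B.
ANSWER_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ACCOUNT_B}, "Action": "s3:*",
     "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]}]}

# Tightened variant: only the instance role, only the two actions the download needs.
LEAST_PRIV_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": EB_ROLE_ARN},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, principal_arn):
    """Principal element: absent (identity policy) or "*" matches everyone; a bare
    account ID or its :root ARN matches any principal in that account; otherwise
    the role ARN must match exactly."""
    principal = stmt.get("Principal")
    if principal is None:
        return True
    if isinstance(principal, str):
        return principal == "*"
    account = principal_arn.split(":")[4]
    for entry in _as_list(principal.get("AWS", [])):
        if entry in ("*", principal_arn, account, f"arn:aws:iam::{account}:root"):
            return True
    return False


def evaluate_policy(policy, action, resource, principal_arn):
    """Return "Allow", "Deny" or None (no matching statement) for one policy document."""
    effects = set()
    for stmt in _as_list(policy["Statement"]):
        if not _principal_matches(stmt, principal_arn):
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        effects.add(stmt["Effect"])
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else None


def decide(identity_policy, bucket_policy, action, resource, principal_arn, bucket_account):
    """Simplified IAM decision for an S3 request: an explicit Deny anywhere wins;
    same account: either policy may allow; cross-account: the requester's identity
    policy AND the bucket policy must both allow."""
    identity = evaluate_policy(identity_policy, action, resource, principal_arn)
    bucket = evaluate_policy(bucket_policy, action, resource, principal_arn) if bucket_policy else None
    if "Deny" in (identity, bucket):
        return "Deny"
    if principal_arn.split(":")[4] == bucket_account:
        return "Allow" if "Allow" in (identity, bucket) else "Deny"
    return "Allow" if identity == "Allow" and bucket == "Allow" else "Deny"


def scenarios():
    """The situations discussed on this page, evaluated with the model above."""
    def get(idp, bp, role, owner, res=OBJECT_ARN):
        return decide(idp, bp, "s3:GetObject", res, role, owner)
    same_account_object = f"arn:aws:s3:::elasticbeanstalk-us-east-1-{ACCOUNT_B}/docker/.dockercfg"
    return {
        "public bucket policy, default EB role (first test)": get(DEFAULT_EB_ROLE_POLICY, PUBLIC_BUCKET_POLICY, EB_ROLE_ARN, ACCOUNT_A),
        "bucket in the customer's own account (second test)": get(DEFAULT_EB_ROLE_POLICY, None, EB_ROLE_ARN, ACCOUNT_B, same_account_object),
        "answer: inline policy + account-wide bucket policy": get(INLINE_ROLE_POLICY, ANSWER_BUCKET_POLICY, EB_ROLE_ARN, ACCOUNT_A),
        "answer's bucket policy also admits an unrelated role in account B": get(INLINE_ROLE_POLICY, ANSWER_BUCKET_POLICY, OTHER_ROLE_ARN, ACCOUNT_A),
        "least privilege: inline policy + role-scoped bucket policy": get(INLINE_ROLE_POLICY, LEAST_PRIV_BUCKET_POLICY, EB_ROLE_ARN, ACCOUNT_A),
        "least privilege blocks the unrelated role": get(INLINE_ROLE_POLICY, LEAST_PRIV_BUCKET_POLICY, OTHER_ROLE_ARN, ACCOUNT_A),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{verdict:5}  {name}")
```

Two practical points follow from the output. First, `.dockercfg` is a registry credential, so the bucket policy in step 3 is wider than it needs to be: granting `s3:*` to the whole of account B lets any IAM principal in the customer's account that also has S3 rights on that ARN read the file. The `LEAST_PRIV_BUCKET_POLICY` variant names the instance role ARN as the principal and limits actions to `s3:GetObject` and `s3:ListBucket`, which is all the download needs; the inline role policy in account B can be trimmed the same way. Second, the `Principal: "*"` test bucket should be locked back down as soon as the experiment is over, since it exposes the credential to the whole Internet. The real policies are applied with `aws iam put-role-policy` (account B) and `aws s3api put-bucket-policy` (account A); the evaluator above only reasons about the documents and never talks to AWS.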
