Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
In Linux environment credentials priority is set to:
When ECS Agent (in case of ECS Anywhere) is installed on EC2 instance of other AWS account with IAM Role attached, EC2 Role credentials are prioritized over rotating credentials which means SSM Agent credentials won't be used.
As far as there is no way to change credentials providers priority it's not possible to make ECS Agent use SSM Agent rotating credentials. It makes usage of ECS Anywhere hardly possible when external instance is part of other AWS Account with EC2 IAM Role credentials attached. It may not be possible to modify EC2 Role credentials due to policies in external AWS Account.
It makes sense to prioritize rotating credentials over EC2 Role credentials in case ECS Agent is installed on external instance. Please note, similar behavior is implemented for Windows:
amazon-ecs-agent/ecs-agent/credentials/instancecreds/instancecreds_windows.go
Line 54 in b702281
Alternatively, it would be great if credentials providers priority could be re-configured by additional config variable.
Implementation details
In Linux environment when
ECS_EXTERNAL
variable is set totrue
RotatingSharedCredentialsProvider
is prioritized overEC2RoleProvider
so that SSM Agent credentials are prioritized over EC2 Role credentials.Testing
New tests cover the changes: no
Description for the changelog
Prioritize
RotatingSharedCredentialsProvider
overEC2RoleProvider
instance credentials provider for external instances in LinuxLicensing
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.