Within a plain EC2 environment, managing access to other AWS resources is fairly straightforward with IAM roles and credentials (automatically fetched from instance metadata). It is even easier with CloudFormation, where you can create roles on the fly when you assign a particular application role to an instance.
If I wanted to migrate to Docker and have a kind of M-to-N deployment, where I have M machines and N applications running on them, how should I go about restricting access to per-application AWS resources? Instance metadata is accessible by anyone on the host, so I'd have every application being able to see/modify the data of every other application in the same deployment environment.
What are the best practices for supplying security credentials to application containers running in such an environment?
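As an added example, not part of the original question, here is a minimal sketch of one way to get per-container scoping on a shared host: the instance keeps its own IAM role, each application gets a separate IAM role whose trust policy allows the instance role to assume it, and a host-side broker calls `sts:AssumeRole` on behalf of a container and hands back short-lived credentials in the same JSON shape the instance metadata service uses. The container names, role ARNs and account ID are assumptions; the STS client is injected so the example runs offline with a stub instead of `boto3`.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumed mapping from container identity to the only role it may obtain.
# In a real deployment this would come from the orchestrator's labels or a
# signed config, never from the container itself.
CONTAINER_ROLE_MAP = {
    "app-billing": "arn:aws:iam::123456789012:role/app-billing",
    "app-reports": "arn:aws:iam::123456789012:role/app-reports",
}


def trust_policy_for(instance_role_arn):
    """Trust policy to attach to each per-application role: only the host's
    instance role may assume it, so containers cannot assume it directly."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": instance_role_arn},
            "Action": "sts:AssumeRole",
        }],
    }


class CredentialBroker:
    """Host-side process that holds the instance role and vends scoped,
    short-lived credentials to containers, one role per container.

    For this to mean anything, containers must be unable to reach the
    instance metadata service themselves, e.g. on the Docker host:
        iptables -I DOCKER-USER -d 169.254.169.254 -j DROP
    with the broker itself running outside that chain (on the host network).
    """

    def __init__(self, sts_client, role_map, session_seconds=900):
        self.sts = sts_client            # boto3.client("sts") in production
        self.role_map = role_map
        self.session_seconds = session_seconds

    def credentials_for(self, container_name, session_policy=None):
        role_arn = self.role_map.get(container_name)
        if role_arn is None:
            # Fail closed: an unmapped container gets nothing, not the host role.
            raise PermissionError(f"no role mapped for container {container_name!r}")
        kwargs = {
            "RoleArn": role_arn,
            "RoleSessionName": container_name,
            "DurationSeconds": self.session_seconds,
        }
        if session_policy is not None:
            # A session policy can only narrow the role's permissions further.
            kwargs["Policy"] = json.dumps(session_policy)
        resp = self.sts.assume_role(**kwargs)
        c = resp["Credentials"]
        # Same document layout as IMDS iam/security-credentials/<role>, so an
        # SDK pointed at a local metadata proxy serving this needs no changes.
        return {
            "Code": "Success",
            "Type": "AWS-HMAC",
            "AccessKeyId": c["AccessKeyId"],
            "SecretAccessKey": c["SecretAccessKey"],
            "Token": c["SessionToken"],
            "Expiration": c["Expiration"].strftime("%Y-%m-%dT%H:%M:%SZ"),
        }


class FakeSTS:
    """Offline stand-in for the STS client; records each AssumeRole request."""

    def __init__(self, now=datetime(2024, 1, 1, tzinfo=timezone.utc)):
        self.calls = []
        self.now = now

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        return {"Credentials": {
            "AccessKeyId": "ASIAEXAMPLE",          # constructed sample values
            "SecretAccessKey": "secret",
            "SessionToken": "tok",
            "Expiration": self.now + timedelta(seconds=kwargs["DurationSeconds"]),
        }}


if __name__ == "__main__":
    broker = CredentialBroker(FakeSTS(), CONTAINER_ROLE_MAP)
    print(json.dumps(broker.credentials_for("app-billing"), indent=2))
    try:
        broker.credentials_for("unknown-container")
    except PermissionError as e:
        print("denied:", e)
```

The essential security property is that the container never holds the instance role's credentials: it presents an identity the host can verify (in practice the orchestrator's view of which container is calling, not a self-reported name), and the broker returns only the assumed-role session for that application. Swap in `boto3.client("sts")` for `FakeSTS` and the same code vends real STS sessions.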