Within a plain EC2 environment, managing access to other AWS resources is fairly straightforward with IAM roles and credentials (automatically fetched from instance metadata). It is even easier with CloudFormation, where you can create roles on the fly when you assign a particular application role to an instance.

If I wanted to migrate to Docker and have a kind of M-to-N deployment, where I have M machines and N applications running on them, how should I go about restricting access to per-application AWS resources? Instance metadata is accessible by anyone on the host, so every application would be able to see/modify the data of every other application in the same deployment environment.

What are the best practices for supplying security credentials to application containers running in such an environment?

Alex B

2 Answers

There is this project: https://github.com/dump247/docker-ec2-metadata

It acts as a proxy to the instance metadata endpoint, returning a role specific to the container. I have not used it before, but it seems to solve the use case you are describing.

pbitty
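As an added illustration of what a per-container metadata proxy of the kind linked above has to get right, here is a small simulation written for this page; it is not the docker-ec2-metadata project's own code. It assumes (all constructed) that containers reach the proxy from distinct source IPs on a bridge network, that the operator supplies a static IP-to-role map, and that a fake issuer stands in for STS AssumeRole. The unproxied endpoint is modelled beside it to show the problem the question describes: every caller gets the host's role.

```python
"""Simulated per-container instance-metadata proxy (constructed example).

Contrasts the raw instance metadata service, which hands the host role to
any process on the machine, with a proxy that identifies the calling
container, serves only that container's role, and caches short-lived
credentials with a refresh margin before expiry.
"""
import time
from dataclasses import dataclass
from datetime import datetime, timezone

METADATA_PREFIX = "/latest/meta-data/iam/security-credentials/"
HOST_ROLE = "host-instance-role"  # constructed name for the instance's own role


@dataclass
class Credential:
    role: str
    access_key_id: str
    secret_access_key: str
    token: str
    expiration: float  # epoch seconds


def direct_imds(path):
    """The unproxied metadata service: no caller identity, one role for all."""
    if path == METADATA_PREFIX:
        return 200, HOST_ROLE
    if path == METADATA_PREFIX + HOST_ROLE:
        return 200, {"Code": "Success", "Role": HOST_ROLE}
    return 404, ""


class FakeIssuer:
    """Stand-in for STS AssumeRole; mints a constructed short-lived credential."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self.calls = 0  # counted so caching behaviour can be observed

    def assume_role(self, role, now):
        self.calls += 1
        return Credential(
            role=role,
            access_key_id=f"AKIA-CONSTRUCTED-{role}",
            secret_access_key=f"secret-{role}-{self.calls}",
            token=f"token-{role}-{self.calls}",
            expiration=now + self.ttl,
        )


class MetadataProxy:
    def __init__(self, container_roles, issuer, refresh_margin=300):
        self.container_roles = dict(container_roles)  # source IP -> role name
        self.issuer = issuer
        self.refresh_margin = refresh_margin  # seconds before expiry to renew
        self._cache = {}  # role name -> Credential

    def _credential_for(self, role, now):
        cred = self._cache.get(role)
        if cred is None or cred.expiration - now < self.refresh_margin:
            cred = self.issuer.assume_role(role, now)
            self._cache[role] = cred
        return cred

    def handle(self, src_ip, path, now=None):
        """Answer one request; returns (status, body) like a tiny HTTP handler."""
        now = time.time() if now is None else now
        role = self.container_roles.get(src_ip)
        if role is None:
            return 403, "unknown container"  # default deny for unmapped callers
        if not path.startswith(METADATA_PREFIX):
            return 404, "not proxied"  # only the credential paths are served
        requested = path[len(METADATA_PREFIX):]
        if requested == "":
            return 200, role  # the listing shows only this container's role
        if requested != role:
            return 404, ""  # other containers' roles and the host role stay invisible
        cred = self._credential_for(role, now)
        exp = datetime.fromtimestamp(cred.expiration, tz=timezone.utc)
        return 200, {
            "Code": "Success",
            "AccessKeyId": cred.access_key_id,
            "SecretAccessKey": cred.secret_access_key,
            "Token": cred.token,
            "Expiration": exp.strftime("%Y-%m-%dT%H:%M:%SZ"),
        }


if __name__ == "__main__":
    proxy = MetadataProxy(
        {"172.17.0.2": "app-a-role", "172.17.0.3": "app-b-role"}, FakeIssuer()
    )
    print(direct_imds(METADATA_PREFIX))                                 # host role for anyone
    print(proxy.handle("172.17.0.2", METADATA_PREFIX))                  # only app-a-role
    print(proxy.handle("172.17.0.2", METADATA_PREFIX + "app-b-role"))   # 404
    print(proxy.handle("172.17.0.9", METADATA_PREFIX))                  # 403
```

The simulation only models the proxy's decision logic. In a real deployment the proxy is a control only if the containers' direct route to the actual metadata endpoint is blocked and the container-to-role mapping cannot be changed from inside a container; neither of those is represented here.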

Applying least privilege using Roles and Security Groups (even though you didn't mention them) in AWS with EC2 are both best practices for providing a secure environment for your hosted applications, especially when using CloudFormation. However, when you layer a multi-tenant Docker environment on top of that is when things start to fall apart.

The best answer right now, to continue getting the benefit of Roles while applying least privilege, is to not use a multi-tenant approach. Basically, use a one-to-one mapping between EC2 instance and application, but you can still use clusters / ASGs. Docker is still an extremely useful and powerful tool you can use to manage and deploy your applications, but for now Roles apply to the EC2 instance and not the container. That means using separate VMs for each application for now.

If being multi-tenant is more important than Roles, then the answer is to not use Roles and to distribute AWS credentials to your applications using some other method.

Unfortunately, neither of these solutions is very desirable, and I expect this specific pain point to be addressed by AWS in the future, due mainly to the growing popularity of containers.

JaredHatfield