Add instructions for secure AWS Task IAM Roles #2015
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The [Task IAM Rules] were extracted verbatim from the Amazon documentation [steps 5, 6, and 7]( https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-install.html) The latter two rules were adapted from [Amazon documentation](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html) so that system-docker traffic retains access to the instance-metadata, while traffic from user-docker does not. This documentation change is not sufficient to get Task IAM Roles to work, it requires a modification to the amazon-ecs-agent service, which will follow in a separate commit.
sodre
added a commit
to sodre/os-services
that referenced
this pull request
Nov 19, 2019
According to Amazon's documentation in [step 10](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-install.html), the ECS-Agent is only supported if running using the Host networking instead of bridge. I also enabled Task IAM Role by default, to synchronize with the documentation update in rancher/docs#2015
sodre
changed the title
sodre
added a commit
to sodre/os-packer
that referenced
this pull request
Nov 21, 2019
- Implements the instructions in rancher/docs#2015, directly in the ecs-optimized image. - Depends on rancher/os-release#217
This was referenced Nov 21, 2019
|
Hi! Any updates on getting this issue fixed? |
|
@SheilaghM This PR is dependent on a RancherOS change to be merged, but since RancherOS is deprecated, I'm wondering if this PR should be closed. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The Task IAM Rules were extracted verbatim from the Amazon documentation steps 5, 6, and 7
The latter two rules were adapted from Amazon documentation so that system-docker traffic retains access to the instance-metadata, while traffic from user-docker does not.
This documentation change is not sufficient to get Task IAM Roles to work, it requires a modification to the amazon-ecs-agent service, which will follow in a separate PR to the
os-servicesrepo.