
Pull AWS credentials in container running on AWS Fargate


I have just started working with Docker containers and deploying them in AWS Fargate and I am posting here to know more about how AWS credentials are pulled into the containers (please find below an explanation of what I have done). I have read a lot of the AWS documentation and online blogs/posts but I think there are things that I don't fully understand.

I have created an IAM user with the following permissions:

  1. AmazonECS_FullAccess
  2. AmazonSESFullAccess
  3. CloudWatchFullAccess
  4. AmazonS3FullAccess
  5. ECR_FullAccess (this is a custom policy that I have created which allows all Elastic Container Registry actions (ecr:*)).

Then, I have created a Docker image that runs a Python script on AWS Fargate. This script uses the SES, S3 and CloudWatch services. This image was uploaded to ECR.

For security reasons, I did not hardcode environment variables in the Dockerfile. The way I fetch environment variables is by pulling an .env file from an S3 bucket. To do this I have appended an inline policy to the ecsTaskExecutionRole that uses the actions to read an object and bucket location in S3 (in this case the .env file).

For the Task Role, and according to what I read, it is responsible for an IAM role to interact with other AWS services. So I have created a new role with three new policies: (1) AmazonSESFullAccess; (2) CloudWatchFullAccess; and (3) AmazonS3FullAccess. This role was then specified when a new task was being created in Fargate.

My questions are:

  1. Is there any unnecessary step in what I described before? Is that how Task Roles and Task Execution Roles should be set in terms of policies, considering that the container uses the CloudWatch, S3 and SES services (i.e. in the Python code I need to create a client for each service)?
  2. Despite the container running successfully, I do not know which credentials are being pulled exactly. For instance, if I set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in the .env file and if I print them, in CloudWatch they appear as None when os.getenv("AWS_SECRET_ACCESS_KEY") is called. Hence, I do not know what credentials are being used exactly. Could you please let me know how credentials are managed in Fargate?

Solution

  • From your description, you don't need the IAM user or the .env file (for credentials). An IAM user should represent a person and the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY of that person are long lived credentials. Ideally you never want a container (or EC2) to have long lived credentials.

    The Task Role that you assign to the ECS task should be the source of credentials for that task. It should contain permissions to all of the services that the task needs to access. For security reasons you usually want to trim this down to the minimum possible.

    When the ECS task starts, the container will "assume" the role granted to it. Temporary credentials will be generated for it based on that role. The ECS service will take care of refreshing these as required.

    If your Python script is using the AWS SDK (boto3) then it will automatically use the credentials of the container, which are the credentials the task has assumed. You won't need to provide any additional environment variables for credentials.
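Added example (not part of the question or the answer above) showing the mechanism the answer describes. On Fargate the agent sets `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` in the task and serves the task role's temporary credentials over HTTP at the link-local address 169.254.170.2; botocore's container provider reads that variable and fetches the JSON, which is why no `AWS_ACCESS_KEY_ID` ever appears in `os.environ`. The code below reimplements that lookup with the standard library only, stands up a fake agent on 127.0.0.1 so it runs offline, and includes a simplified version of the provider order (explicit keys in the environment win over the container role; the shared-credentials and config files that botocore also checks in between are omitted). The role ARN, the credential values and the relative URI are all constructed for the demo. Inside a real task, the practical check is `boto3.client("sts").get_caller_identity()["Arn"]`, which prints the assumed task role rather than any user.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import urlopen

# Constructed, fake credentials for the demo; a real agent returns short-lived STS keys.
FAKE_TASK_CREDS = {
    "RoleArn": "arn:aws:iam::123456789012:role/example-task-role",  # hypothetical
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE01",
    "SecretAccessKey": "constructed-secret-not-real",
    "Token": "constructed-session-token",
    "Expiration": "2030-01-01T00:00:00Z",
}

# Real ECS/Fargate agents answer at this link-local address; the demo binds 127.0.0.1 instead.
ECS_AGENT_HOST = "http://169.254.170.2"


def credential_source(env):
    """Return which source the SDK chain would pick first for this environment.

    Simplified: botocore also consults ~/.aws/credentials, named profiles and
    web-identity/SSO settings between these two steps; they are omitted here.
    """
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return "environment"      # long-lived keys injected into the task (avoid)
    if env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"):
        return "container-role"   # Fargate task role served by the agent endpoint
    return "none"


def fetch_task_role_credentials(env, agent_host=ECS_AGENT_HOST):
    """Do what botocore's ContainerProvider does: GET host + relative URI, parse JSON."""
    relative_uri = env["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"]
    with urlopen(agent_host + relative_uri, timeout=2) as resp:
        return json.load(resp)


class _FakeAgent(BaseHTTPRequestHandler):
    # Hypothetical task id; the real agent generates one per task.
    relative_uri = "/v2/credentials/00000000-0000-0000-0000-000000000000"

    def do_GET(self):
        if self.path != self.relative_uri:
            self.send_error(404)
            return
        body = json.dumps(FAKE_TASK_CREDS).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_agent():
    """Serve FAKE_TASK_CREDS on a random loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), _FakeAgent)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def demo():
    """Simulate a task whose only credential hint is the agent-provided relative URI."""
    server, base_url = start_fake_agent()
    try:
        env = {"AWS_CONTAINER_CREDENTIALS_RELATIVE_URI": _FakeAgent.relative_uri}
        source = credential_source(env)
        creds = fetch_task_role_credentials(env, agent_host=base_url)
        return source, creds
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    src, c = demo()
    print("credential source:", src)
    print("role:", c["RoleArn"], "expires:", c["Expiration"])
```

Two things follow from the order in `credential_source`: if a task does inject `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` (for example from an .env file loaded into the process environment), those long-lived keys silently win over the task role, so leaving them out is what makes the task role the effective identity; and the `Expiration` field is why the SDK, not your code, is responsible for refreshing the credentials.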