Tags: python, docker, boto3, aws-secrets-manager

Error: "botocore.exceptions.NoCredentialsError: Unable to locate credentials" when doing Docker build


I'm trying to get the secret from AWS like so:

import boto3
import os

mysql_secret = os.environ['MYSQL_SECRET']

def get_secret():

    region_name = "us-west-2"

    # Create a Secrets Manager client
    session = boto3.session.Session()
    client = session.client(
        service_name='secretsmanager',
        region_name=region_name
    )

    get_secret_value_response = client.get_secret_value(SecretId=mysql_secret)

    # Decrypts secret using the associated KMS key.
    secret = get_secret_value_response['SecretString']
    return secret

secret = get_secret()

with Dockerfile

# Top level build args
ARG build_for=linux/arm64/v8
FROM --platform=$build_for python:3.11.4-bullseye as base

# Set docker basics
VOLUME /usr/app
ARG MYSQL_SECRET='mysql_secret'
ARG AWS_ACCESS_KEY_ID
ARG AWS_SECRET_ACCESS_KEY='some_key'
ARG AWS_DEFAULT_REGION='us-west-2'
ARG AWS_SECURITY_TOKEN='some_token'

RUN apt-get update -y
RUN apt-get install libpq-dev -y 
RUN apt-get install default-libmysqlclient-dev  -y
RUN apt-get install pkg-config -y

RUN python -m pip install boto3

COPY ./test.py /usr/app/test.py
RUN python /usr/app/test.py

I looked around SO for a while and tried adding

ENV AWS_CONFIG_FILE=/root/.aws/config
ENV AWS_SDK_LOAD_CONFIG=1

to the Dockerfile

I tried passing the credentials directly like

docker build . -t test:0.1 \
--build-arg AWS_ACCESS_KEY_ID=${access_key_here} \
--build-arg AWS_SECRET_ACCESS_KEY=${secret_key_here} \
--build-arg AWS_DEFAULT_REGION=${us-west-2} \
--build-arg AWS_SECURITY_TOKEN=${token_here}

Nothing seems to be working.

UPDATE: I added

ARG AWS_ACCESS_KEY_ID
ARG AWS_SECRET_ACCESS_KEY='some_key'
ARG AWS_DEFAULT_REGION='us-west-2'
ARG AWS_SECURITY_TOKEN='some_token'

as recommended by Vasyl Herman and hard coded 3 out of 4 arguments, leaving out AWS_ACCESS_KEY_ID. I then tried running docker build . -t test:0.1 --build-arg AWS_ACCESS_KEY_ID=${some_key} but I am still getting the same error, even though it works if the access key is also hard coded in.

If I hard code the access key in, but leave out the secret key, I get a different error when running docker build . -t test:0.1 --build-arg AWS_SECRET_ACCESS_KEY=${some_key}:

zsh: bad substitution


Solution

  • Add ARG directives for AWS Keys like so:

    # Example. Dockerfile with defined ARG directives
    
    # Top level build args
    ARG build_for=linux/arm64/v8
    FROM --platform=$build_for python:3.11.4-bullseye as base
    
    ARG AWS_ACCESS_KEY_ID
    ARG AWS_SECRET_ACCESS_KEY
    ARG AWS_DEFAULT_REGION=us-west-2
    ARG AWS_SECURITY_TOKEN
    
    # Set docker basics
    VOLUME /usr/app
    ARG MYSQL_SECRET='mysql_secret'
    
    RUN apt-get update -y
    RUN apt-get install libpq-dev -y 
    RUN apt-get install default-libmysqlclient-dev  -y
    RUN apt-get install pkg-config -y
    
    RUN python -m pip install boto3
    
    COPY ./test.py /usr/app/test.py
    RUN python /usr/app/test.py
    

    Now you should be able to set or override the values of the predefined ARG directives by running the docker build command with --build-arg arguments.

    Please, test. It has to be working.

    Super important note: it's advisable to get secrets at run time, not at build time. Just keep in mind whatever your goal is here.
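
Following up on the note about build-time secrets, here is an added example (not part of the original answer) for the case where the build step really must call Secrets Manager: values passed with --build-arg or set as ARG defaults are recorded in the image history, whereas a BuildKit secret mount exposes the credentials file only to the one RUN step that needs it. Assumptions: BuildKit is enabled, the secret id `aws` is a name chosen for this example, and the build host has a credentials file at `$HOME/.aws/credentials`.

```dockerfile
# syntax=docker/dockerfile:1
# Added example: BuildKit secret mount instead of credential build args.

ARG build_for=linux/arm64/v8
FROM --platform=$build_for python:3.11.4-bullseye AS base

# Non-sensitive settings can remain build args; ARG values are visible
# to RUN steps as environment variables, so test.py can read them.
ARG AWS_DEFAULT_REGION=us-west-2
ARG MYSQL_SECRET=mysql_secret

RUN python -m pip install boto3

COPY ./test.py /usr/app/test.py

# The credentials file exists only while this RUN step executes. It is
# mounted at boto3's default path for root and is not written to any
# layer or recorded in the image history.
# required=true makes the build stop with a clear error when the secret
# was not passed, instead of failing later with NoCredentialsError.
# Assumption: the secret id "aws" is a name chosen for this example.
RUN --mount=type=secret,id=aws,target=/root/.aws/credentials,required=true \
    python /usr/app/test.py

# Build (assumes the host file holds a [default] profile, including
# aws_session_token when temporary credentials are used):
#   docker build --secret id=aws,src="$HOME/.aws/credentials" -t test:0.1 .
```

After the build, `docker history --no-trunc test:0.1` should list the region and secret name but no access key, secret key or token.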