
ECS Support

Open ajhodges opened this issue 7 years ago • 3 comments

I don't think this is really an issue with keymaker, nor is it something that's appropriate to turn into a PR... but here's some info on how to get keymaker working in an ECS container.

Set up openssh-server and keymaker in your Dockerfile and then create an entrypoint.sh script that looks like this:

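#!/bin/bash
# Insert an export of the task's credentials URI as line 2 of each keymaker script,
# so the variable is set when the scripts run.
sed -i -e "2iexport AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\\" /usr/sbin/keymaker-get-public-keys
sed -i -e "2iexport AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\\" /usr/local/bin/keymaker-create-account-for-iam-user
# Hand off to the container's command.
exec "$@"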

Then configure your task to use this entrypoint. This pulls the value of AWS_CONTAINER_CREDENTIALS_RELATIVE_URI into the keymaker scripts. This value has to be present for the IAM task role permissions to work with boto3/keymaker. There might be an easier/better way to pass this environment variable to the keymaker user as it executes those scripts, but this is the only way I could get it to work. Wanted to pass this along in case others come across the same issue.

ajhodges, Jun 18 '18 21:06
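An added example, not from the thread or the keymaker project: the same line-2 injection written so that it validates the value before writing it into scripts that sshd runs, and replaces an earlier injected line instead of stacking a new one on every container start. The function name `inject_creds_uri` and the allowed character set are assumptions.

```shell
#!/bin/bash
# Added example. inject_creds_uri is a hypothetical helper, not part of keymaker.
#
# inject_creds_uri FILE URI
# Writes `export AWS_CONTAINER_CREDENTIALS_RELATIVE_URI='URI'` as line 2 of FILE
# (directly after the shebang), dropping any previously injected copy.
inject_creds_uri() {
    local file=$1 uri=$2 tmp
    # Assumption: the value is a plain URL path. Anything else is refused,
    # because it ends up inside a script executed during SSH authentication.
    case $uri in
        /*) ;;
        *) echo "refusing URI that is not an absolute path" >&2; return 1 ;;
    esac
    case $uri in
        *[!A-Za-z0-9/_.-]*) echo "refusing URI with unexpected characters" >&2; return 1 ;;
    esac
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    tmp=$(mktemp) || return 1
    awk -v line="export AWS_CONTAINER_CREDENTIALS_RELATIVE_URI='$uri'" '
        /^export AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/ { next }  # drop old injection
        { print }
        NR == 1 { print line }                                       # becomes line 2
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file mode and owner
    local rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage in entrypoint.sh, with the script paths from the post above:
#   for f in /usr/sbin/keymaker-get-public-keys \
#            /usr/local/bin/keymaker-create-account-for-iam-user; do
#       inject_creds_uri "$f" "$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" || exit 1
#   done
#   exec "$@"
```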

Thank you for posting this! Would you be interested in editing the Readme to add this information, and opening a PR?

kislyuk, Jun 20 '18 15:06

The only reason I didn't do that is because I'm honestly not that familiar with sshd and there may be a better way of passing the environment variable to the daemon other than 'patching' your scripts.

ajhodges, Jun 20 '18 18:06

@ajhodges this doesn't seem to be required. I'm running Keymaker with ECS and haven't needed to do any injection to make it work.

maxcountryman, Mar 14 '19 16:03