Last active
January 31, 2023 23:54
docker compose ecs context with AWS SSO
# This is, in my opinion, the preferred way to solve this since you can have several contexts pointing to different accounts/environments. See: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html and https://github.com/linaro-its/aws2-wrap#use-the-credentials-via-awsconfig
# Uses a credential_process profile in your .aws/config file. It's this profile you will use when setting up the docker compose ecs context, as the credential_process looks up the needed credentials.

$ cat ~/.aws/config
[profile account1]
sso_start_url = https://d-123456789.awsapps.com/start#/
sso_region = us-east-1
sso_account_id = 123
sso_role_name = AdministratorAccess
region = eu-north-1

[profile account1-wrapped]
credential_process = aws2-wrap --process --profile account1

[profile account2]
sso_start_url = https://d-123456789.awsapps.com/start#/
sso_region = us-east-1
sso_account_id = 456
sso_role_name = AdministratorAccess
region = eu-north-1

[profile account2-wrapped]
credential_process = aws2-wrap --process --profile account2

$ aws sso login --profile account1
$ docker context create ecs account1
? Create a Docker context using: An existing AWS profile
? Select AWS Profile account1-wrapped
Successfully created ecs context "account1"
$ docker compose up -c account1

$ aws sso login --profile account2
$ docker context create ecs account2
? Create a Docker context using: An existing AWS profile
? Select AWS Profile account2-wrapped
Successfully created ecs context "account2"
$ docker compose up -c account2
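
Added example, not part of the original gist: before building an ECS context on a "-wrapped" profile, this Python check resolves each credential_process profile to the SSO account ID and role it will fetch credentials for, so a context cannot silently point at the wrong account. The sample config is constructed from the one above; the "orphan-wrapped" profile and the function name are hypothetical, and the target is assumed to be passed as "--profile <name>" as in the gist.

```python
import configparser
import shlex

# Constructed sample mirroring the ~/.aws/config shown above, plus one
# hypothetical profile ("orphan-wrapped") that wraps a profile that does not exist.
SAMPLE_CONFIG = """\
[profile account1]
sso_start_url = https://d-123456789.awsapps.com/start#/
sso_region = us-east-1
sso_account_id = 123
sso_role_name = AdministratorAccess
region = eu-north-1

[profile account1-wrapped]
credential_process = aws2-wrap --process --profile account1

[profile orphan-wrapped]
credential_process = aws2-wrap --process --profile missing
"""


def resolve_wrapped_profiles(config_text):
    """Map each credential_process profile to (account_id, role) of the SSO profile it wraps."""
    # interpolation=None keeps values literal; only "=" is treated as a delimiter.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(config_text)
    prefix = "profile "
    profiles = {
        (s[len(prefix):] if s.startswith(prefix) else s).strip(): parser[s]
        for s in parser.sections()
    }
    resolved = {}
    for name, section in profiles.items():
        command = section.get("credential_process")
        if command is None:
            continue  # plain SSO profile, nothing to resolve
        argv = shlex.split(command)
        # Assumption: the wrapped profile is named with "--profile <name>".
        target = argv[argv.index("--profile") + 1] if "--profile" in argv[:-1] else None
        sso = profiles.get(target)
        if sso is None or "sso_account_id" not in sso:
            resolved[name] = None  # wraps nothing usable; do not build a context on it
        else:
            resolved[name] = (sso["sso_account_id"], sso.get("sso_role_name"))
    return resolved


if __name__ == "__main__":
    for wrapped, target in resolve_wrapped_profiles(SAMPLE_CONFIG).items():
        print(wrapped, "->", target or "UNRESOLVED")
```
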
# This example uses the same context, so instead of selecting a specific context you want to deploy to, you use the current exported credentials (https://github.com/linaro-its/aws2-wrap#export-the-credentials).
# To deploy to different environments you instead need to run the "eval" command before deploying.

$ cat ~/.aws/config
[profile account1]
sso_start_url = https://d-123456789.awsapps.com/start#/
sso_region = us-east-1
sso_account_id = 123
sso_role_name = AdministratorAccess
region = eu-north-1

[profile account2]
sso_start_url = https://d-123456789.awsapps.com/start#/
sso_region = us-east-1
sso_account_id = 456
sso_role_name = AdministratorAccess
region = eu-north-1

$ docker context create ecs envVariables
? Create a Docker context using: AWS environment variables
Successfully created ecs context "envVariables"

$ aws sso login --profile account1
$ eval "$(aws2-wrap --profile account1 --export)" # docker compose will now deploy to account1
$ docker compose up -c envVariables # Uses the exported env variables from the previous eval command, in this case pointing to account1

$ aws sso login --profile account2
$ eval "$(aws2-wrap --profile account2 --export)" # docker compose will now deploy to account2
$ docker compose up -c envVariables # Uses the exported env variables from the previous eval command, in this case pointing to account2