I don't think this is really an issue with keymaker, nor is it something that's appropriate to turn into a PR... but here's some info on how to get keymaker working in an ECS container.
Set up openssh-server and keymaker in your Dockerfile and then create an entrypoint.sh script that looks like this:
```bash
#!/bin/bash
# Insert an export of the ECS credentials URI as line 2 of each keymaker script,
# right after its shebang. $AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is expanded
# here, at container start, so the scripts carry the task's value when sshd runs them.
sed -i -e "2iexport AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\\" /usr/sbin/keymaker-get-public-keys
sed -i -e "2iexport AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\\" /usr/local/bin/keymaker-create-account-for-iam-user
# Hand off to the task's command (normally sshd).
exec "$@"
```
Then configure your task to use this entrypoint. This pulls the value of AWS_CONTAINER_CREDENTIALS_RELATIVE_URI into the keymaker scripts. This value has to be present for the IAM task role permissions to work with boto3/keymaker. There might be an easier/better way to pass this environment variable to the keymaker user as it executes those scripts, but this is the only way I could get it to work. Wanted to pass this along in case others come across the same issue.
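As an added example (not from the comment above or from keymaker), here is the same injection written as a reusable entrypoint helper: it refuses to patch a script when the variable is empty, which would otherwise silently leave boto3 without the task-role credentials, and it skips scripts that already carry the line. The `inject_creds_uri` function and `KEYMAKER_SCRIPTS` are names I made up; the two script paths are the ones from the comment.

```bash
#!/bin/bash
# Added example, not keymaker's own code. Patches each keymaker script so that
# sshd, which runs them with its own minimal environment, still sees the ECS
# credentials URI of the task.
set -eu

# Constructed list: the two scripts named in the comment above.
KEYMAKER_SCRIPTS="/usr/sbin/keymaker-get-public-keys /usr/local/bin/keymaker-create-account-for-iam-user"

# inject_creds_uri FILE VALUE
# Inserts "export AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=VALUE" as line 2 of FILE
# (directly after the shebang). Returns 1 when VALUE is empty; returns 0 without
# touching FILE when the exact line is already present.
inject_creds_uri() {
    file=$1
    value=$2
    if [ -z "$value" ]; then
        echo "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is empty; refusing to patch $file" >&2
        return 1
    fi
    line="export AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=$value"
    # Idempotent: a second container start (or a second call) must not add a duplicate.
    if grep -qxF "$line" "$file"; then
        return 0
    fi
    # Rebuild the file from shebang + export line + remainder, then copy it back
    # over the original so ownership and mode of the script are preserved.
    tmp=$(mktemp)
    { head -n 1 "$file"; printf '%s\n' "$line"; tail -n +2 "$file"; } > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Entrypoint behaviour: patch the scripts, then hand off to the task command
# (normally sshd). Only runs when a command was given, so the helper can be
# sourced or tested on its own.
if [ "$#" -gt 0 ]; then
    for script in $KEYMAKER_SCRIPTS; do
        inject_creds_uri "$script" "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}"
    done
    exec "$@"
fi
```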