I'm using the aws-sdk-go library in my Go app.
Roughly the code looks like:
```go
awsSession, err := session.NewSession(&aws.Config{Region: aws.String(region)})
```
and
```go
upParams := &s3manager.UploadInput{
	Bucket: aws.String(bucket),
	Key:    aws.String(filename),
	Body:   bytes.NewReader(fileContents),
}
uploader := s3manager.NewUploader(awsSession)
result, err := uploader.Upload(upParams)
```
When run locally, in a binary, outside a container, this works, because it reads my keys from ~/.aws/credentials.
When run locally, in a Docker container, this works, because I pass in ~/.aws/credentials via $HOME/.aws/credentials:/root/.aws/credentials:ro when starting the container.
But when I tell Fargate to fetch the container from ECR (which works), and run it, it gives these errors in the Task log:
```
Failed to upload files to S3
For verbose messaging see aws.Config.CredentialsChainVerboseErrors
Failed to upload file: NoCredentialProviders: no valid providers in chain. Deprecated.
```
I assume I'm supposed to rely on an IAM policy for the Fargate-managed container/task to get read/write access to S3.
I tried going to IAM -> Roles -> ecsTaskExecutionRole, and adding the AmazonS3FullAccess role, then stopping the task (& having Fargate re-start it). But I get the same error.
I assume I either need to change the Golang code to somehow read the creds from IAM, instead of a file, or I'm doing something wrong on the IAM or Fargate/ECS side.
Any help would be greatly appreciated.
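
An added diagnostic, not part of the original post and not aws-sdk-go code: it reports which credential sources are visible to the process, assuming the aws-sdk-go v1 default chain order (environment keys, shared credentials file, container credentials endpoint). The function and label names are hypothetical. On ECS/Fargate the agent sets `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` only for tasks whose task definition has a task role, which is separate from the execution role used to pull the image from ECR.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// credentialSources lists the credential sources visible to this process, in
// the order the aws-sdk-go v1 default chain tries them. getenv and fileExists
// are injected (hypothetical parameters) so the check can be exercised offline.
func credentialSources(getenv func(string) string, fileExists func(string) bool) []string {
	var found []string
	// 1. Static keys in the environment.
	if getenv("AWS_ACCESS_KEY_ID") != "" && getenv("AWS_SECRET_ACCESS_KEY") != "" {
		found = append(found, "env")
	}
	// 2. Shared credentials file (the file mounted into the local container).
	path := getenv("AWS_SHARED_CREDENTIALS_FILE")
	if path == "" {
		path = filepath.Join(getenv("HOME"), ".aws", "credentials")
	}
	if fileExists(path) {
		found = append(found, "shared-file")
	}
	// 3. Task role credentials: present only when the task has a task role.
	if getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI") != "" {
		found = append(found, "task-role")
	}
	return found
}

func main() {
	exists := func(p string) bool { _, err := os.Stat(p); return err == nil }
	src := credentialSources(os.Getenv, exists)
	if len(src) == 0 {
		// Same condition that produces NoCredentialProviders in the SDK.
		fmt.Println("no credential source visible; on Fargate, check the task definition's task role")
		return
	}
	fmt.Println("credential sources visible:", src)
}
```

Run at container start-up, an empty result on Fargate points at the task definition (no task role attached) rather than at the upload code.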