Help with Bindplane on Docker: S3 PutObject Failing

Asked By TechWiz123 On

I'm trying to get my AWS EC2 instance running Docker with Bindplane set up for logging to S3, but I keep running into issues. Here's what I've got going on:

1. The EC2 instance runs Docker with a Bindplane container.
2. I've set an instance profile that has permissions for S3 Get/Put and can assume the role needed.
3. On my local machine, I've configured my AWS credentials correctly.
4. My ~/.aws/config file includes the correct role ARN and region info, and I can successfully call "aws sts get-caller-identity" and see my credentials.
5. I can list my S3 buckets from the local machine using "aws s3 ls".
6. Inside the container, I can confirm the instance ID with a metadata call.

Despite this, my Bindplane instance can't upload logs to S3, throwing a 403 error saying the Access Key ID doesn't exist in the records. I've tried both IMDS v1 and v2; I can query metadata with v1 but not with v2. I've also mapped my AWS credentials folder in the Docker compose file, but I'm not sure that's necessary. Any guidance would be greatly appreciated!

2 Answers

Answered By AWSNinja42 On

The error indicates that the AWS Access Key ID isn't recognized. Make sure you're not missing a step in passing credentials to the container. Have you verified whether the container has any hardcoded credentials? Also, check what Access Key ID it's showing, just to be sure it matches what you expect.

TechWiz123 -

According to AWS docs, I thought it should just use the EC2 instance profile role with S3 permissions automatically, so I haven't passed any credentials directly to the container. But maybe I should double-check everything.

Answered By CloudGuru88 On

You might want to check your CloudTrail logs for more details on the failed request. That 403 error often points to the container using a different set of credentials than expected. If you can access the shell in the container, run "aws sts get-caller-identity" there to double-check exactly which credentials are being used.

TechWiz123 -

Sounds like a good plan! I’ll definitely try the command inside the container. I think our CloudTrail setup might not capture this because we don’t have data events enabled.
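Both answers come down to the same question: which credentials does the process inside the container actually end up with? The script below is an added example, not code from the thread or from Bindplane. It mirrors the lookup order the AWS CLI and SDKs use (environment variables, then the shared credentials file, then a config profile, then the container credential endpoint, and only last the EC2 instance profile via IMDS), so you can see why a ~/.aws directory bind-mounted from a laptop silently shadows the instance profile. It also checks whether a `get-caller-identity` ARN is really an instance-profile session and whether the instance's IMDS hop limit allows IMDSv2 from a container. The credentials file, config file, account ID, role name and instance ID in it are constructed placeholders, and the chain is simplified (SSO, process and web-identity providers are left out).

```python
import configparser
import re

# Lookup order used by the AWS CLI and SDKs (botocore) for the common
# sources. The first provider that returns a key wins; the rest are never
# consulted, so a credentials file mounted into the container shadows the
# EC2 instance profile. SSO, process and web-identity providers are omitted.
PROVIDER_CHAIN = ("environment", "shared_credentials", "config_profile",
                  "container", "imds")

# Constructed sample ~/.aws/credentials as it might be bind-mounted from a
# laptop into the container. The key ID is a placeholder, not a real key.
SAMPLE_CREDENTIALS = """
[default]
aws_access_key_id = AKIAEXAMPLESTALEKEY1
aws_secret_access_key = not-a-real-secret
"""

# Constructed sample ~/.aws/config; account and role name are placeholders.
SAMPLE_CONFIG = """
[profile deploy]
role_arn = arn:aws:iam::123456789012:role/BindplaneS3Writer
source_profile = default
region = us-east-1
"""


def profile_keys(credentials_ini: str) -> dict:
    """Map profile name -> access key ID for every profile with a static key."""
    cp = configparser.ConfigParser()
    cp.read_string(credentials_ini)
    return {s: cp.get(s, "aws_access_key_id")
            for s in cp.sections() if cp.has_option(s, "aws_access_key_id")}


def key_kind(access_key_id: str) -> str:
    """AKIA... is a long-term IAM user key; ASIA... is a temporary STS key,
    which is what an instance profile or an assumed role hands out."""
    if access_key_id.startswith("AKIA"):
        return "long-term"
    if access_key_id.startswith("ASIA"):
        return "temporary"
    return "unknown"


def resolve_source(env: dict, credentials_ini: str = "", config_ini: str = "",
                   imds_reachable: bool = False) -> tuple:
    """Walk PROVIDER_CHAIN and return (source, access_key_id_or_None)."""
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return "environment", env["AWS_ACCESS_KEY_ID"]
    profile = env.get("AWS_PROFILE", "default")
    keys = profile_keys(credentials_ini)
    if profile in keys:
        return "shared_credentials", keys[profile]
    cfg = configparser.ConfigParser()
    cfg.read_string(config_ini)
    section = profile if profile == "default" else f"profile {profile}"
    if cfg.has_section(section):
        if cfg.has_option(section, "aws_access_key_id"):
            return "config_profile", cfg.get(section, "aws_access_key_id")
        base = cfg.get(section, "source_profile", fallback=None)
        if cfg.has_option(section, "role_arn") and base in keys:
            # The AssumeRole call is signed with the base profile's static
            # key, so a stale base key fails before the role is ever used.
            return "config_profile", keys[base]
    if env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"):
        return "container", None      # ECS/EKS task-role endpoint
    if imds_reachable:
        return "imds", None           # EC2 instance profile, temporary key
    return "none", None


def diagnose(source: str, access_key_id) -> str:
    """One-line verdict for the S3 403 'does not exist in our records' symptom."""
    if source in ("environment", "shared_credentials", "config_profile"):
        return (f"{source} supplies {key_kind(access_key_id)} key "
                f"{access_key_id}, which shadows the instance profile; a "
                "deleted or rotated key is what S3 reports as InvalidAccessKeyId")
    if source == "imds":
        return "instance profile in use; check the role and bucket policies"
    if source == "container":
        return "container credential endpoint (task role) in use"
    return "no credentials found; is IMDS reachable from the container?"


# Instance-profile credentials appear in STS as an assumed-role session
# whose session name is the EC2 instance ID (aws partition only here).
_INSTANCE_SESSION = re.compile(
    r"^arn:aws:sts::\d{12}:assumed-role/[^/]+/i-[0-9a-f]+$")


def is_instance_profile_session(caller_arn: str) -> bool:
    """True if `aws sts get-caller-identity` returned an instance-profile session."""
    return bool(_INSTANCE_SESSION.match(caller_arn))


def imdsv2_usable_from_container(metadata_options: dict) -> bool:
    """Takes the MetadataOptions block of `aws ec2 describe-instances`.
    The IMDSv2 token response is sent with an IP TTL equal to
    HttpPutResponseHopLimit; Docker's bridge network adds one hop, so the
    default limit of 1 never reaches the container, while IMDSv1 GETs
    (no TTL restriction) still work."""
    return (metadata_options.get("HttpEndpoint", "enabled") == "enabled"
            and int(metadata_options.get("HttpPutResponseHopLimit", 1)) >= 2)


if __name__ == "__main__":
    src, key = resolve_source({}, SAMPLE_CREDENTIALS, SAMPLE_CONFIG,
                              imds_reachable=True)
    print(src, key, "->", diagnose(src, key))
```

Running it with the sample inputs picks `shared_credentials` and the stale AKIA key even though IMDS is reachable, which is the situation a mounted ~/.aws directory creates. If `aws sts get-caller-identity` inside the container returns an `assumed-role/.../i-...` ARN, the instance profile is in use and the problem is policy, not identity. For the IMDSv2 half of the question, either run the container with `--network host` or raise the hop limit on the instance with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-put-response-hop-limit 2 --http-tokens required`; after that, `curl -X PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` from inside the container should return a token. The `GetCallerIdentity` call is a management event, so CloudTrail records it (with the `accessKeyId` under `userIdentity`) even without S3 data events enabled.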
