add configurable alternate credential profile
fierlion committed Aug 29, 2022
1 parent f4ca59d commit b06f2fa
Showing 3 changed files with 20 additions and 1 deletion.
1 change: 1 addition & 0 deletions README.md
@@ -184,6 +184,7 @@ additional details on each available environment variable.
| `ECS_EXCLUDE_UNTRACKED_IMAGE` | `alpine:latest` | Comma seperated list of `imageName:tag` of images that should not be deleted by the ECS agent if `ECS_ENABLE_UNTRACKED_IMAGE_CLEANUP` is enabled. | | |
| `ECS_DISABLE_DOCKER_HEALTH_CHECK` | `false` | Whether to disable the Docker Container health check for the ECS Agent. | `false` | `false` |
| `ECS_NVIDIA_RUNTIME` | nvidia | The Nvidia Runtime to be used to pass Nvidia GPU devices to containers. | nvidia | Not Applicable |
| `ECS_ALTERNATE_CREDENTIAL_PROFILE` | default | An alternate credential role/profile name. | default | default |
| `ECS_ENABLE_SPOT_INSTANCE_DRAINING` | `true` | Whether to enable Spot Instance draining for the container instance. If true, if the container instance receives a [spot interruption notice](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-interruptions.html), agent will set the instance's status to [DRAINING](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/container-instance-draining.html), which gracefully shuts down and replaces all tasks running on the instance that are part of a service. It is recommended that this be set to `true` when using spot instances. | `false` | `false` |
| `ECS_LOG_ROLLOVER_TYPE` | `size` | `hourly` | Determines whether the container agent logfile will be rotated based on size or hourly. By default, the agent logfile is rotated each hour. | `hourly` | `hourly` |
| `ECS_LOG_OUTPUT_FORMAT` | `logfmt` | `json` | Determines the log output format. When the json format is used, each line in the log would be a structured JSON map. | `logfmt` | `logfmt` |
@@ -15,13 +15,16 @@ package providers

import (
"fmt"
"os"
"time"

"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/cihub/seelog"
)

const (
ALTERNATE_CREDENTIAL_PROFILE_ENV_VAR = "ECS_ALTERNATE_CREDENTIAL_PROFILE"
DEFAULT_CREDENTIAL_PROFILE = "default"
// defaultRotationInterval is how frequently to expire and re-retrieve the credentials from file.
defaultRotationInterval = time.Minute
// RotatingSharedCredentialsProviderName is the name of this provider
@@ -41,11 +44,17 @@ type RotatingSharedCredentialsProvider struct {
// NewRotatingSharedCredentials returns a rotating shared credentials provider
// with default values set.
func NewRotatingSharedCredentialsProvider() *RotatingSharedCredentialsProvider {
var credentialProfile = DEFAULT_CREDENTIAL_PROFILE
if alternateCredentialProfile := os.Getenv(ALTERNATE_CREDENTIAL_PROFILE_ENV_VAR); alternateCredentialProfile != "" {
seelog.Infof("Overriding %s credential profile; using: %s.", DEFAULT_CREDENTIAL_PROFILE, alternatCredentialProfile)
credentialProfile = alternateCredentialProfile
}

return &RotatingSharedCredentialsProvider{
RotationInterval: defaultRotationInterval,
sharedCredentialsProvider: &credentials.SharedCredentialsProvider{
Filename: defaultRotatingCredentialsFilename,
Profile: "default",
Profile: credentialProfile,
},
}
}
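Review bot: The `seelog.Infof` call in `NewRotatingSharedCredentialsProvider` passes `alternatCredentialProfile`, but the `if` initializer on the line above declares `alternateCredentialProfile`, so as shown the identifier is undefined and the package should not compile; the argument should read `alternateCredentialProfile`. Because this value comes straight from the environment and decides which profile in the shared credentials file the agent authenticates with, I would also log it with `%q` rather than `%s` so stray whitespace or control characters show up in the agent log. The new exported constants `ALTERNATE_CREDENTIAL_PROFILE_ENV_VAR` and `DEFAULT_CREDENTIAL_PROFILE` have no doc comments and break the MixedCaps style of `defaultRotationInterval` beside them; a comment such as `// alternateCredentialProfileEnvVar names the environment variable that overrides the shared-credentials profile.` would cover the first. Nothing visible says what happens when the named profile is missing from the credentials file, which is worth stating in the function's doc comment.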
@@ -33,6 +33,15 @@ func TestNewRotatingSharedCredentialsProvider(t *testing.T) {
require.Equal(t, defaultRotatingCredentialsFilename, p.sharedCredentialsProvider.Filename)
}

func TestNewRotatingSharedCredentialsProviderExternal(t *testing.T) {
os.Setenv("ECS_ALTERNATE_CREDENTIAL_PROFILE", "external")
defer os.Unsetenv("ECS_ALTERNATE_CREDENTIAL_PROFILE")
p := NewRotatingSharedCredentialsProvider()
require.Equal(t, time.Minute, p.RotationInterval)
require.Equal(t, "external", p.sharedCredentialsProvider.Profile)
require.Equal(t, defaultRotatingCredentialsFilename, p.sharedCredentialsProvider.Filename)
}

func TestRotatingSharedCredentialsProvider_RetrieveFail_BadPath(t *testing.T) {
p := NewRotatingSharedCredentialsProvider()
p.sharedCredentialsProvider.Filename = "/foo/bar/baz/bad/path"
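Review bot: `TestNewRotatingSharedCredentialsProviderExternal` sets the variable with `os.Setenv` and clears it with `defer os.Unsetenv`, which discards any value the variable had before the test and ignores the `Setenv` error; if the module's Go version allows it, `t.Setenv(ALTERNATE_CREDENTIAL_PROFILE_ENV_VAR, "external")` restores the previous value on cleanup and refuses to run in a parallel test. Using the constant instead of the repeated string literal keeps the test tied to the name the provider actually reads. If the default-profile test above (which starts outside this hunk) asserts the profile, it depends on the variable being unset in the environment running the tests, so pinning it there with `t.Setenv(ALTERNATE_CREDENTIAL_PROFILE_ENV_VAR, "")` would make it hermetic. `TestRotatingSharedCredentialsProvider_RetrieveFail_BadPath` continues past the end of the hunk.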