So we are running an AWS Batch job on ECS/Fargate and want to access some AWS service.
Where do I get the credentials (SecretAccessKey etc) from, that is the credentials for the assigned Job Role?
Places already checked:
- $HOME/.aws: Does not exist
- Env Vars: Not there
- Env Var
AWS_CONTAINER_CREDENTIALS_RELATIVE_URI: Nope
Using AWS CLI does work (magically, as it walks the credential chain), but we do not want to ship AWS CLI nor some AWS SDK.
If we have to sts_client.assume_role(), how to do that without an AWS SDK (yes, we are using Rust)?
Update
When running CLI with aws configure --debug export-credentials in the Batch job, we see that the credential gets successfully resolved by the by calling the endpoint botocore.credentials.SSOProviderhttp://169.254.170.2/v2/credentials/UUID. Still a mistery which credential provider does resolve, and where the UUID is sourced from.