Compose: NoCredentialProviders

According to https://docs.docker.com/engine/reference/logging/awslogs/#credentials the credentials only need to be provided to the daemon, so I'm not sure why the difference in client matters.

Where is the docker daemon running? Do you notice any difference in the docker inspect of the container created by docker run vs the container created by docker-compose ?

I get this error despite the fact that I created ~/.aws/credentials file per your documentation. How would you recommend to pinpoint what exactly is missing ?

Following sample application in Scala works and can find credentials file

    val conf = ConfigFactory.load().getConfig("case")
    val aws_region = RegionUtils.getRegion(conf.getString("aws_region"))
    val client = new AWSLogsClient(new ProfileCredentialsProvider("default"))
    client.setRegion(aws_region)
    val req = new PutLogEventsRequest()
    req.setLogGroupName("case")
    req.setLogStreamName("api-server")
    val arr: util.Collection[InputLogEvent] = new util.ArrayList[InputLogEvent]()
    val event = new InputLogEvent()
    event.setMessage("test message!")
    event.setTimestamp(ZonedDateTime.now().toEpochSecond * 1000)
    arr.add(event)
    req.setLogEvents(arr)
    val regs = client.putLogEvents(req)
    println(regs)

I'm on Docker 1.9.1

ping

It's important to remember that this credential file needs to be made available to the docker engine not the client. It's the engine (the daemon) that is going to connect to aws.

If you create that file as a user, it may not be available to the engine. If you're running docker-machine and the engine is in the VM, you'll need to move that credentials file into the VM for the root user.

This is still a problem. Even with moving the credentials to /root/.aws/credentials, I still get this error.

In my case too the above error was caused by not having service provider credentials properly set. (I do not configure default credentials but rather set a profile as needed.)

If you are having trouble figuring out whether the credentials are configured, you might install the python awscli module and invoke something like aws ec2 describe-instances. The error messages from that application seem clearer to me.

Before using docker-compose I set the environment with docker-machine. Both docker-machine ls and docker-machine env $CONTAINER_NAME produced errors even though neither command seemed like it should need credentials. It caused some confusion when those seemingly innocuous commands worked one moment and stopped the next because I had changed to a terminal window without AWS_PROFILE defined.

Neither of the above commands required service provider credentials when I used the DigitalOcean driver.

For reference, the error I observed on invoking env was

Error checking TLS connection: NoCredentialProviders: no valid providers in chain. Deprecated.
For verbose messaging see aws.Config.CredentialsChainVerboseErrors

I think I tried everything - setting up ~/.aws/credentials and ~/.aws/config for both myself and root, setting AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION as env variables for myself and root and on the project level in .env file, adding that to docker-compose.yml, reviewed IAM permissions, but getting NoCredentialProviders over and over.

Why can't compose config accept key id and secret just as it accepts region??
I would pass these from my .env file and problem solved. But now I need to find another way for logging...

@sharq1 Did you find a solution? I'm facing the same issue.

@AlexZeitler have you confirmed the credentials are working correctly with the AWS CLI?

@jasco Yes, they're working fine.

This tutorial (using the systemd part on Ubuntu 18.04) did the trick: https://wdullaer.com/blog/2016/02/28/pass-credentials-to-the-awslogs-docker-logging-driver-on-ubuntu/

Still an issue.
Linux dockerSwarm01.vns.local 3.10.0-862.14.4.el7.x86_64 #1 SMP Wed Sep 26 15:12:11 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Docker version 18.09.0, build 4d60db4

Works without issue: eval $(aws ecr get-login --no-include-email --region us-gov-west-1)

echo $AWS_ACCESS_KEY_ID
A.....
echo $AWS_SECRET_ACCESS_KEY
h.....

cat ~/.aws/config
[default]
region = us-gov-west-1

cat ~/.aws/credentials
[default]
aws_access_key_id=A....
aws_secret_access_key=h....

Jan 15 17:00:03 dockerSwarm01.vns.local dockerd[30809]: time="2019-01-15T17:00:03.373268493-05:00" level=error msg="fatal task error" error="starting container failed: failed to initialize logging driver: NoCredentialProviders: no valid providers in chain. Deprecated.\n\tFor verbose messaging see aws.Config.CredentialsChainVerboseErrors" module=node/agent/taskmanager node.id=1f5t37qqgdpwz3qimiwpteqp0 service.id=9cb8od8kj177ak74kokxtp9bu task.id=kg21is0n80pic9rmojb9fkdhs Jan 15 17:00:36 dockerSwarm01.vns.local dockerd[30809]: time="2019-01-15T17:00:36.531371548-05:00" level=error msg="fatal task error" error="starting container failed: failed to initialize logging driver: NoCredentialProviders: no valid providers in chain. Deprecated.\n\tFor verbose messaging see aws.Config.CredentialsChainVerboseErrors" module=node/agent/taskmanager node.id=1f5t37qqgdpwz3qimiwpteqp0 service.id=9cb8od8kj177ak74kokxtp9bu task.id=rt4zrs4fz3aepau5ybn02eylb Jan 15 17:00:54 dockerSwarm01.vns.local dockerd[30809]: time="2019-01-15T17:00:54.714278599-05:00" level=error msg="fatal task error" error="starting container failed: failed to initialize logging driver: NoCredentialProviders: no valid providers in chain. Deprecated.\n\tFor verbose messaging see aws.Config.CredentialsChainVerboseErrors" module=node/agent/taskmanager node.id=1f5t37qqgdpwz3qimiwpteqp0 service.id=9cb8od8kj177ak74kokxtp9bu task.id=lhn4wk5l6xcexq8ug0jbdtkbs

Same issue, here. Credentials in /root/.aws/credentials but not picked up (Fedora Atomic 28).

hi @ehrlichja , maybe you can try:

1. create file /etc/systemd/system/docker.service.d/aws-credentials.conf
2. add content in file aws-credentials.conf:
   [Service]
   Environment="AWS_ACCESS_KEY_ID="
   Environment="AWS_SECRET_ACCESS_KEY="
3. exec sudo systemctl daemon-reload to reload daemon config
4. exec sudo service docker restart to restart docker
5. exec systemctl show --property=Environment docker to see whether the env variables existed.

This blog post helped me: https://wdullaer.com/blog/2016/02/28/pass-credentials-to-the-awslogs-docker-logging-driver-on-ubuntu/ previous comment is right, but the blog post covers more cases.

Hello, Is there any plan to fix this issue? Thanks!

any update on this issue?

FWIW: I am using the SSM Agent on an onprem instance, then I set the user in the docker service file.
vi /usr/lib/systemd/system/docker.service

[Service]
User=root

bump

Please this is still relevant, any help?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

This issue has been automatically closed because it had not recent activity during the stale period.