How to obtain TLS certs created by Docker for AWS?

Expected behavior

I need to connect to a Docker cluster created with the “Docker for AWS” template from my CI server to deploy services. I would like to avoid SSH’ing onto manager nodes and prefer to use the remote Docker API (docker CLI commands executed from within the CI server, connecting to the management port of one of the swarm managers).

My understanding is that in order to do this I need to provide the proper certs to my remote Docker session so it is accepted by the swarm managers. But I cannot find a way to obtain those certs from my swarm cluster; I cannot locate the files…

Any advice would be greatly appreciated.

Is there a particular reason you don’t want to use SSH? As mentioned in the docs, you can set up a tunnel. With that, using the remote Docker API on your Docker for AWS swarm will seem like using a local engine:

$ ssh -i <path-to-ssh-key> -NL localhost:2374:/var/run/docker.sock docker@<ssh-host> &
$ docker -H localhost:2374 info
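An added example (not from the original thread) of the tunnel approach as a CI deploy script: it uses a dedicated deploy key and a pinned known_hosts file, makes ssh fail rather than run without the forward, polls until the Docker API actually answers through the tunnel, and closes the tunnel on exit. The manager host name, the key and known_hosts paths, and the stack/compose-file arguments are placeholders.

```shell
#!/bin/sh
# Open an SSH tunnel to a Docker for AWS manager, deploy through it, tear it down.
# SSH_HOST, SSH_KEY and KNOWN_HOSTS are constructed placeholders, not real values.
set -eu

SSH_KEY="${SSH_KEY:-/run/secrets/swarm_deploy_key}"            # dedicated CI key
SSH_HOST="${SSH_HOST:-manager.example.invalid}"                 # one swarm manager
KNOWN_HOSTS="${KNOWN_HOSTS:-/run/secrets/swarm_known_hosts}"    # pinned manager host key
LOCAL_PORT="${LOCAL_PORT:-2374}"

# with_tunnel_args CMD...: run CMD with the tunnel's ssh argument list appended.
# -N: no remote shell; BatchMode: never prompt in CI; StrictHostKeyChecking with a
# pinned known_hosts file: no TOFU on the build agent; ExitOnForwardFailure: ssh
# exits instead of sitting there if the forward to docker.sock cannot be set up.
with_tunnel_args() {
  "$@" -i "$SSH_KEY" -o IdentitiesOnly=yes -o BatchMode=yes \
       -o StrictHostKeyChecking=yes -o "UserKnownHostsFile=$KNOWN_HOSTS" \
       -o ExitOnForwardFailure=yes \
       -NL "127.0.0.1:$LOCAL_PORT:/var/run/docker.sock" "docker@$SSH_HOST"
}

# retry N DELAY CMD...: run CMD up to N times, sleeping DELAY seconds between tries.
# Returns 0 on the first success, 1 if every attempt failed.
retry() {
  n=$1; delay=$2; shift 2
  i=0
  while [ "$i" -lt "$n" ]; do
    if "$@"; then return 0; fi
    i=$((i + 1))
    if [ "$i" -lt "$n" ]; then sleep "$delay"; fi
  done
  return 1
}

# deploy_with_tunnel STACK COMPOSE_FILE: the only path to the API is the tunnel.
deploy_with_tunnel() {
  stack="$1"; compose_file="$2"
  with_tunnel_args ssh &
  tunnel_pid=$!
  trap 'kill "$tunnel_pid" 2>/dev/null' EXIT INT TERM   # never leave the tunnel open
  export DOCKER_HOST="tcp://127.0.0.1:$LOCAL_PORT"
  # ssh goes to the background before the forward is usable: poll the API, don't sleep blindly.
  retry 10 1 docker version >/dev/null 2>&1 || { echo "tunnel never came up" >&2; return 1; }
  docker stack deploy -c "$compose_file" "$stack"
}

# Usage: ./deploy.sh <stack-name> <compose-file>
if [ $# -eq 2 ]; then deploy_with_tunnel "$1" "$2"; fi
```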

The only one is that SSH is quite a wide entrance into my production cluster. I have to embed SSH creds for a production node into my CI server config. I had the impression that providing only TLS cert data would create a smaller opening.

But I will try going with the SSH/tunnel path for now. Thanks for help!

That’s a fair point, but in this case, running Docker is the only thing you can do on Docker for AWS anyway.