Supporting multiple IAM roles via instance metadata endpoint

Expected behavior

Not expected but desired is the ability to call multiple IAM roles via the metadata endpoint, e.g. http://169.254.169.254/latest/meta-data/iam/security-credentials/my_role.

Actual behavior

Instance profiles are limited to supporting one IAM role, so requests for other roles result in a 404.

Additional Information

We are in the process of migrating from EC2 instances to Docker containers and use various methods to obtain temporary IAM credentials. One of those methods is the use of instance profile roles via the metadata endpoint. When running EC2 instances you can assign different instance profiles to different machines, allowing you to be more granular with the permissions. Prior to moving to Docker for AWS we were able to utilize the swipely/iam-docker (https://github.com/swipely/iam-docker/blob/master/README.md) container to act as a proxy for the metadata requests, allowing us to get around the one-role-per-instance-profile issue. Docker for AWS has removed that possibility by making it impossible to perform the iptables updates necessary to forward requests to the proxy container. Is there a method I’m not aware of that would allow us to forward requests to the metadata endpoint to the iam-docker container, or do you have plans on how to handle this in the future?

Steps to reproduce the behavior

  1. On any container, make a request for the instance profile assigned to the Docker hosts and you will get your temporary credentials.
  2. Attempting to make the same call for a different role results in a 404 (this is expected).
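
Added example (not from the issue author, iam-docker or Docker for AWS): a small Python check for the two reproduction steps above that reports which role a container actually obtains from the metadata endpoint and classifies the 404 returned for any other role. The `fetch` callable and the credential document are constructed stand-ins so the check runs offline; on a real host the default `http_get` talks to 169.254.169.254.

```python
import json
import urllib.error
import urllib.request

# IMDSv1 path used in the issue above; the trailing slash matters for the listing.
IMDS_BASE = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"

def http_get(url, timeout=2):
    """Real IMDS request. Returns (status, body); a 404 is a normal answer here."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""

def exposed_role(fetch=http_get):
    """The bare listing path returns the name of the role the instance profile grants."""
    status, body = fetch(IMDS_BASE)
    return body.strip() if status == 200 else None

def role_status(role, fetch=http_get):
    """Classify the metadata service's answer for one role name:
    'attached'     - a credential document came back (the instance profile's role)
    'not-attached' - 404, the behaviour described in step 2 above
    'unreachable'  - anything else (e.g. a broken proxy or iptables redirect)
    Only non-secret fields are returned so the result is safe to log."""
    status, body = fetch(IMDS_BASE + role)
    if status == 200:
        doc = json.loads(body)
        return "attached", {"AccessKeyId": doc["AccessKeyId"], "Expiration": doc["Expiration"]}
    if status == 404:
        return "not-attached", None
    return "unreachable", None

def least_privilege_ok(expected_role, fetch=http_get):
    """True only if the container sees exactly the role it is supposed to get."""
    return exposed_role(fetch) == expected_role

# Constructed stand-in for IMDS so the check runs offline: only 'host-role' is attached.
_FAKE_DOC = json.dumps({"Code": "Success", "Type": "AWS-HMAC",
                        "AccessKeyId": "ASIAEXAMPLEKEY", "SecretAccessKey": "<constructed>",
                        "Token": "<constructed>", "Expiration": "2030-01-01T00:00:00Z"})

def fake_fetch(url, timeout=2):
    if url == IMDS_BASE:
        return 200, "host-role\n"
    if url == IMDS_BASE + "host-role":
        return 200, _FAKE_DOC
    return 404, ""
```

Run `least_privilege_ok("<role the container should have>")` from inside a container to confirm it is not simply inheriting the worker node's profile.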

Were you ever able to sort this out? I’m having the same problems with giving containers only the permissions they need, rather than having to give all permissions to each worker node.