"The way" to manage users on Docker 4 AWS nodes

Expected behavior

I need to provide access to manage the production cluster from our CI tools. Access should not be granted via the AWS key-pair that was used to create the swarm using the CloudFormation template provided by Docker for AWS.

Actual behavior

When boxes are set up, the only way to access them is via SSH using the main key-pair. The Docker socket is not open, and no other users have access to the system. As nodes are part of auto-scaling groups, any change done directly on those nodes will not be available when instances are bumped by AWS scaling. As far as I understand, we should not tinker with AMIs (create our own with those users added).

The only solution I can see right now is to modify the userdata in the launch configurations assigned to the auto-scaling groups and add some user-initializing code there. But maybe I am missing some other, better solution. Any recommendations?


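As an added example (not from this thread and not Docker's own template code) of the user-data idea in the question: a bootstrap script that creates a dedicated, non-root CI account with its own SSH key on every node at boot, so the account is re-created when the auto-scaling group replaces an instance and can be revoked without touching the main key-pair. It assumes a standard Linux host with `useradd` and a `docker` group, which the thread does not confirm for the Docker for AWS AMI; the user name, public key and CI subnet are placeholders.

```shell
#!/bin/sh
# Added example: user-data bootstrap for a least-privilege CI account.
# Assumes a standard Linux host with useradd and a "docker" group.
# CI_USER, CI_PUBKEY and CI_FROM are placeholders to be replaced.
set -eu

CI_USER="${CI_USER:-ci-deploy}"
CI_PUBKEY="${CI_PUBKEY:-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY ci@example.invalid}"
CI_FROM="${CI_FROM:-10.0.0.0/16}"   # placeholder: the CI runners' subnet

# Build an authorized_keys line that pins the key to one source network and
# uses "restrict" (OpenSSH 7.2+) to disable forwarding and pty allocation;
# the CI job can still run non-interactive docker commands over SSH.
build_authorized_key_line() {
    _pubkey="$1"
    _from="$2"
    printf 'restrict,from="%s" %s\n' "$_from" "$_pubkey"
}

# Reject anything that does not look like an OpenSSH public key, so a
# malformed value cannot be written to disk and silently lock CI out.
is_valid_pubkey() {
    case "$1" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Create the account (no password, no sudo) and install the restricted key.
# $1 is an optional directory prefix so the file layout can be exercised
# without root; on a real node it is left empty.
provision_ci_user() {
    _root="${1:-}"
    is_valid_pubkey "$CI_PUBKEY" || { echo "bad CI_PUBKEY" >&2; return 1; }
    if [ -z "$_root" ]; then
        # Membership in the docker group is what grants socket access.
        id "$CI_USER" >/dev/null 2>&1 || useradd -m -s /bin/sh -G docker "$CI_USER"
    fi
    _home="$_root/home/$CI_USER"
    mkdir -p "$_home/.ssh"
    build_authorized_key_line "$CI_PUBKEY" "$CI_FROM" > "$_home/.ssh/authorized_keys"
    chmod 700 "$_home/.ssh"
    chmod 600 "$_home/.ssh/authorized_keys"
    [ -z "$_root" ] && chown -R "$CI_USER:$CI_USER" "$_home"
    return 0
}

# On a real node the user-data runs this as root with no prefix:
# provision_ci_user
```

Rotating or revoking CI access then means changing CI_PUBKEY in the launch configuration and cycling the instances, with the main key-pair untouched.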

That’s a good question.

Our generic answer is to use either Docker Cloud Fleet Management or Docker EE Universal Control Plane.

I don’t know that Fleet Management has good support for API users, but you can probably create a “bot” Docker ID and use that on your CI machines. Docs here: https://docs.docker.com/docker-cloud/cloud-swarm/connect-to-swarm/