Use env variable in artifact block

Hello,

I pushed a Docker image on s3 and I would like to download this one with the artifact block to run my container.

I am trying to use env variables (AWS_ACCESS_KEY_ID, AWS_ACCESS_KEY) stored in Vault to authenticate on s3, but it seems that it’s not working.

failed to download artifact "s3::https://xxxxxxxxxxxxx": NoCredentialProviders: no valid providers in chain caused by: EnvAccessKeyNotFound: AWS_ACCESS_KEY_ID or AWS_ACCESS_KEY not found in environment SharedCredsLoad: failed to load shared credentials file caused by: FailedRead: unable to open file caused by: open /root/.aws/credentials: no such file or directory EmptyEC2RoleList: empty EC2 Role list

I think it’s not very safe to put the credentials directly in the job.

Do you have a solution?

Thank you for your help

Kevin

Have you ever found a solution for this?

Hello @vvarga,

No sorry :face_with_diagonal_mouth:

If you check the systemd service file for nomad you can see it will pull environment variables from “/etc/nomad.d/nomad.env”

[root@xxxxx ~]# grep Environment /usr/lib/systemd/system/nomad.service
EnvironmentFile=-/etc/nomad.d/nomad.env

If you set the AWS access id and secret key there, it works with AWS S3, but doesn’t work with an on-prem S3-compatible object storage.
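A check for the env-file approach above, added here as an example and not part of the original posts: since the file now holds long-lived keys, it verifies that only the owner can read it and that it defines the variable names the error message asks for. The function name `check_nomad_env` is hypothetical, and the secret-key names (`AWS_SECRET_ACCESS_KEY`, `AWS_SECRET_KEY`) come from the AWS SDK for Go, not from this thread.

```shell
#!/bin/sh
# Added example: audit the EnvironmentFile that systemd loads into the Nomad agent.
# Usage: sh check_nomad_env.sh /etc/nomad.d/nomad.env
# Returns 0 if the file looks sane, 1 on findings, 2 if the file is missing.
# Only variable NAMES are reported; values are never printed.

check_nomad_env() {
    file="$1"
    rc=0

    if [ ! -f "$file" ]; then
        echo "MISSING: $file does not exist"
        return 2
    fi

    # The file holds secrets, so group/other must have no access.
    # GNU stat first, BSD stat as fallback.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in
        600|400) ;;
        *) echo "PERMS: $file is mode $mode, expected 600 or 400"; rc=1 ;;
    esac

    # Access key: the two names listed in the EnvAccessKeyNotFound error.
    if ! grep -Eq '^(AWS_ACCESS_KEY_ID|AWS_ACCESS_KEY)=.+' "$file"; then
        echo "KEY: neither AWS_ACCESS_KEY_ID nor AWS_ACCESS_KEY is set"
        rc=1
    fi

    # Secret key: names accepted by the AWS SDK for Go (assumption, see lead-in).
    if ! grep -Eq '^(AWS_SECRET_ACCESS_KEY|AWS_SECRET_KEY)=.+' "$file"; then
        echo "KEY: neither AWS_SECRET_ACCESS_KEY nor AWS_SECRET_KEY is set"
        rc=1
    fi

    return "$rc"
}

# Run the check when a path is given on the command line.
if [ -n "${1:-}" ]; then
    check_nomad_env "$1"
fi
```

systemd reads the `EnvironmentFile` when the service starts, so the Nomad agent has to be restarted before a change to the file takes effect.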

This isn’t a direct answer to your question, but from the error message it looks like the larger context is that you’re doing this on an EC2 instance. The answer is “don’t”. Best practice is to use an EC2 service role you create in IAM and apply that to the EC2 instance. No secret keys needed, so no secret keys leaked.