
Let's say something like this is being returned when attempting to create/start a Docker container.
docker: Error response from daemon: failed to initialize logging driver: failed to create Cloudwatch log stream: NoCredentialProviders: no valid providers in chain. Deprecated.
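This means the Docker container is using the awslogs driver. In this example, it is set with the --log-driver=awslogs flag. Note that --env sets variables inside the container, while the awslogs driver runs in the Docker daemon and uses the daemon's own credentials, so the keys passed with --env never reach the logging driver.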
~]$ sudo docker run --log-driver=awslogs --env AWS_ACCESS_KEY_ID=ABC123DEF456GHI789A1 --env AWS_SECRET_ACCESS_KEY=ABCDEFG123456789ABCDEFG123456789ABCDEFG1 hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
c1ec31eb5944: Pull complete
Digest: sha256:4bd78111b6914a99dbc560e6a20eab57ff6655aea4a80c50b0c5491968cbc2e6
Status: Downloaded newer image for hello-world:latest
docker: Error response from daemon: failed to initialize logging driver: failed to create Cloudwatch log stream: NoCredentialProviders: no valid providers in chain. Deprecated.
For verbose messaging see aws.Config.CredentialsChainVerboseErrors.
ERRO[0000] error waiting for container: context canceled
This can also mean Docker has been configured to use the Amazon Web Services (AWS) awslogs driver. Check out my article Amazon Web Services (AWS) - Append Docker logs to CloudWatch. For example, perhaps /etc/docker/daemon.json has the following.
{
  "log-driver": "awslogs",
  "log-opts": {
    "awslogs-region": "us-east-1",
    "awslogs-group": "docker-logs"
  }
}
There are a few things you can try:
- Update your EC2 Instance to use an Instance Profile
- Configure Docker Service with your AWS Access Key and Secret Key
Update your EC2 Instance to use an Instance Profile
Notice in this example that the AWS_ACCESS_KEY_ID ABC123DEF456GHI789A1 was used. Let's say this is johndoe's access key.
sudo docker run --log-driver=awslogs --env AWS_ACCESS_KEY_ID=ABC123DEF456GHI789A1 --env AWS_SECRET_ACCESS_KEY=ABCDEFG123456789ABCDEFG123456789ABCDEFG1 hello-world
The aws iam get-account-authorization-details command can be used to determine if the user has an attached policy, and if so, what policy is attached. Notice in this example that johndoe has AdministratorAccess, meaning johndoe most definitely has permission.
~]$ aws iam get-account-authorization-details --query 'UserDetailList[?UserName==`johndoe`]'
[
  {
    "Path": "/",
    "UserName": "johndoe",
    "UserId": "AZI938DMKDj349AMND02M",
    "Arn": "arn:aws:iam::123456789012:user/jeremycanfield",
    "CreateDate": "2022-09-13T11:13:03+00:00",
    "GroupList": [],
    "AttachedManagedPolicies": [
      {
        "PolicyName": "AdministratorAccess",
        "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"
      }
    ],
    "Tags": []
  }
]
You can try associating an instance profile with your EC2 instance. The aws iam create-instance-profile command can be used to create an instance profile.
aws iam create-instance-profile --instance-profile-name my-instance-profile
The aws iam add-role-to-instance-profile command can be used to attach a role to the instance profile.
aws iam add-role-to-instance-profile --role-name my-role --instance-profile-name my-instance-profile
The aws ec2 associate-iam-instance-profile command can be used to associate the instance profile with your EC2 instance.
aws ec2 associate-iam-instance-profile --instance-id i-abc123def456gh789 --iam-instance-profile Name=my-instance-profile
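The role attached to the instance profile does not need AdministratorAccess: the awslogs driver only calls logs:CreateLogStream and logs:PutLogEvents. The script below is an added example, not part of the original article, that builds a trust policy and a permissions policy scoped to the docker-logs group. It assumes my-role does not exist yet and that the log group already exists; the policy name and the --apply switch are hypothetical names chosen for this example, and the account ID is the sample one from the output above.

```shell
#!/bin/sh
# Added example: least-privilege role for the awslogs driver (not the article's code).
# REGION, LOG_GROUP, ROLE_NAME and ACCOUNT_ID are the article's sample values.
REGION="us-east-1"
ACCOUNT_ID="123456789012"
LOG_GROUP="docker-logs"
ROLE_NAME="my-role"
POLICY_NAME="docker-awslogs-write"  # hypothetical name, chosen for this example

# Trust policy: only the EC2 service may assume the role.
trust_policy() {
cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Permissions policy: the two actions the awslogs driver needs, limited to
# the single log group named in daemon.json. The group must already exist,
# because the daemon.json above does not ask the driver to create it.
logs_policy() {
cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
    "Resource": "arn:aws:logs:${REGION}:${ACCOUNT_ID}:log-group:${LOG_GROUP}:*"
  }]
}
EOF
}

# Nothing is sent to AWS unless the script is run with --apply.
if [ "${1:-}" = "--apply" ]; then
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy)"
  aws iam put-role-policy --role-name "$ROLE_NAME" \
    --policy-name "$POLICY_NAME" --policy-document "$(logs_policy)"
fi
```

Run it without arguments to review the two policy documents, then with --apply before the add-role-to-instance-profile step.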
Configure Docker Service with your AWS Access Key and Secret Key
Let's stop Docker.
sudo systemctl stop docker
Create the /etc/systemd/system/docker.service.d directory.
sudo mkdir --parents /etc/systemd/system/docker.service.d
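Create the /etc/systemd/system/docker.service.d/override.conf file with the following. Keep in mind that this stores a long-lived secret key in plain text, and that systemd exposes Environment= values to unprivileged users (for example through systemctl show docker), so the instance profile is the better choice on EC2.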
[Service]
Environment="AWS_ACCESS_KEY_ID=<your access key>"
Environment="AWS_SECRET_ACCESS_KEY=<your secret key>"
Reload the system daemons.
sudo systemctl daemon-reload
Start docker.
sudo systemctl start docker
Try again.
sudo docker run --log-driver=awslogs hello-world