Add support for ECS task roles as an auth mechanism

command/agent/command.go

@@ -20,7 +20,7 @@ import (
 	"github.com/armon/go-metrics/datadog"
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/credentials"
-	"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
+	"github.com/aws/aws-sdk-go/aws/defaults"
 	"github.com/aws/aws-sdk-go/aws/ec2metadata"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/ec2"
@@ -410,9 +410,7 @@ func (c *Config) discoverEc2Hosts(logger *log.Logger) ([]string, error) {
 				},
 				&credentials.EnvProvider{},
 				&credentials.SharedCredentialsProvider{},
-				&ec2rolecreds.EC2RoleProvider{
-					Client: ec2meta,
-				},
+				defaults.RemoteCredProvider(*(defaults.Config()), defaults.Handlers()),
 			}),
 	}
 

website/source/docs/agent/options.html.markdown

@@ -201,7 +201,8 @@ will exit with an error at startup.
   - Static credentials (from the config file)
   - Environment variables (`AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`)
   - Shared credentials file (`~/.aws/credentials` or the path specified by `AWS_SHARED_CREDENTIALS_FILE`)
-  - EC2 Role instance metadata.
+  - ECS task role metadata (container-specific).
+  - EC2 instance role metadata.
 
 * <a name="_retry_join_ec2_tag_value"></a><a href="#_retry_join_ec2_tag_value">`-retry-join-ec2-tag-value`
   </a> - The Amazon EC2 instance tag value to filter on.
@@ -707,7 +708,6 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass
   * `access_key_id` - The AWS access key ID to use for authentication.
   * `secret_access_key` - The AWS secret access key to use for authentication.
 
-
 * <a name="retry_interval_wan"></a><a href="#retry_interval_wan">`retry_interval_wan`</a> Equivalent to the
   [`-retry-interval-wan` command-line flag](#_retry_interval_wan).