Docker compose configuration can read the user's AWS credentials #74

@nimasmi

Description

In the lines below, there is a volume mount to ~/.aws/ on the host machine, which is the standard location for AWS credentials:

    volumes:
      - ./model:/app
      - /app/.venv # do not clobber installed venv
      - ~/.aws/:/root/.aws:ro

This is problematic, because:

  • it assumes that the host machine has credentials stored there
  • it assumes that developers would want to use their standard set of AWS credentials, rather than app-specific IAM credentials to work with Caddy (i.e. for least privilege adherence, or cost tracking)
  • the code in the container could get a much higher level of AWS access than it needs

It would be better to set this with environment variables specific to the Docker container.
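To make the suggestion concrete, here is an added compose fragment (example code, not the project's own) that places the bind mount described above next to a version that passes container-specific credentials through environment variables. The service name `model` and the `CADDY_AWS_*` variable names are assumptions for this example.

```yaml
# Added example, not from the project's docker-compose.yml.
services:
  # BEFORE (the pattern reported in this issue): the developer's entire
  # ~/.aws directory is exposed to the container, so every profile and any
  # long-lived key on the host is readable by the application code.
  model-before:
    volumes:
      - ./model:/app
      - /app/.venv          # do not clobber installed venv
      - ~/.aws/:/root/.aws:ro   # exposes all host AWS credentials

  # AFTER: only the app-specific IAM credentials reach the container.
  # Compose interpolates ${VAR} from the shell or from a git-ignored .env
  # file in the project directory; ":?" fails fast with a message when a
  # required variable is missing, ":-" supplies a default.
  model:
    volumes:
      - ./model:/app
      - /app/.venv          # do not clobber installed venv
      # no ~/.aws mount
    environment:
      AWS_ACCESS_KEY_ID: ${CADDY_AWS_ACCESS_KEY_ID:?set in .env}
      AWS_SECRET_ACCESS_KEY: ${CADDY_AWS_SECRET_ACCESS_KEY:?set in .env}
      AWS_DEFAULT_REGION: ${CADDY_AWS_REGION:-us-east-1}
```

The AWS SDKs read `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` before any `~/.aws` files, so the application needs no code change; the `.env` file holding the `CADDY_AWS_*` values must be listed in `.gitignore`.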
