Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AWS IAM Permissions in shiny-server - Docker #504

Open
Ada-Nick opened this issue Oct 19, 2021 · 1 comment
Open

AWS IAM Permissions in shiny-server - Docker #504

Ada-Nick opened this issue Oct 19, 2021 · 1 comment

Comments

@Ada-Nick
Copy link

I'm having trouble accessing AWS IAM credentials from within my dockerised shiny-server environment. I'm deploying my shiny server container to ECS but am unable to access services such as s3 despite having the proper IAM permissions.

I can attach a volume to the docker container to manually move the credentials file over:

    volumes:
    - $HOME/.aws/:/home/shiny/.aws/:ro

But this is not practical in production. I can access the IAM credentials when running the app without using shiny-server
by running the docker file like this:

#CMD ["/usr/bin/shiny-server.sh"]
CMD ["R", "-e", "shiny::runApp('/srv/shiny-server/app_name', 3838, host='0.0.0.0')"]

But then I can't run the app on the path I want and it isn't as stable.

How can I access the AWS credentials from within shiny-server?

shiny-server.sh

#!/bin/sh

# Make sure the directory for individual app logs exists
mkdir -p /var/log/shiny-server
chown shiny.shiny /var/log/shiny-server

if [ "$APPLICATION_LOGS_TO_STDOUT" != "false" ];
then
    # push the "real" application logs to stdout with xtail in detached mode
    exec xtail /var/log/shiny-server/ &
fi

# start shiny server
exec shiny-server 2>&1

shiny-server.conf

# Define the user we should use when spawning R Shiny processes
run_as shiny;


# Define a top-level server which will listen on a port
server {
  # Instruct this server to listen on port 80. The app at dokku-alt need expose PORT 80, or 500 e etc. See the docs
  listen 3838;


  # Define the location available at the base URL
  location / {


    # Run this location in 'site_dir' mode, which hosts the entire directory
    # tree at '/srv/shiny-server/app'
    site_dir /srv/shiny-server/app;
    
    # Define where we should put the log files for this location
    log_dir /var/log/shiny-server;
    
    # Should we list the contents of a (non-Shiny-App) directory when the user 
    # visits the corresponding URL?
    directory_index on;
  }

Dockerfile

FROM rocker/shiny-verse:latest

# system libraries of general use
RUN apt-get update && apt-get install -y \
    ....
RUN apt-get update

# Install R packages that are required
# TODO: add further package if you need!

RUN ["install2.r", "paws", "...", ...]

RUN rm -r /srv/shiny-server/*

COPY shiny-server.sh /usr/bin/shiny-server.sh

# copy the app to the image
RUN mkdir /srv/shiny-server/my_app
COPY ./my_app /srv/shiny-server/my_app/

# select port
EXPOSE 3838

# run app
CMD ["/usr/bin/shiny-server.sh"]
@jcheng5
Copy link
Member

jcheng5 commented Oct 19, 2021

When running on ECS, does your container have one or both of the following environment variables?

  • AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
  • AWS_CONTAINER_CREDENTIALS_FULL_URI

If so, I think if we add a way for you to specify that Shiny Server should pass through those environment variables to the R process, that might do the trick. (See also #409)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jcheng5 @Ada-Nick