Feature Request: Add support for AWS IAM roles (ECS Task Role / EC2 Instance Profile) for SQS authentication #463

@moltar

Description

Currently, Outpost requires explicit AWS credentials (AWS_SQS_ACCESS_KEY_ID and AWS_SQS_SECRET_ACCESS_KEY) for SQS authentication. This prevents the use of AWS IAM roles, which is the recommended security practice for applications running on AWS infrastructure like ECS, EC2, or Lambda.

Current Behavior

When running Outpost on ECS Fargate without explicit credentials, the service fails with:

config validation error: message queue configuration is required

Looking at the source code in internal/config/mqconfig_aws.go, the IsConfigured() method requires non-empty credentials:

func (c *AWSSQSConfig) IsConfigured() bool {
    return c.AccessKeyID != "" && c.SecretAccessKey != "" && c.Region != ""
}

Expected Behavior

Outpost should support AWS IAM roles by:

  1. Detecting when running in an AWS environment with IAM roles available
  2. Using the AWS SDK's default credential provider chain
  3. Only requiring the region when IAM roles are available

Use Case

Many organizations follow AWS security best practices by:

  • Using IAM roles instead of long-lived access keys
  • Running containerized workloads on ECS with task roles
  • Deploying on EC2 instances with instance profiles
  • Following the principle of least privilege

Currently, we have to create IAM users with access keys specifically for Outpost, which:

  • Goes against security best practices
  • Requires additional secret management
  • Increases the attack surface
  • Makes credential rotation more complex

Proposed Solution

Modify the IsConfigured() method to support IAM roles:

package config

import "os"

// AWSSQSConfig holds the fields referenced by IsConfigured (from mqconfig_aws.go).
type AWSSQSConfig struct {
    Region          string
    AccessKeyID     string
    SecretAccessKey string
}

func (c *AWSSQSConfig) IsConfigured() bool {
    // Check if running with IAM role credentials
    if hasIAMRoleCredentials() {
        return c.Region != ""
    }
    // Fall back to explicit credentials
    return c.AccessKeyID != "" && c.SecretAccessKey != "" && c.Region != ""
}

// hasIAMRoleCredentials reports whether one of the environment variables that
// the AWS SDK default credential chain consults for role-based credentials is
// set. Note that EC2 instance profiles are served over IMDS and set no
// environment variable, so they are not detected by this function.
func hasIAMRoleCredentials() bool {
    // ECS Task Role
    if os.Getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI") != "" {
        return true
    }
    // Container credential provider with a full URI (e.g. EKS Pod Identity)
    if os.Getenv("AWS_CONTAINER_CREDENTIALS_FULL_URI") != "" {
        return true
    }
    // Lambda or other AWS services
    if os.Getenv("AWS_EXECUTION_ENV") != "" {
        return true
    }
    return false
}

The AWS SDK for Go already handles credential resolution automatically through its default credential provider chain, so the SQS client initialization should work without explicit credentials when IAM roles are available.

Environment

  • Outpost version: v0.4.1
  • Deployment platform: AWS ECS Fargate
  • AWS SDK: Already included in Outpost

Additional Context

This feature would align Outpost with AWS best practices and make it easier to deploy in production environments. Many similar tools (e.g., Fluent Bit and Prometheus) support IAM roles out of the box.

Workarounds

Current workarounds include:

  1. Creating IAM users with access keys (security anti-pattern)
  2. Using a sidecar container to provide credentials
  3. Forking Outpost to add IAM role support

None of these are ideal for production use.

References
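The following is an added example, not code from the issue or from the Outpost project, of how the credential-mode decision proposed above can be made explicit and testable. It keeps the field and method names from the issue, adds a hypothetical `UseIAMRole` opt-in (because EC2 instance profiles are served by IMDS and leave no environment-variable footprint, so they cannot be sniffed from the environment), recognises the web-identity variables used by EKS IRSA in addition to the three sources named in the issue, prefers static keys when both are present, and returns the selected source so the service can log which identity it is using. Environment lookup is injected (normally `os.LookupEnv`) so the logic can be exercised offline.

```go
package main

import (
	"fmt"
	"os"
)

// CredentialMode says how the SQS client should obtain AWS credentials.
type CredentialMode int

const (
	CredentialModeNone   CredentialMode = iota // nothing usable found
	CredentialModeStatic                       // explicit access key + secret
	CredentialModeRole                         // let the SDK default chain use a role
)

func (m CredentialMode) String() string {
	switch m {
	case CredentialModeStatic:
		return "static"
	case CredentialModeRole:
		return "role"
	}
	return "none"
}

// AWSSQSConfig mirrors the fields from the issue. UseIAMRole is a hypothetical
// explicit opt-in for environments such as EC2 instance profiles, whose
// credentials come from IMDS and set no environment variable.
type AWSSQSConfig struct {
	Region          string
	AccessKeyID     string
	SecretAccessKey string
	UseIAMRole      bool
}

// roleSources lists environment variables that the AWS SDK default chain
// consults for role-based credentials. EC2 instance profiles are absent on
// purpose: they are discovered over IMDS, not via the environment.
var roleSources = []struct{ name, env string }{
	{"ecs-task-role", "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"},
	{"container-credentials", "AWS_CONTAINER_CREDENTIALS_FULL_URI"}, // EKS Pod Identity and similar
	{"web-identity", "AWS_WEB_IDENTITY_TOKEN_FILE"},                  // EKS IRSA, needs AWS_ROLE_ARN too
	{"lambda", "AWS_EXECUTION_ENV"},
}

// detectRoleSource returns the name of the first role source visible through
// lookup (normally os.LookupEnv), or "" if none is present.
func detectRoleSource(lookup func(string) (string, bool)) string {
	for _, s := range roleSources {
		v, ok := lookup(s.env)
		if !ok || v == "" {
			continue
		}
		if s.env == "AWS_WEB_IDENTITY_TOKEN_FILE" {
			if arn, ok := lookup("AWS_ROLE_ARN"); !ok || arn == "" {
				continue // a token file without a role ARN cannot assume anything
			}
		}
		return s.name
	}
	return ""
}

// Resolve decides the credential mode and reports where it came from.
// Static keys win when both are present; the caller should log the source
// so operators can see which identity the service is running as.
func (c *AWSSQSConfig) Resolve(lookup func(string) (string, bool)) (CredentialMode, string) {
	if c.Region == "" {
		return CredentialModeNone, "region missing"
	}
	hasStatic := c.AccessKeyID != "" && c.SecretAccessKey != ""
	src := detectRoleSource(lookup)
	switch {
	case hasStatic && src != "":
		return CredentialModeStatic, "static keys (role source " + src + " also present, ignored)"
	case hasStatic:
		return CredentialModeStatic, "static keys"
	case src != "":
		return CredentialModeRole, src
	case c.UseIAMRole:
		return CredentialModeRole, "explicit opt-in (e.g. EC2 instance profile via IMDS)"
	}
	return CredentialModeNone, "no credentials and no role source"
}

// IsConfigured keeps the method name from the issue: any mode other than
// none means the SQS client can be built.
func (c *AWSSQSConfig) IsConfigured() bool {
	mode, _ := c.Resolve(os.LookupEnv)
	return mode != CredentialModeNone
}

func main() {
	cfg := &AWSSQSConfig{Region: "us-east-1"} // constructed sample config
	mode, src := cfg.Resolve(os.LookupEnv)
	fmt.Printf("mode=%s source=%s configured=%v\n", mode, src, cfg.IsConfigured())
}
```

When wiring this into the client with AWS SDK for Go v2, the mode maps onto `config.LoadDefaultConfig`: in `CredentialModeStatic` pass `config.WithRegion(region)` together with `config.WithCredentialsProvider(credentials.NewStaticCredentialsProvider(id, secret, ""))`; in `CredentialModeRole` pass only `config.WithRegion(region)` and let the default chain reach the ECS, container, web-identity or IMDS provider itself. Logging the returned source string at startup gives operators a direct check that the service picked up the intended task role rather than a leftover access key.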

Labels: enhancement (New feature or request)