Unable to use implicit IAM/role-based auth when using Boto3 inside Docker on EC2

[ethagnawl]

I've run into a frustrating edge case that I'm now having to either introduce custom logic to work around or solve properly.

I'm running a Django application inside a Docker container on EC2. I'm using an IAM role attached to the instance to grant it access to a particular S3 bucket and set of actions. This is all working well and I can confirm that Boto3 can authenticate using the IAM role and access the bucket as expected when Python is run directly on the instance.

However, when Python is running inside a Docker container on the same instance, Boto3 is unable to use that same implicit authentication strategy. I have configured the EC2 instance to use IMDSV2, required token auth and increased the allowed number of hops (currently 63 while I'm messing with this but ideally 2-3). What's particularly odd is that I'm able to access the IMDSV2 endpoint and manually request a token from within the container using Curl or within Python using Requests and thread the token through to Boto and access the S3 bucket as desired.

The downside to manually fetching the token is that I need to implement my own caching/session refresh strategy or suffer the runtime burden of constantly requesting a new token. It's also not entirely clear to me when the Boto3 session expires: is it when the IMDVS2 token expires or at some other arbitrary point?

So, before I implement a cache/retry strategy of my own, is there something obvious I'm missing here which should enable this all to work?

I'm using Boto3 1.34.146, Docker 27 and Docker Compose 2.29.1 and running on Ubuntu 22.04.3. Happy to provide any additional context or specifics.

Thanks!

[ethagnawl]

I will confirm and close at a later point but I'm all but certain this behavior was a result of empty values for AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY existing in the Docker container.