Docker containers seem to 'inherit' the instance profile of the host ec2. How?

Question

We have a docker container running on an ec2 host. Within that docker container we run some aws cli commands. We haven\'t defined any AWS credentials within the container. This

Answer 1

That's correct, the credentials are of the host machine. It gets them from the metadata endpoint, as you suspected.

One solution/workaround to give narrower access is ec2metadataproxy. I haven't used it yet.

The security group access is based on the host container too, unfortunately.