Dynamic AWS Credentials in Langgraph Studio Docker Container #203

Open
codekiln opened this issue Dec 11, 2024 · 0 comments

Problem Statement

In Langgraph Studio Issue #86, @austinmw asked:

How can I pass AWS temporary credentials to the Docker image that is built?

While @dqbd suggested the following approach:

You can prepend additional Dockerfile instructions via Project Settings > Show Advanced > Dockerfile lines or by specifying these lines in langgraph.json > dockerfile_lines.

This suggestion raises a significant concern: implementing it seems to require hardcoding the credentials, which is not secure or practical.

Challenges

  • To follow @dqbd's suggestion, the credentials must be hardcoded as environment variables in langgraph.json > dockerfile_lines. This approach:
    • Exposes sensitive credentials in plaintext.
    • Requires duplicating credentials managed by the AWS CLI, typically stored in ${HOME}/.aws on the host machine.
    • Risks accidental exposure via version control.

Alternative Approach: Volume Mounts

In traditional Docker setups, AWS credentials can be securely shared with containers using a volume mount in docker-compose.yml:

volumes:
 - ${HOME}/.aws:/root/.aws:ro

This has the additional benefit that the ~/.aws/config file is mapped in, which enables AWS Profiles to be utilized for brevity, rather than hardcoding additional environment variables like BEDROCK_ASSUME_ROLE.

However, Langgraph Studio does not seem to directly support this approach. While the "Path to an optional docker-compose.yml file for additional services" option exists in Project Settings, it does not apply to the core service itself.

Key Question

How can we dynamically make AWS credentials available in Langgraph Studio without hardcoding them anywhere?

Desired Solution

A secure and flexible method to:

  • Use AWS CLI-managed credentials from the host system without duplicating them.
  • Avoid exposing credentials in plaintext.
  • Ensure compatibility with Langgraph Studio's environment.
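
A pre-commit style check for the version-control risk listed under Challenges, as an added example that is not part of the original issue or of LangGraph's own code. It scans `dockerfile_lines` in langgraph.json text for AWS credentials set to literal values; the function name and the sample configuration are constructed for illustration.

```python
import json
import re
import sys

# Environment variables the AWS SDKs read static credentials from.
CRED_VARS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}
# Access key IDs start with AKIA (long-term) or ASIA (temporary, STS-issued).
KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# NAME=value or legacy "NAME value" pairs as written in ENV/ARG instructions.
ASSIGN_RE = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)(?:=|\s+)(\"[^\"]*\"|'[^']*'|\S+)")


def find_hardcoded_aws_credentials(config_text):
    """Return (line_index, reason) findings for dockerfile_lines (hypothetical helper)."""
    lines = json.loads(config_text).get("dockerfile_lines", [])
    findings = []
    for idx, line in enumerate(lines):
        instruction, _, rest = line.strip().partition(" ")
        if instruction.upper() in ("ENV", "ARG"):
            for name, value in ASSIGN_RE.findall(rest):
                value = value.strip("\"'")
                # A literal value ends up in the repo and in the image layers;
                # a reference such as $AWS_SESSION_TOKEN is not a literal.
                if name in CRED_VARS and value and not value.startswith("$"):
                    findings.append((idx, f"{name} set to a literal value"))
        # Catch key IDs anywhere, e.g. inside a RUN instruction.
        if KEY_ID_RE.search(line):
            findings.append((idx, "string shaped like an AWS access key ID"))
    return findings


# Constructed sample, not taken from the issue; the key ID is a placeholder.
SAMPLE = json.dumps({"dockerfile_lines": [
    "RUN pip install boto3",
    "ENV AWS_ACCESS_KEY_ID=ASIAEXAMPLEEXAMPLE00",
    "ENV AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN",
    "ENV AWS_PROFILE=dev",
]})

if __name__ == "__main__":
    # Usage: python check.py langgraph.json (falls back to the sample).
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    results = find_hardcoded_aws_credentials(text)
    for idx, reason in results:
        print(f"dockerfile_lines[{idx}]: {reason}")
    sys.exit(1 if results else 0)
```
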