hashicorp · radeksimko · Sep 11, 2017 · Aug 15, 2017 · Aug 15, 2017
diff --git a/aws/auth_helpers.go b/aws/auth_helpers.go
@@ -13,6 +13,7 @@ import (
 	awsCredentials "github.com/aws/aws-sdk-go/aws/credentials"
 	"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
 	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
+	"github.com/aws/aws-sdk-go/aws/defaults"
 	"github.com/aws/aws-sdk-go/aws/ec2metadata"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/iam"
@@ -108,7 +109,7 @@ func parseAccountInfoFromArn(arn string) (string, string, error) {
 // environment in the case that they're not explicitly specified
 // in the Terraform configuration.
 func GetCredentials(c *Config) (*awsCredentials.Credentials, error) {
-	// build a chain provider, lazy-evaulated by aws-sdk
+	// build a chain provider, lazy-evaluated by aws-sdk
 	providers := []awsCredentials.Provider{
 		&awsCredentials.StaticProvider{Value: awsCredentials.Value{
 			AccessKeyID:     c.AccessKey,
@@ -149,6 +150,12 @@ func GetCredentials(c *Config) (*awsCredentials.Credentials, error) {
 	}
 	usedEndpoint := setOptionalEndpoint(cfg)
 
+	// Add the default AWS provider for ECS Task Roles if the relevant env variable is set
+	if uri := os.Getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"); len(uri) > 0 {
+		providers = append(providers, defaults.RemoteCredProvider(*cfg, defaults.Handlers()))
+		log.Print("[INFO] ECS container credentials detected, RemoteCredProvider added to auth chain")
+	}
+
 	if !c.SkipMetadataApiCheck {
 		// Real AWS should reply to a simple metadata request.
 		// We check it actually does to ensure something else didn't just

diff --git a/website/docs/index.html.markdown b/website/docs/index.html.markdown
@@ -101,6 +101,13 @@ provider "aws" {
 }
 ```
 
+### ECS and CodeBuild Task Roles
+
+If you're running Terraform on ECS or CodeBuild and you have configured an [IAM Task Role](http://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html),
+Terraform will use the container's Task Role. Terraform looks for the presence of the `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`
+environment variable that AWS injects when a Task Role is configured. If you have not defined a Task Role for your container
+or CodeBuild job, Terraform will continue to use the [EC2 Role](#ec2-role).
+
 ### EC2 Role
 
 If you're running Terraform from an EC2 instance with IAM Instance Profile
@@ -112,7 +119,7 @@ This is a preferred approach over any other when running in EC2 as you can avoid
 hard coding credentials. Instead these are leased on-the-fly by Terraform
 which reduces the chance of leakage.
 
-You can provide the custom metadata API endpoint via the `AWS_METADATA_ENDPOINT` variable
+You can provide the custom metadata API endpoint via the `AWS_METADATA_URL` variable
 which expects the endpoint URL, including the version, and defaults to `http://169.254.169.254:80/latest`.
 
 The default deadline for the EC2 metadata API endpoint is 100 milliseconds,