Use AWS Credentials in a Dev Containers

Securely inject your AWS credentials into ephemeral dev containers

Aug 05, 2025

A modern solution to an age-old problem of development workflow; "...but it works on my machine"; is to leverage Development Containers. Dev containers allow anyone to replicate the development environment and the workflow without setting up project-specific tools on their host machine.

While dev containers are easily reproducible, they are ephemeral in nature. Which means, if you recreate the dev container, all your configurations will be lost. You could automate the installation of the tools using postCreateCommand, but you have to reconfigure it yourself.

The solution to managing configurations is to create scripts that can bootstrap dev containers and manage your dotfiles. But you cannot do it for sensitive information like AWS credentials. You can't sync it to your remote Git repository. Thus, the question remains: how to use AWS credentials in a dev container?

Bind mounts to the rescue

Dev container, at the end of the day, is still a container. Therefore, you can use a bind mount to link the directory and the files that contain AWS credentials configurations (a.k.a. the .aws directory).

Add the following key-value pair to the devcontainer.json file to bind mount the local .aws directory to dev container.

// .devcontainer/devcontainer.json
{
    ...
    "mounts": [
        "source=${env:USERPROFILE}/.aws,target=/home/vscode/.aws,type=bind"
    ]
}

Let's understand what this entry will do. In devcontainer.json we have mounts property which, by default, is unset. It can be a string (as shown above) or an array of objects (as shown below). Either way, it will bind a local directory to dev container along with all its files and sub-directories.

// .devcontainer/devcontainer.json
{
    ...
    "mounts": [
        {
            "source": "${env:USERPROFILE}/.aws",
            "target": "/home/vscode/.aws",
            "type": "bind"
        }
    ]
}

In source, we are using ${env:USERPROFILE} to dynamically point to the current local user's home directory. This is one of many pre-defined variables available in dev containers.

In target, you might notice that we are using the vscode user. According to Microsoft in Base Development Container Images, a non-root vscode user with sudo access is created by default in the image. So, it doesn't matter which IDE we use for development work, it shouldn't throw any error.

See It in Action

Want to see how this works in a real-world project?

Check out my GitHub repo awsbreaker, a CLI tool for working with AWS accounts, built to run inside a dev container. It uses the exact method discussed above to securely bind local AWS credentials into the containerized environment.

Explore the setup, fork the project, and try it out for yourself!

Code to Clusters

Discussion about this post