Running as the least-privileged user (and definitely a non-root user) is one of the best practices when working with Dockerfiles. By default, when a Dockerfile does not specify a user, the container runs as root, which is almost never a good idea. However, non-root users can sometimes introduce problems that are hard to understand and resolve. If you are running non-root containers on AWS ECS Fargate that have to write to bind mounts and are seeing the “PermissionError: [Errno 13] Permission denied” error, this is how to solve it.
See, for example, the Dockerfile from this post:
When I tried running the above-linked Dockerfile in an AWS ECS environment and mounting a volume to the /out directory, I ran into this error:
PermissionError: [Errno 13] Permission denied: '/out/r18-7-march-2023'
What didn’t help:
- Adding gid/uid that matches our Dockerfile (user: "1000:1000") in my ECS task definition -> didn’t do anything at all.
- Pre-creating the /out directory with specific permissions didn’t help either -> mount directory was still coming up as owned by root (uid=0, gid=0).
What worked: Explicitly declare the volume in your Dockerfile:
VOLUME ["/out"]
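A fuller Dockerfile showing where the VOLUME line sits relative to the non-root user setup; this is an added example, not the Dockerfile from the linked post. The base image, the account name "app" and the diagnostic CMD are assumptions; the uid/gid 1000:1000 and the /out path come from the text above.

```dockerfile
# Added example; base image, account name and CMD are illustrative assumptions.
FROM python:3.11-slim

# Non-root account with the uid/gid used in the post (1000:1000).
RUN groupadd --gid 1000 app \
 && useradd --uid 1000 --gid 1000 --create-home --shell /usr/sbin/nologin app

# Create the mount target and hand it to the non-root user BEFORE the VOLUME
# line: build steps that change a path after it is declared as a volume
# are discarded.
RUN mkdir -p /out && chown 1000:1000 /out && chmod 0750 /out

# Declare the volume so the mount at /out starts from the image's
# directory ownership and mode instead of root:root.
VOLUME ["/out"]

# Drop privileges for everything that runs in the container.
USER 1000:1000
WORKDIR /home/app

# Start-up check: print who owns /out and who we are, and exit with 13
# (EACCES) if the directory is still not writable by the current user.
CMD ["python", "-c", "import os, sys; st = os.stat('/out'); print(f'/out uid={st.st_uid} gid={st.st_gid}; running as uid={os.getuid()} gid={os.getgid()}'); sys.exit(0 if os.access('/out', os.W_OK) else 13)"]
```

The task definition still needs a volume with a mount point whose container path is /out; the start-up check makes an ownership mismatch visible in the task logs before the application hits the PermissionError.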
The Fin. Thanks for reading.