AWS ECS volume permission denied when using non-root Dockerfile

Running as the least-privileged user (and definitely a non-root user) is one of the best practices when working with Dockerfiles. By default, when a Dockerfile does not specify a user, the container runs as root, which is almost never a good idea. However, non-root users can sometimes introduce problems that are hard to understand and resolve. If you are running non-root containers on AWS ECS Fargate that have to write to bind mounts and are seeing the “PermissionError: [Errno 13] Permission denied” error, this is how to solve it.

See, for example, the Dockerfile from this post:

When I tried running the above-linked Dockerfile in an AWS ECS environment and mounting a volume to the /out directory -> I ran into this error:

PermissionError: [Errno 13] Permission denied: '/out/r18-7-march-2023'

What didn’t help:

  • Adding gid/uid that matches our Dockerfile (user: "1000:1000") in my ECS task definition -> didn’t do anything at all.
  • Pre-creating the /out directory with specific permissions didn’t help either -> the mount directory was still coming up as owned by root (uid=0, gid=0).

What worked: explicitly declaring the volume in your Dockerfile:

VOLUME ["/out"]
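For context, a complete non-root Dockerfile that combines the VOLUME declaration with ownership of the mount point. This is an added example, not the Dockerfile from the linked post: the base image, the user name `app` and the script `app.py` are placeholders, and it assumes the ownership set on the declared volume path in the image carries over to the volume mounted by ECS.

```dockerfile
# Added example. Base image, user name and app.py are assumptions, not from the post.
FROM python:3-slim

# Non-root user whose uid/gid match the "1000:1000" used in the task definition.
RUN groupadd --gid 1000 app \
 && useradd --uid 1000 --gid 1000 --create-home app

# Create the mount point and hand it to the non-root user BEFORE declaring
# the volume: build steps that modify a path after its VOLUME instruction
# are discarded, so a later chown would have no effect.
RUN mkdir -p /out \
 && chown 1000:1000 /out \
 && chmod 0750 /out

# The declaration that resolved the Errno 13 on the bind mount.
VOLUME ["/out"]

WORKDIR /home/app
COPY --chown=1000:1000 app.py .

# Drop root for the running container; everything above ran as root at build time.
USER 1000:1000
CMD ["python", "app.py"]
```

The container path in the task definition's mount point has to match the declared path (/out here) for the declaration to apply to that mount.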

The Fin. Thanks for reading.
