inject AWS_REGION and AWS_DEFAULT_REGION into task containers

Inject the instance region into normal container environments so the AWS SDK
can resolve the correct region without explicit task definition configuration.

Injection is skipped if either var is already set in the task definition,
environment files, or container image. The precedence order is:
task definition > environment files > container image > instance default.

Environment file vars are merged into container.Environment before the region
injection runs.

Author: ShelbyZ

agent/api/task/task.go

@@ -82,6 +82,10 @@ const (
 	// credentials.
 	awsSDKCredentialsRelativeURIPathEnvironmentVariableName = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
 
+	// awsRegionEnvVar and awsDefaultRegionEnvVar are the standard AWS SDK region env vars.
+	awsRegionEnvVar        = "AWS_REGION"
+	awsDefaultRegionEnvVar = "AWS_DEFAULT_REGION"
+
 	NvidiaVisibleDevicesEnvVar = "NVIDIA_VISIBLE_DEVICES"
 	GPUAssociationType         = "gpu"
 
@@ -1024,6 +1028,38 @@ func (task *Task) initializeCredentialsEndpoint(credentialsManager credentials.M
 	task.SetCredentialsRelativeURI(credentialsEndpointRelativeURI)
 }
 
+// ApplyRegionToContainer injects AWS_REGION and AWS_DEFAULT_REGION into the
+// container environment. Injection is skipped if either var is already set in
+// the task definition, environment files, or container image.
+func (task *Task) ApplyRegionToContainer(container *apicontainer.Container, region string, imageManagedEnvKeys map[string]bool) {
+	if region == "" {
+		return
+	}
+	if container.IsInternal() {
+		// Internal containers (pause, SC relay, managed daemons) do not receive injected env vars.
+		return
+	}
+
+	// Skip if the customer set either var in the task definition or environment files.
+	// Environment file vars are merged into container.Environment.
+	_, hasRegion := container.Environment[awsRegionEnvVar]
+	_, hasDefaultRegion := container.Environment[awsDefaultRegionEnvVar]
+	if hasRegion || hasDefaultRegion {
+		return
+	}
+
+	// Skip if the image already has a region preference (e.g. Dockerfile ENV).
+	if imageManagedEnvKeys[awsRegionEnvVar] || imageManagedEnvKeys[awsDefaultRegionEnvVar] {
+		return
+	}
+
+	if container.Environment == nil {
+		container.Environment = make(map[string]string)
+	}
+	container.Environment[awsRegionEnvVar] = region
+	container.Environment[awsDefaultRegionEnvVar] = region
+}
+
 // initializeContainersV3MetadataEndpoint generates a v3 endpoint id for each container, constructs the
 // v3 metadata endpoint, and injects it as an environment variable
 func (task *Task) initializeContainersV3MetadataEndpoint(uuidProvider utils.UUIDProvider) {

agent/api/task/task_test.go

@@ -1406,6 +1406,104 @@ func TestInitializeContainersV1AgentAPIEndpoint(t *testing.T) {
 	}
 }
 
+func TestApplyRegionToContainerPrecedence(t *testing.T) {
+	tests := []struct {
+		name           string
+		containerType  apicontainer.ContainerType
+		taskDefEnvs    map[string]string
+		imageEnvKeys   map[string]bool
+		instanceRegion string
+		wantRegion     string // expected AWS_REGION ("" = not injected)
+		wantDefaultReg string // expected AWS_DEFAULT_REGION ("" = not injected)
+	}{
+		{
+			name:           "no overrides — inject both vars",
+			instanceRegion: "us-west-2",
+			wantRegion:     "us-west-2",
+			wantDefaultReg: "us-west-2",
+		},
+		{
+			name:           "nil image region keys — injection still proceeds",
+			instanceRegion: "us-west-2",
+			wantRegion:     "us-west-2",
+			wantDefaultReg: "us-west-2",
+		},
+		{
+			name:           "empty region — nothing injected",
+			instanceRegion: "",
+			wantRegion:     "",
+			wantDefaultReg: "",
+		},
+		{
+			name:           "internal container (CNI pause) — skip injection",
+			containerType:  apicontainer.ContainerCNIPause,
+			instanceRegion: "us-west-2",
+			wantRegion:     "",
+			wantDefaultReg: "",
+		},
+		{
+			// Image already has AWS_REGION: neither var is injected (both would be or neither).
+			name:           "image has AWS_REGION — no injection",
+			imageEnvKeys:   map[string]bool{awsRegionEnvVar: true},
+			instanceRegion: "us-west-2",
+			wantRegion:     "",
+			wantDefaultReg: "",
+		},
+		{
+			// Image already has AWS_DEFAULT_REGION: neither var is injected.
+			name:           "image has AWS_DEFAULT_REGION — no injection",
+			imageEnvKeys:   map[string]bool{awsDefaultRegionEnvVar: true},
+			instanceRegion: "us-west-2",
+			wantRegion:     "",
+			wantDefaultReg: "",
+		},
+		{
+			// Task def already has AWS_REGION: injection skipped, task def value preserved,
+			// AWS_DEFAULT_REGION is not added.
+			name:           "task definition has AWS_REGION — no injection, task def value preserved",
+			taskDefEnvs:    map[string]string{awsRegionEnvVar: "eu-west-1"},
+			instanceRegion: "us-west-2",
+			wantRegion:     "eu-west-1",
+			wantDefaultReg: "",
+		},
+		{
+			// Task def already has AWS_DEFAULT_REGION: injection skipped, task def value
+			// preserved, AWS_REGION is not added.
+			name:           "task definition has AWS_DEFAULT_REGION — no injection, task def value preserved",
+			taskDefEnvs:    map[string]string{awsDefaultRegionEnvVar: "ap-southeast-1"},
+			instanceRegion: "us-west-2",
+			wantRegion:     "",
+			wantDefaultReg: "ap-southeast-1",
+		},
+		{
+			// Task def check runs before image check: one var in task def suppresses
+			// injection entirely, so the other var from the image is also not applied.
+			name:           "task definition has AWS_REGION, image has AWS_DEFAULT_REGION — no injection",
+			taskDefEnvs:    map[string]string{awsRegionEnvVar: "eu-west-1"},
+			imageEnvKeys:   map[string]bool{awsDefaultRegionEnvVar: true},
+			instanceRegion: "us-west-2",
+			wantRegion:     "eu-west-1",
+			wantDefaultReg: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			container := &apicontainer.Container{
+				Name:        "app",
+				Type:        tt.containerType,
+				Environment: tt.taskDefEnvs,
+			}
+			task := Task{Containers: []*apicontainer.Container{container}}
+
+			task.ApplyRegionToContainer(container, tt.instanceRegion, tt.imageEnvKeys)
+
+			assert.Equal(t, tt.wantRegion, container.Environment[awsRegionEnvVar])
+			assert.Equal(t, tt.wantDefaultReg, container.Environment[awsDefaultRegionEnvVar])
+		})
+	}
+}
+
 func TestPostUnmarshalTaskWithLocalVolumes(t *testing.T) {
 	// Constants used here are defined in task_unix_test.go and task_windows_test.go
 	taskFromACS := ecsacs.Task{

agent/engine/common_testutil.go

@@ -191,7 +191,7 @@ func validateContainerRunWorkflow(t *testing.T,
 	client.EXPECT().
 		TagImage(gomock.Any(), canonicalImageRef.String(), container.Image).Return(nil)
 	imageManager.EXPECT().RecordContainerReference(container).Return(nil)
-	imageManager.EXPECT().GetImageStateFromImageName(gomock.Any()).Return(nil, false)
+	imageManager.EXPECT().GetImageStateFromImageName(gomock.Any()).Return(nil, false).AnyTimes()
 	client.EXPECT().APIVersion().Return(defaultDockerClientAPIVersion, nil)
 	dockerConfig, err := task.DockerConfig(container, defaultDockerClientAPIVersion)
 	if err != nil {

agent/engine/docker_image_manager.go

@@ -139,7 +139,7 @@ func (imageManager *dockerImageManager) RecordContainerReference(container *apic
 	// On agent restart, container ID was retrieved from agent state file
 	// TODO add setter and getter for modifying this
 	if container.ImageID != "" {
-		if !imageManager.addContainerReferenceToExistingImageState(container) {
+		if !imageManager.addContainerReferenceToExistingImageState(container, nil) {
 			return fmt.Errorf("Failed to add container to existing image state")
 		}
 		return nil
@@ -164,9 +164,14 @@ func (imageManager *dockerImageManager) RecordContainerReference(container *apic
 		imageDigest := imageManager.fetchRepoDigest(imageInspected, container)
 		container.SetImageDigest(imageDigest)
 	}
-	added := imageManager.addContainerReferenceToExistingImageState(container)
+	// Capture managed image env keys for use at container create time.
+	var managedEnvKeys map[string]bool
+	if imageInspected.Config != nil {
+		managedEnvKeys = image.ParseManagedEnvKeys(imageInspected.Config.Env)
+	}
+	added := imageManager.addContainerReferenceToExistingImageState(container, managedEnvKeys)
 	if !added {
-		imageManager.addContainerReferenceToNewImageState(container, imageInspected.Size)
+		imageManager.addContainerReferenceToNewImageState(container, imageInspected.Size, managedEnvKeys)
 	}
 	return nil
 }
@@ -191,20 +196,24 @@ func (imageManager *dockerImageManager) fetchRepoDigest(imageInspected *types.Im
 	return resultRepoDigest
 }
 
-func (imageManager *dockerImageManager) addContainerReferenceToExistingImageState(container *apicontainer.Container) bool {
+func (imageManager *dockerImageManager) addContainerReferenceToExistingImageState(container *apicontainer.Container, managedEnvKeys map[string]bool) bool {
 	// this lock is used for reading the image states in the image manager
 	imageManager.updateLock.RLock()
 	defer imageManager.updateLock.RUnlock()
 	imageManager.removeExistingImageNameOfDifferentID(container.Image, container.ImageID)
 	imageState, ok := imageManager.getImageState(container.ImageID)
 	if ok {
 		imageState.UpdateImageState(container)
+		if managedEnvKeys != nil {
+			// nil on restart (no inspect); preserves persisted value.
+			imageState.SetManagedEnvKeys(managedEnvKeys)
+		}
 		imageManager.saveImageStateData(imageState)
 	}
 	return ok
 }
 
-func (imageManager *dockerImageManager) addContainerReferenceToNewImageState(container *apicontainer.Container, imageSize int64) {
+func (imageManager *dockerImageManager) addContainerReferenceToNewImageState(container *apicontainer.Container, imageSize int64, managedEnvKeys map[string]bool) {
 	// this lock is used while creating and adding new image state to image manager
 	imageManager.updateLock.Lock()
 	defer imageManager.updateLock.Unlock()
@@ -213,16 +222,20 @@ func (imageManager *dockerImageManager) addContainerReferenceToNewImageState(con
 	imageState, ok := imageManager.getImageState(container.ImageID)
 	if ok {
 		imageState.UpdateImageState(container)
+		if managedEnvKeys != nil {
+			imageState.SetManagedEnvKeys(managedEnvKeys)
+		}
 		imageManager.saveImageStateData(imageState)
 	} else {
 		sourceImage := &image.Image{
 			ImageID: container.ImageID,
 			Size:    imageSize,
 		}
 		sourceImageState := &image.ImageState{
-			Image:      sourceImage,
-			PulledAt:   time.Now(),
-			LastUsedAt: time.Now(),
+			Image:          sourceImage,
+			PulledAt:       time.Now(),
+			LastUsedAt:     time.Now(),
+			ManagedEnvKeys: managedEnvKeys,
 		}
 		sourceImageState.UpdateImageState(container)
 		imageManager.addImageState(sourceImageState)

agent/engine/docker_image_manager_data_test.go

@@ -67,7 +67,7 @@ func TestAddContainerReferenceToNewImageStateSaveData(t *testing.T) {
 		dataClient: dataClient,
 	}
 
-	imageManager.addContainerReferenceToNewImageState(testContainerData, 0)
+	imageManager.addContainerReferenceToNewImageState(testContainerData, 0, nil)
 	imageStates, err := dataClient.GetImageStates()
 	assert.NoError(t, err)
 	assert.Len(t, imageStates, 1)
@@ -80,7 +80,7 @@ func TestAddContainerReferenceToExistingImageStateSaveData(t *testing.T) {
 		dataClient: dataClient,
 	}
 	imageManager.imageStates = append(imageManager.imageStates, testImageStateData)
-	imageManager.addContainerReferenceToExistingImageState(testContainerData)
+	imageManager.addContainerReferenceToExistingImageState(testContainerData, nil)
 	imageStates, err := dataClient.GetImageStates()
 	assert.NoError(t, err)
 	assert.Len(t, imageStates, 1)

agent/engine/docker_image_manager_test.go

@@ -35,6 +35,7 @@ import (
 	ec2testutil "github.com/aws/amazon-ecs-agent/agent/utils/test/ec2util"
 
 	"github.com/docker/docker/api/types"
+	dockercontainer "github.com/docker/docker/api/types/container"
 	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -192,6 +193,90 @@ func TestRecordContainerReferenceInspectError(t *testing.T) {
 	}
 }
 
+func TestRecordContainerReferenceStoresManagedEnvKeysOnImageState(t *testing.T) {
+	envVars := []string{"PATH=/usr/local/bin", "AWS_DEFAULT_REGION=us-east-1"}
+	tests := []struct {
+		name        string
+		config      *dockercontainer.Config
+		wantEnvKeys map[string]bool
+	}{
+		{
+			name:        "image config with region env var — key stored on image state",
+			config:      &dockercontainer.Config{Env: envVars},
+			wantEnvKeys: map[string]bool{"AWS_DEFAULT_REGION": true},
+		},
+		{
+			name:        "nil image config — ManagedEnvKeys nil on image state",
+			config:      nil,
+			wantEnvKeys: nil,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ctrl := gomock.NewController(t)
+			defer ctrl.Finish()
+			client := mock_dockerapi.NewMockDockerClient(ctrl)
+
+			imageManager := NewImageManager(defaultTestConfig(), client, dockerstate.NewTaskEngineState())
+			imageManager.SetDataClient(data.NewNoopClient())
+
+			container := &apicontainer.Container{
+				Name:  "testContainer",
+				Image: "testContainerImage",
+			}
+			client.EXPECT().InspectImage(container.Image).Return(&types.ImageInspect{
+				ID:     "sha256:qwerty",
+				Config: tt.config,
+			}, nil)
+
+			err := imageManager.RecordContainerReference(container)
+			assert.NoError(t, err)
+
+			imageState, ok := imageManager.GetImageStateFromImageName(container.Image)
+			assert.True(t, ok)
+			assert.Equal(t, tt.wantEnvKeys, imageState.GetManagedEnvKeys())
+		})
+	}
+}
+
+// TestRecordContainerReferencePreservesManagedEnvKeysOnRestart verifies that when a container
+// already has an ImageID set (e.g. on agent restart from saved state), RecordContainerReference
+// does not re-inspect the image — the ManagedEnvKeys are already persisted on ImageState.
+func TestRecordContainerReferencePreservesManagedEnvKeysOnRestart(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+	client := mock_dockerapi.NewMockDockerClient(ctrl)
+
+	imageManager := NewImageManager(defaultTestConfig(), client, dockerstate.NewTaskEngineState())
+	imageManager.SetDataClient(data.NewNoopClient())
+
+	const imageID = "sha256:qwerty"
+	existingKeys := map[string]bool{"AWS_DEFAULT_REGION": true}
+
+	// Seed the image state with persisted ManagedEnvKeys (as if loaded from state file).
+	sourceImageState := &image.ImageState{
+		Image:          &image.Image{ImageID: imageID},
+		ManagedEnvKeys: existingKeys,
+	}
+	imageManager.(*dockerImageManager).addImageState(sourceImageState)
+
+	container := &apicontainer.Container{
+		Name:    "testContainer",
+		Image:   "testContainerImage",
+		ImageID: imageID, // pre-populated, as it would be after agent restart
+	}
+
+	// No InspectImage call expected — keys are already persisted.
+	err := imageManager.RecordContainerReference(container)
+	assert.NoError(t, err)
+
+	// Verify the keys are still on the image state.
+	imageState, ok := imageManager.GetImageStateFromImageName(container.Image)
+	assert.True(t, ok)
+	assert.Equal(t, existingKeys, imageState.GetManagedEnvKeys())
+}
+
 func TestRecordContainerReferenceWithNoImageName(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	defer ctrl.Finish()
@@ -282,7 +367,7 @@ func TestAddContainerReferenceToExistingImageState(t *testing.T) {
 	sourceImageState1.AddImageName("testContainerImage")
 	imageManager.addImageState(sourceImageState)
 	imageManager.addImageState(sourceImageState1)
-	if !imageManager.addContainerReferenceToExistingImageState(container) {
+	if !imageManager.addContainerReferenceToExistingImageState(container, nil) {
 		t.Error("Error in adding container to an already existing image state")
 	}
 	if !reflect.DeepEqual(sourceImageState.Containers[0], container) {
@@ -371,7 +456,7 @@ func TestAddContainerReferenceToExistingImageStateNoState(t *testing.T) {
 		Image:   "testContainerImage",
 		ImageID: "sha256:qwerty",
 	}
-	if imageManager.addContainerReferenceToExistingImageState(container) {
+	if imageManager.addContainerReferenceToExistingImageState(container, nil) {
 		t.Error("Error adding container to an incorrect existing image state")
 	}
 }
@@ -390,7 +475,7 @@ func TestAddContainerReferenceToNewImageState(t *testing.T) {
 		Image:   "testContainerImage",
 		ImageID: imageID,
 	}
-	imageManager.addContainerReferenceToNewImageState(container, imageSize)
+	imageManager.addContainerReferenceToNewImageState(container, imageSize, nil)
 	_, ok := imageManager.getImageState(imageID)
 	if !ok {
 		t.Error("Error adding container reference to new image state")
@@ -426,7 +511,7 @@ func TestAddContainerReferenceToNewImageStateAddedState(t *testing.T) {
 	sourceImageState1.AddImageName("testContainerImage")
 	imageManager.addImageState(sourceImageState)
 	imageManager.addImageState(sourceImageState1)
-	imageManager.addContainerReferenceToNewImageState(container, imageSize)
+	imageManager.addContainerReferenceToNewImageState(container, imageSize, nil)
 	if !reflect.DeepEqual(sourceImageState.Containers[0], container) {
 		t.Error("Incorrect container added to an already existing image state")
 	}