When assigning an ECS TaskARN role to provide access to the S3 backend, the Vault container fails on startup with a Go runtime panic (a nil pointer dereference in the process, not a kernel panic):
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x28 pc=0x66a126]
goroutine 1 [running]:
net/http.(*Client).deadline(0x0, 0xc42000c1e8, 0xc4204e8aa0, 0x1)
#011/goroot/src/net/http/client.go:186 +0x26
net/http.(*Client).Do(0x0, 0xc4204c2900, 0xc4204f8388, 0xc4204f8380, 0xc4204459c0)
#011/goroot/src/net/http/client.go:497 +0x89
github.com/hashicorp/vault/vendor/github.com/aws/aws-sdk-go/aws/corehandlers.sendFollowRedirects(0xc4204c5c00, 0x1c18c18, 0xc4204c5c00, 0xc4204c2800)
#011/gopath/src/github.com/hashicorp/vault/vendor/github.com/aws/aws-sdk-go/aws/corehandlers/handlers.go:134 +0x3b
github.com/hashicorp/vault/vendor/github.com/aws/aws-sdk-go/aws/corehandlers.glob..func3(0xc4204c5c00)
#011/gopath/src/github.com/hashicorp/vault/vendor/github.com/aws/aws-sdk-go/aws/corehandlers/handlers.go:126 +0x85
github.com/hashicorp/vault/vendor/github.com/aws/aws-sdk-go/aws/request.(*HandlerList).Run(0xc4204c5d90, 0xc4204c5c00)
#011/gopath/src/github.com/hashicorp/vault/vendor/github.com/aws/aws-sdk-go/aws/request/handlers.go:195 +0x87
github.com/hashicorp/vault/vendor/github.com/aws/aws-sdk-go/aws/request.(*Request).Send(0xc4204c5c00, 0x0, 0x0)
#011/gopath/src/github.com/hashicorp/vault/vendor/github.com/aws/aws-sdk-go/aws/request/request.go:480 +0x191
github.com/hashicorp/vault/vendor/github.com/aws/aws-sdk-go/aws/credentials/endpointcreds.(*Provider).getCredentials(0xc420445d40, 0xc4204e9240, 0x7fc4d9d6a000, 0x0)
#011/gopath/src/github.com/hashicorp/vault/vendor/github.com/aws/aws-sdk-go/aws/credentials/endpointcreds/provider.go:156 +0x12f
github.com/hashicorp/vault/vendor/github.com/aws/aws-sdk-go/aws/credentials/endpointcreds.(*Provider).Retrieve(0xc420445d40, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7fc4d9d1a9c0, ...)
#011/gopath/src/github.com/hashicorp/vault/vendor/github.com/aws/aws-sdk-go/aws/credentials/endpointcreds/provider.go:114 +0x5e
github.com/hashicorp/vault/vendor/github.com/aws/aws-sdk-go/aws/credentials.(*ChainProvider).Retrieve(0xc4204d9d10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x19b8ee0, ...)
#011/gopath/src/github.com/hashicorp/vault/vendor/github.com/aws/aws-sdk-go/aws/credentials/chain_provider.go:77 +0xc9
github.com/hashicorp/vault/vendor/github.com/aws/aws-sdk-go/aws/credentials.(*Credentials).Get(0xc4204a7d40, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
#011/gopath/src/github.com/hashicorp/vault/vendor/github.com/aws/aws-sdk-go/aws/credentials/credentials.go:208 +0x13a
github.com/hashicorp/vault/vendor/github.com/aws/aws-sdk-go/aws/signer/v4.Signer.signWithBody(0xc4204a7d40, 0x0, 0x27de660, 0xc42000c1b0, 0x10100, 0x1c1c078, 0x0, 0xc4204c2700, 0x27e7320, 0xc4204e9220, ...)
#011/gopath/src/github.com/hashicorp/vault/vendor/github.com/aws/aws-sdk-go/aws/signer/v4/v4.go:338 +0x259
github.com/hashicorp/vault/vendor/github.com/aws/aws-sdk-go/aws/signer/v4.signSDKRequestWithCurrTime(0xc4204c5800, 0x1c1c078, 0x0, 0x0, 0x0)
#011/gopath/src/github.com/hashicorp/vault/vendor/github.com/aws/aws-sdk-go/aws/signer/v4/v4.go:472 +0x2f4
github.com/hashicorp/vault/vendor/github.com/aws/aws-sdk-go/aws/signer/v4.SignSDKRequest(0xc4204c5800)
#011/gopath/src/github.com/hashicorp/vault/vendor/github.com/aws/aws-sdk-go/aws/signer/v4/v4.go:416 +0x52
github.com/hashicorp/vault/vendor/github.com/aws/aws-sdk-go/aws/request.(*HandlerList).Run(0xc4204c5970, 0xc4204c5800)
#011/gopath/src/github.com/hashicorp/vault/vendor/github.com/aws/aws-sdk-go/aws/request/handlers.go:195 +0x87
github.com/hashicorp/vault/vendor/github.com/aws/aws-sdk-go/aws/request.(*Request).Sign(0xc4204c5800, 0x1c18c98, 0xc4204c5800)
#011/gopath/src/github.com/hashicorp/vault/vendor/github.com/aws/aws-sdk-go/aws/request/request.go:337 +0xb0
github.com/hashicorp/vault/vendor/github.com/aws/aws-sdk-go/aws/request.(*Request).Send(0xc4204c5800, 0x0, 0x0)
#011/gopath/src/github.com/hashicorp/vault/vendor/github.com/aws/aws-sdk-go/aws/request/request.go:473 +0x13d
github.com/hashicorp/vault/vendor/github.com/aws/aws-sdk-go/service/s3.(*S3).ListObjects(0xc42000c1c0, 0xc420445e00, 0x0, 0x0, 0x0)
#011/gopath/src/github.com/hashicorp/vault/vendor/github.com/aws/aws-sdk-go/service/s3/api.go:3887 +0x4d
github.com/hashicorp/vault/physical/s3.NewS3Backend(0xc4204d9b00, 0x27f8020, 0xc420445900, 0x2, 0xc42006ac00, 0x1, 0x0)
#011/gopath/src/github.com/hashicorp/vault/physical/s3/s3.go:98 +0x501
github.com/hashicorp/vault/command.(*ServerCommand).Run(0xc420398240, 0xc42000e110, 0x3, 0x3, 0x0)
#011/gopath/src/github.com/hashicorp/vault/command/server.go:215 +0xcf6
github.com/hashicorp/vault/vendor/github.com/mitchellh/cli.(*CLI).Run(0xc420399200, 0xc4204d8e70, 0x27, 0x1c18598)
#011/gopath/src/github.com/hashicorp/vault/vendor/github.com/mitchellh/cli/cli.go:235 +0x2d1
github.com/hashicorp/vault/cli.RunCustom(0xc42000e100, 0x4, 0x4, 0xc4204d8e40, 0x0)
#011/gopath/src/github.com/hashicorp/vault/cli/main.go:44 +0x4ea
github.com/hashicorp/vault/cli.Run(0xc42000e100, 0x4, 0x4, 0xc4200001a0)
#011/gopath/src/github.com/hashicorp/vault/cli/main.go:11 +0x56
main.main()
#011/gopath/src/github.com/hashicorp/vault/main.go:10 +0x64
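Removing the ECS TaskARN role avoids the panic, but it would be nice to use the IAM permissions assigned to the ECS task definition instead of those of the EC2 instance, so that S3 backend access is scoped to the Vault task rather than to everything running on the instance. The trace shows `net/http.(*Client).Do` being called on a nil client (receiver `0x0`) from the SDK's `endpointcreds` provider, so the panic occurs while the SDK is retrieving credentials from the credentials endpoint, before the first `ListObjects` request in `NewS3Backend` is sent.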