Posted to user@mesos.apache.org by Ed Ropple <er...@leaf.me> on 2015/03/03 19:04:54 UTC

Securing AWS credentials on Mesos workers

Howdy, folks! Looking to roll out our first Mesos cluster into a production
environment soonish, but running into an issue around AWS credentialing
that hopefully somebody's solved in a nice and secure way. We'd like to
support a 1:1 mapping between our containers and our IAM policy holders
(ideally roles, but users with keys if we have to) in a way that *doesn't*
allow for an owned container to impersonate whatever's granting access on
the system, i.e. if application A is owned it shouldn't be able to forge a
method of accessing application B's credentials.

Does this already exist? Can anyone point me in the right direction on it,
or on how it'd be doable if it doesn't? (I'm not against building and
open-sourcing a thing with some guidance.)

(Note: obviously Amazon's ECS does this, but we'd rather not use that at
this time. And the ECS/Mesos bridges I've seen aren't prod-ready.)

Thanks very much!

-Ed