IAM roles not working for golang Docker container

FYI, I am relatively new to docker but experienced in go and aws.

I am using docker containers to build my golang app (for elastic beanstalk) with golang:1.12.7 as my base image. I use a multistage docker build by building a base image and then copy over my golang binary from scratch to reduce my final image from 1gb to 11 mb.

Everything compiles properly and I am able to run the docker image; however, when I use a multistage build, my IAM roles don't work and the docker image cannot connect or retrieve data from my aws services that are defined in my IAM role.

When I build the base image, without scratch, the IAM roles work fine and can retrieve data from aws, but I'm left with a 1gb docker image.

I haven't changed any other aws configurations, networking, security groups, iam roles, etc, other than the differences in the two Dockerfiles below.

# Dockerfile produces image (11mb) but IAM roles don't work:
# golang version
FROM golang:1.12.7 as builder
# set new gopath
ENV GOPATH="/app"

# setup initial container
RUN mkdir /app
WORKDIR /app/src/appDirectory
COPY ./appDirectory/ /app/src/appDirectory

RUN go get -u github.com/aws/aws-sdk-go # get go dependencies

RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o appDirectory # compile to binary

# create new container from scratch to reduce size of image
FROM scratch
COPY --from=builder /app/src/appDirectory /app/

ENTRYPOINT ["/app/appDirectory"]

# Dockerfile produces image (1gb) and IAM roles work:
# golang version
FROM golang:1.12.7 as builder

# set new gopath
ENV GOPATH="/app"

# setup initial container
RUN mkdir /app
WORKDIR /app/src/appDirectory
COPY ./appDirectory/ /app/src/appDirectory

RUN go get -u github.com/aws/aws-sdk-go # get go dependencies

RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o appDirectory # compile to binary

ENTRYPOINT ["./appDirectory"]

My assumption is that something's not copied over from the base docker image that's keeping the IAM roles from working, but I haven't figured out why that is.

Also, I would prefer to use IAM roles over programmatic access keys for several reasons.

Thank you in advance for any help provided :)

When I copy over the /etc folder from my base image in my docker file (COPY --from=builder /etc /etc), the IAM role works properly, and the final image only grows to 11.6mb. However, I'm not sure why this works. Could someone please explain?
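
An added diagnostic, not part of the original post: a `scratch` image starts empty, while Go's crypto/x509 on Linux loads its trusted root certificates from bundle files under /etc (the Debian-based golang image ships /etc/ssl/certs/ca-certificates.crt), and the AWS SDK calls service endpoints over HTTPS. The sketch below assumes the missing CA bundle is what `COPY --from=builder /etc /etc` restored; `FindCABundles` and `countCertBlocks` are hypothetical names, and the path list is a subset of what Go checks.

```go
package main

import (
	"encoding/pem"
	"fmt"
	"os"
	"path/filepath"
)

// Some of the bundle files Go's crypto/x509 looks for on Linux (Debian, RHEL, Alpine).
var caBundlePaths = []string{
	"/etc/ssl/certs/ca-certificates.crt",
	"/etc/pki/tls/certs/ca-bundle.crt",
	"/etc/ssl/cert.pem",
}

// countCertBlocks counts PEM CERTIFICATE blocks in a file (it does not validate them).
func countCertBlocks(path string) (int, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return 0, err
	}
	n := 0
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if block.Type == "CERTIFICATE" {
			n++
		}
	}
	return n, nil
}

// FindCABundles returns the bundle paths under root holding at least one certificate.
func FindCABundles(root string) []string {
	var found []string
	for _, p := range caBundlePaths {
		if n, err := countCertBlocks(filepath.Join(root, p)); err == nil && n > 0 {
			found = append(found, p)
		}
	}
	return found
}

func main() {
	found := FindCABundles("/") // "/" is the container's own filesystem root
	fmt.Println("CA bundles found:", found)
	if len(found) == 0 {
		os.Exit(1) // no roots: TLS verification of AWS endpoints would fail
	}
}
```

If the bundle is the only missing piece, copying just that one file from the builder stage ships less in the final image than copying all of /etc.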