Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add ECS server #556

Merged
merged 6 commits into from
Apr 19, 2020
Merged

Add ECS server #556

merged 6 commits into from
Apr 19, 2020

Conversation

mtibben
Copy link
Member

@mtibben mtibben commented Apr 18, 2020

Rebases #375

AWS SDKs universally support the ECS Credential Service, which supports
reading the service URI from environment variables.

Providing an http interface allows the subprocess to refresh credentials
as long as the master credentials session is valid.

Supporting the ECS Credential provider offers the following advantages
over the EC2 Metadata provider:

  • Binding to a random, ephimeral port
    • Does not require adminstrator privileges
    • Allows multiple providers simultaneously for discrete processes
    • Partially mitigates the security issues that accompany the EC2
      Metadata Service because the address is not well-known
  • Requiring an Authorization token further mitigates the potential for
    another process to access the credentials, since the Authorization
    token is only exposed to the subprocess via environment variables

mtibben and others added 3 commits April 18, 2020 23:50
@mtibben
Fix naming
3199e09
@jstewmon @mtibben
support ECS Credential Provider with exec --ecs-server
6d5ef5d 
AWS SDKs universally support the ECS Credential Service, which supports
reading the service URI from environment variables.

Providing an http interface allows the subprocess to refresh credentials
as long as the master credentials session is valid.

Supporting the ECS Credential provider offers the following advantages
over the EC2 Metadata provider:

- Binding to a random, ephimeral port
  - Does not require adminstrator privileges
  - Allows multiple providers simultaneously for discrete processes
  - Partially mitigates the security issues that accompany the EC2
    Metadata Service because the address is not well-known
- Requiring an Authorization token further mitigates the potential for
  another process to access the credentials, since the Authorization
  token is only exposed to the subprocess via environment variables
@mtibben
Refactor ECS server
c95bb48
@mtibben mtibben mentioned this pull request Apr 18, 2020
Closed
@mtibben mtibben merged commit ec402aa into master Apr 19, 2020
@mtibben mtibben deleted the ecs-server-2 branch April 19, 2020 03:50
@mtibben
Copy link
Member Author

mtibben commented Apr 19, 2020

Thank you @jstewmon, this is way better than the current ec2 server. Next question, should we make --ecs-server the default, and how should we role that out?

@mtibben mtibben added this to the v6 milestone Apr 30, 2020
@mtibben mtibben mentioned this pull request Apr 30, 2020
Closed
@mtibben mtibben added the server label Jun 5, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
server
Projects
None yet
Milestone
v6
Development

Successfully merging this pull request may close these issues.
2 participants
@mtibben @jstewmon