Add a dynamic role route to ECS server #878
Merged
Adds a new route to `aws-vault exec --ecs-server` to assume role credentials dynamically. The ECS server now responds to requests on `/role-arn/YOUR_ROLE_ARN` with the role credentials, making it usable with the `AWS_CONTAINER_CREDENTIALS_FULL_URI` or `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` environment variables. These environment variables are used by the AWS SDKs as part of the default credential provider chain.

The major use case for this is applications that may wish to assume a role dynamically, without the role being specified in the AWS config file.

In particular, this is designed to allow aws-vault to run on your local host while Docker images access role credentials dynamically. This is achieved via a reverse-proxy container (started with `aws-vault exec --ecs-server --lazy PROFILE -- docker-compose up ...`) using the default ECS IP address `169.254.170.2`. Docker containers no longer need AWS keys at all - instead they can specify the role they want to assume with `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`. This use case is similar to the goal of amazon-ecs-local-container-endpoints; the difference here is that the long-lived AWS credentials are sourced from your keychain via aws-vault.

A `--lazy` flag has also been added so that credentials are only retrieved when a request is actually made to the server.
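As an added illustration of the mechanism the PR describes (this is example code written for this page, not code from aws-vault or from this PR), the Go program below models the new route end to end: an HTTP handler that answers `GET /role-arn/<ROLE_ARN>` with the JSON document the AWS SDKs expect from a container credentials endpoint (`AccessKeyId`, `SecretAccessKey`, `Token`, `Expiration`), and a client that fetches it the way an SDK's `AWS_CONTAINER_CREDENTIALS_FULL_URI` provider does. `sts:AssumeRole` is replaced by a constructed `fakeAssume`; `newHandler`, `allowedHTTPHost`, `fetchCredentials` and `roundTrip` are names chosen here, not aws-vault's. Two checks a practitioner would want are included: the ARN taken from the URL path is validated before any role is assumed, and the client refuses a plain-http credential URI whose host is not a loopback address or `169.254.170.2` (the address a `RELATIVE_URI` is resolved against), which is the SDK-side restriction that makes the reverse-proxy at that address the sensible way to reach the host's server from inside a container.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"regexp"
	"strings"
	"time"
)

// ecsCredentials is the JSON the AWS SDKs expect from a container credentials endpoint.
type ecsCredentials struct {
	AccessKeyID     string    `json:"AccessKeyId"`
	SecretAccessKey string    `json:"SecretAccessKey"`
	Token           string    `json:"Token"`
	Expiration      time.Time `json:"Expiration"`
}

// fakeAssume is a constructed stand-in for sts:AssumeRole (not aws-vault's code).
func fakeAssume(roleARN string) (ecsCredentials, error) {
	return ecsCredentials{
		AccessKeyID:     "ASIAEXAMPLEKEY",
		SecretAccessKey: "example-secret",
		Token:           "session-token-for-" + roleARN,
		Expiration:      time.Now().Add(15 * time.Minute).UTC(),
	}, nil
}

// Only IAM role ARNs (12-digit account, "role/" prefix, optional path) reach STS.
var roleARNPattern = regexp.MustCompile(`^arn:aws[a-z-]*:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]+$`)

// newHandler serves GET /role-arn/<ROLE_ARN> in the shape of the ECS endpoint.
func newHandler(assume func(string) (ecsCredentials, error)) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/role-arn/", func(w http.ResponseWriter, r *http.Request) {
		roleARN := strings.TrimPrefix(r.URL.Path, "/role-arn/")
		if r.Method != http.MethodGet || !roleARNPattern.MatchString(roleARN) {
			http.Error(w, "expected GET /role-arn/<IAM role ARN>", http.StatusBadRequest)
			return
		}
		creds, err := assume(roleARN)
		if err != nil {
			http.Error(w, "assume role failed", http.StatusInternalServerError)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(creds)
	})
	return mux
}

// allowedHTTPHost models the SDK rule that a plain-http FULL_URI must point at
// loopback; 169.254.170.2 is the host a RELATIVE_URI is resolved against.
func allowedHTTPHost(rawURL string) bool {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false
	}
	ip := net.ParseIP(u.Hostname())
	return ip != nil && (ip.IsLoopback() || ip.Equal(net.IPv4(169, 254, 170, 2)))
}

// fetchCredentials does what an SDK container credential provider does with
// AWS_CONTAINER_CREDENTIALS_FULL_URI: check the host, GET, decode the JSON.
func fetchCredentials(client *http.Client, fullURI string) (ecsCredentials, error) {
	var creds ecsCredentials
	if !allowedHTTPHost(fullURI) {
		return creds, fmt.Errorf("refusing credential URI on non-loopback http host: %s", fullURI)
	}
	resp, err := client.Get(fullURI)
	if err != nil {
		return creds, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return creds, fmt.Errorf("credential endpoint returned HTTP %d", resp.StatusCode)
	}
	if err := json.NewDecoder(resp.Body).Decode(&creds); err != nil {
		return creds, err
	}
	return creds, nil
}

// roundTrip runs the server on loopback and fetches credentials for roleARN.
func roundTrip(roleARN string) (ecsCredentials, error) {
	srv := httptest.NewServer(newHandler(fakeAssume))
	defer srv.Close()
	return fetchCredentials(srv.Client(), srv.URL+"/role-arn/"+roleARN)
}

func main() {
	creds, err := roundTrip("arn:aws:iam::123456789012:role/app-reader")
	fmt.Println(creds.AccessKeyID, creds.Token, creds.Expiration.Format(time.RFC3339), err)
}
```

Running it with `go run` prints the placeholder key, the token tagged with the requested ARN and its expiry. Pointing a real SDK at such a server is just `AWS_CONTAINER_CREDENTIALS_FULL_URI=http://127.0.0.1:<port>/role-arn/<ROLE_ARN>`; a malformed ARN gets a 400 before any STS call, and a URI on a non-loopback host is refused by the client before the request is sent.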