From 840fb26c2636ff25b39a3272caf5b179fe73bcee Mon Sep 17 00:00:00 2001
From: Alvin Lin
Date: Thu, 10 Mar 2022 21:01:50 -0800
Subject: [PATCH 1/4] Use alpine image because using scratch base image doesn't seem to work with reading AWS CLI profile
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index b3cbdb5..e3a93b9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,7 +15,7 @@ COPY . .
 RUN CGO_ENABLED=0 GOOS=linux go build -o /go/bin/aws-sigv4-proxy
-FROM scratch
+FROM alpine:latest
 COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 COPY --from=build /go/bin/aws-sigv4-proxy /go/bin/aws-sigv4-proxy
From 0b0fc09a18124bd4378f449b93822e5ea9bb50b7 Mon Sep 17 00:00:00 2001
From: Alvin Lin
Date: Thu, 10 Mar 2022 21:04:51 -0800
Subject: [PATCH 2/4] Use alpine image because using scratch base image doesn't seem to work with reading AWS CLI profile
---
 README.md | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 82e535a..d144d3f 100644
--- a/README.md
+++ b/README.md
@@ -30,6 +30,7 @@ docker run --rm -ti \
 docker run --rm -ti \
 -v ~/.aws:/root/.aws \
 -p 8080:8080 \
+ -e 'AWS_SDK_LOAD_CONFIG=true' \
 -e 'AWS_PROFILE=' \
 aws-sigv4-proxy -v
 ```
@@ -37,6 +38,7 @@ docker run --rm -ti \
 ## Examples
 S3
+
 ```
 # us-east-1
 curl -s -H 'host: s3.amazonaws.com' http://localhost:8080/
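Review bot: `FROM alpine:latest` leaves the base image unpinned, so each rebuild silently takes whatever the tag points at that day and the resulting image is neither reproducible nor auditable; pin a specific version tag or a digest, e.g. `FROM alpine:<pinned-version>`. Unlike `scratch`, the alpine image also brings a shell and a package manager into the runtime image, which is more than a single static binary needs and more for an attacker to work with if the proxy process is ever compromised. The README patch that follows adds `AWS_SDK_LOAD_CONFIG=true` to every example, and as far as I know that variable is what makes the SDK read profiles from the shared config file; if that was the actual fix for profile loading, the base-image switch may be unnecessary and `scratch` could be kept.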
@@ -46,38 +48,46 @@ curl -s -H 'host: s3..amazonaws.com' http://localhost:8080/.amazonaws.com' 'http://localhost:8080//?Action=SendMessage&MessageBody=example' ``` API Gateway + ```sh curl -H 'host: .execute-api..amazonaws.com' http://localhost:8080// ``` Running the service and stripping out sigv2 authorization headers + ```sh docker run --rm -ti \ -v ~/.aws:/root/.aws \ -p 8080:8080 \ + -e 'AWS_SDK_LOAD_CONFIG=true' \ -e 'AWS_PROFILE=' \ aws-sigv4-proxy -v -s Authorization ``` Running the service with Assume Role to use temporary credentials + ```sh docker run --rm -ti \ -v ~/.aws:/root/.aws \ -p 8080:8080 \ + -e 'AWS_SDK_LOAD_CONFIG=true' \ -e 'AWS_PROFILE=' \ aws-sigv4-proxy -v --role-arn ``` Include service name & region overrides when you notice errors like `unable to determine service from host` for API gateway, for example. + ```sh docker run --rm -ti \ -v ~/.aws:/root/.aws \ -p 8080:8080 \ + -e 'AWS_SDK_LOAD_CONFIG=true' \ -e 'AWS_PROFILE=' \ aws-sigv4-proxy -v --name execute-api --region us-east-1 ``` @@ -87,7 +97,6 @@ docker run --rm -ti \ - [AWS SigV4 Signing Docs ](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html) - [AWS SigV4 Admission Controller](https://github.com/aws-observability/aws-sigv4-proxy-admission-controller) - Used to install the AWS SigV4 Proxy as a sidecar - ## License This library is licensed under the Apache 2.0 License. From 1801c4476d74aa4a6321bc6c836ba5ff4604e199 Mon Sep 17 00:00:00 2001 From: Alvin Lin Date: Thu, 10 Mar 2022 22:50:42 -0800 Subject: [PATCH 3/4] Upgrade go sdk and turn on cred chain resolving verbose log Signed-off-by: Alvin Lin --- go.mod | 4 ++-- go.sum | 9 +++++++++ main.go | 1 + 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/go.mod b/go.mod index cd3709b..48fc34b 100644 --- a/go.mod +++ b/go.mod 
@@ -3,7 +3,7 @@ module aws-sigv4-proxy
 go 1.17
 require (
- github.com/aws/aws-sdk-go v1.34.29
+ github.com/aws/aws-sdk-go v1.43.16
 github.com/sirupsen/logrus v1.0.6
 github.com/stretchr/testify v1.2.2
 gopkg.in/alecthomas/kingpin.v2 v2.2.6
@@ -16,7 +16,7 @@ require (
 github.com/jmespath/go-jmespath v0.4.0 // indirect
 github.com/pmezard/go-difflib v1.0.0 // indirect
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 // indirect
- golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f // indirect
+ golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e // indirect
 gopkg.in/airbrake/gobrake.v2 v2.0.9 // indirect
 gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2 // indirect
 gopkg.in/yaml.v2 v2.3.0 // indirect
diff --git a/go.sum b/go.sum
index 9677671..8077aee 100644
--- a/go.sum
+++ b/go.sum
@@ -4,6 +4,8 @@ github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf h1:qet1QNfXsQxTZq
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/aws/aws-sdk-go v1.34.29 h1:4Yw8eC4nCXiIVmHJO5PD4oh0vI/df5o6cYTVzFV7vWA=
 github.com/aws/aws-sdk-go v1.34.29/go.mod h1:H7NKnBqNVzoTJpGfLrQkkD+ytBA93eiDYi/+8rV9s48=
+github.com/aws/aws-sdk-go v1.43.16 h1:Y7wBby44f+tINqJjw5fLH3vA+gFq4uMITIKqditwM14=
+github.com/aws/aws-sdk-go v1.43.16/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -25,11 +27,18 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnk
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f h1:+Nyd8tzPX9R7BWHguqsrbFdRx3WQ/1ib8I44HXV5yTA=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e h1:fLOSk5Q00efkSvAm+4xcoXD+RRmLmmulPn5I3Y9F2EM=
+golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 gopkg.in/airbrake/gobrake.v2 v2.0.9 h1:7z2uVWwn7oVeeugY1DtlPAy5H+KYgB1KeKTnqjNatLo=
 gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6 h1:jMFz6MfLP0/4fUyZle81rXUoxOBFi19VUFKVDOQfozc=
diff --git a/main.go b/main.go
index fb71135..a8da1ad 100644
--- a/main.go
+++ b/main.go
@@ -67,6 +67,7 @@ func main() {
 if v := os.Getenv("AWS_STS_REGIONAL_ENDPOINTS"); len(v) == 0 {
 sessionConfig.STSRegionalEndpoint = endpoints.RegionalSTSEndpoint
 }
+ sessionConfig.CredentialsChainVerboseErrors = aws.Bool(true)
 session, err := session.NewSession(&sessionConfig)
 if err != nil {
From 722add7f968e3d3716b153ba91d66c72407db124 Mon Sep 17 00:00:00 2001
From: Alvin Lin
Date: Fri, 11 Mar 2022 16:37:48 -0800
Subject: [PATCH 4/4] Add ability to turn on credential chain loading verbose error
Signed-off-by: Alvin Lin
---
 main.go | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/main.go b/main.go
index a8da1ad..f5282d7 100644
--- a/main.go
+++ b/main.go
@@ -67,7 +67,8 @@ func main() {
 if v := os.Getenv("AWS_STS_REGIONAL_ENDPOINTS"); len(v) == 0 {
 sessionConfig.STSRegionalEndpoint = endpoints.RegionalSTSEndpoint
 }
- sessionConfig.CredentialsChainVerboseErrors = aws.Bool(true)
+
+ sessionConfig.CredentialsChainVerboseErrors = aws.Bool(shouldLogSigning())
 session, err := session.NewSession(&sessionConfig)
 if err != nil {
@@ -99,7 +100,7 @@ func main() {
 }
 signer := v4.NewSigner(credentials, func(s *v4.Signer) {
- if *logSinging || *debug {
+ if shouldLogSigning() {
 s.Logger = awsLoggerAdapter{}
 s.Debug = aws.LogDebugWithSigning
 }
@@ -128,6 +129,10 @@ func main() {
 )
 }
+func shouldLogSigning() bool {
+ return *logSinging || *debug
+}
+
 func roleSessionName() string {
 suffix, err := os.Hostname()
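Review bot: The assignment `sessionConfig.CredentialsChainVerboseErrors = aws.Bool(shouldLogSigning())` carries no comment saying why the setting is tied to the signing-log flag instead of being left on as the previous patch had it, and the reason is worth recording: as I understand the SDK, verbose chain errors replace the generic no-credentials message with each provider's individual failure, which can expose local file paths, profile names and the metadata endpoint that was consulted, so they belong only in the diagnostic mode the flag already controls. I would add `// Verbose chain errors list each provider's failure (may include local paths and profile names); keep them tied to the debug/signing-log flag.` directly above the assignment. The added blank line between `}` and the assignment separates it from the rest of the sessionConfig setup for no visible reason and could be dropped. shouldLogSigning is defined in the last hunk, whose end lies outside this chunk, and it has no doc comment; `// shouldLogSigning reports whether signing and credential-chain diagnostics are enabled (signing-log or debug flag set).` would cover it. main's body starts and ends outside the hunk.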