cllunsford/aws-signing-proxy

aws-signing-proxy

aws-signing-proxy is a reverse proxy, written in Go, that automatically signs requests made to AWS endpoints with Signature Version 4. It leverages the aws-sdk-go library to sign requests to arbitrary URLs in AWS. I wrote it to connect a Kibana instance to an AWS Elasticsearch cluster using an IAM role instead of hard-coding IPs in the domain's access policy. Other uses may exist.

Docker image: https://hub.docker.com/r/cllunsford/aws-signing-proxy/

Usage

export AWS_ACCESS_KEY_ID=<xxx>
export AWS_SECRET_ACCESS_KEY=<xxx>
export AWS_REGION=<xxx>
export AWS_PROFILE=<xxx>  # Optional: use a named profile from ~/.aws/credentials instead of the two keys above
./aws-signing-proxy -target https://search-my-cluster.us-west-2.es.amazonaws.com [-port 8080] [-service es]

Flags

General:

  • -target - URL of the AWS endpoint to send requests to (for example the Elasticsearch domain endpoint). Required.
  • -port - Port for the proxy to LISTEN on; requests are forwarded to whatever port (or scheme default) is in target. Default: 8080.
  • -service - Signing name of the AWS service you are sending to, default: es. It becomes part of the SigV4 credential scope (date/region/service/aws4_request), so a wrong value yields a signature the endpoint rejects.

HTTP Connection Tuning:

  • -flush-interval - ReverseProxy FlushInterval, the interval at which buffered response data is flushed to the client; default: 0
  • -idle-conn-timeout - Transport idle connection timeout, how long an idle keep-alive connection to the target is kept open; default: 90s
  • -dial-timeout - Transport dial timeout for connecting to the target; default: 30s
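What the proxy does with those three flags, as an added example written for this page rather than the project's own code (aws-signing-proxy uses aws-sdk-go's v4 signer and credential chain; this block implements SigV4 with the standard library only so it can be read end to end): a Director that points each request at -target, hashes the body, and signs with the -service name. Static credentials, the TARGET environment variable standing in for the -target flag, and the service name fixed to the project's default es in main are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
	"sort"
	"strings"
	"time"
)

// Credentials are static here; the real proxy resolves them through aws-sdk-go's credential chain.
type Credentials struct{ AccessKeyID, SecretAccessKey, SessionToken string }

// Never signed: hop-by-hop headers (ReverseProxy strips them after Director runs) and a client's own Authorization.
var unsigned = map[string]bool{"authorization": true, "connection": true, "content-length": true, "keep-alive": true,
	"proxy-authorization": true, "te": true, "trailer": true, "transfer-encoding": true, "upgrade": true}

func hmacSHA256(key []byte, msg string) []byte { m := hmac.New(sha256.New, key); m.Write([]byte(msg)); return m.Sum(nil) }

func hexSHA256(b []byte) string { sum := sha256.Sum256(b); return hex.EncodeToString(sum[:]) }

// SigV4 wants RFC 3986 escaping: only unreserved characters left bare and space as %20, not +.
func awsEscape(s string) string { return strings.ReplaceAll(url.QueryEscape(s), "+", "%20") }

// SignRequest adds X-Amz-Date, X-Amz-Security-Token (temporary credentials) and the SigV4 Authorization header
// to req; body must be the exact payload that will be sent. It returns the hex signature.
func SignRequest(req *http.Request, creds Credentials, region, service string, now time.Time, body []byte) string {
	amzDate := now.UTC().Format("20060102T150405Z")
	req.Header.Set("X-Amz-Date", amzDate)
	if creds.SessionToken != "" {
		req.Header.Set("X-Amz-Security-Token", creds.SessionToken)
	}
	// Canonical headers: lowercase names, whitespace-collapsed values, sorted by name; Host comes from req.Host.
	headers := map[string]string{"host": req.Host}
	for name, vals := range req.Header {
		if n := strings.ToLower(name); !unsigned[n] {
			headers[n] = strings.Join(strings.Fields(strings.Join(vals, ",")), " ")
		}
	}
	names := make([]string, 0, len(headers))
	for n := range headers {
		names = append(names, n)
	}
	sort.Strings(names)
	var canonHeaders strings.Builder
	for _, n := range names {
		canonHeaders.WriteString(n + ":" + headers[n] + "\n")
	}
	var query []string // canonical query string: escaped key=value pairs, sorted
	for k, vs := range req.URL.Query() {
		for _, v := range vs {
			query = append(query, awsEscape(k)+"="+awsEscape(v))
		}
	}
	sort.Strings(query)
	signedHeaders := strings.Join(names, ";")
	canonicalRequest := strings.Join([]string{req.Method, req.URL.EscapedPath(), strings.Join(query, "&"),
		canonHeaders.String(), signedHeaders, hexSHA256(body)}, "\n")
	scope := amzDate[:8] + "/" + region + "/" + service + "/aws4_request"
	stringToSign := strings.Join([]string{"AWS4-HMAC-SHA256", amzDate, scope, hexSHA256([]byte(canonicalRequest))}, "\n")
	// Signing key: an HMAC chain over the date, region, service name and the literal "aws4_request".
	kSigning := hmacSHA256(hmacSHA256(hmacSHA256(hmacSHA256([]byte("AWS4"+creds.SecretAccessKey), amzDate[:8]), region), service), "aws4_request")
	signature := hex.EncodeToString(hmacSHA256(kSigning, stringToSign))
	req.Header.Set("Authorization", fmt.Sprintf("AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s",
		creds.AccessKeyID, scope, signedHeaders, signature))
	return signature
}

// NewSigningProxy returns a ReverseProxy whose Director points every request at target and signs it.
func NewSigningProxy(target *url.URL, creds Credentials, region, service string) *httputil.ReverseProxy {
	return &httputil.ReverseProxy{Director: func(req *http.Request) {
		req.URL.Scheme, req.URL.Host = target.Scheme, target.Host
		req.Host = target.Host // the signed Host must be the AWS endpoint, not the proxy's own listen address
		var body []byte
		if req.Body != nil {
			body, _ = io.ReadAll(req.Body) // the payload hash must cover the bytes actually forwarded
			req.Body = io.NopCloser(bytes.NewReader(body))
		}
		SignRequest(req, creds, region, service, time.Now(), body)
	}}
}

func main() { // TARGET stands in for -target (an assumption of this example); service fixed to the project default, es
	target, err := url.Parse(os.Getenv("TARGET"))
	if err != nil || target.Host == "" {
		log.Fatal("TARGET must be an AWS endpoint URL, e.g. https://search-my-cluster.us-west-2.es.amazonaws.com")
	}
	creds := Credentials{os.Getenv("AWS_ACCESS_KEY_ID"), os.Getenv("AWS_SECRET_ACCESS_KEY"), os.Getenv("AWS_SESSION_TOKEN")}
	// Loopback only: whoever can reach this port makes requests under the proxy's IAM identity.
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", NewSigningProxy(target, creds, os.Getenv("AWS_REGION"), "es")))
}
```

Signing the IAM ListUsers request from the AWS SigV4 documentation (access key AKIDEXAMPLE, 2015-08-30T12:36:00Z, scope us-east-1/iam) with SignRequest reproduces the documented signature, which is the quickest way to check any signer before pointing it at a real endpoint. Two details matter for a proxy specifically: the Host that goes into the canonical request has to be the AWS endpoint rather than the address the proxy listens on, and the body has to be read and replaced so that the payload hash covers the bytes that are actually forwarded. The X-Amz-Date the signer writes is what ties the proxy's clock to every request.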

Credential chain

AWS credentials are resolved through the aws-sdk-go default chain, in the following order:

  1. Environment variables visible to the process (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and, for temporary credentials, AWS_SESSION_TOKEN)
  2. The ~/.aws/credentials file, using the default profile or the one named in AWS_PROFILE
  3. Any IAM instance profile role assigned to the EC2 instance the proxy runs on

Whichever identity is resolved, every request that reaches the listen port is signed with it: nothing in the proxy authenticates its own clients, so bind the port to localhost or a private interface and treat network access to it as equivalent to holding the credentials.

Building

If you have Go installed, you can build and install the binary natively:

go install

The Makefile is used for the production build on Travis CI. It builds the binary inside a Docker container. After installing Docker:

make gobuild   # creates the binary
make dockbuild # creates a docker image with the binary

or

make build     # does both

Notes, Tips

Signature Expired

If you see:

{"message":"Signature expired: 20160415T172935Z is now earlier than 20160415T174424Z (20160415T174924Z - 5 min.)"}

verify that the clock on the proxy host is in sync (for example with NTP). Every signature carries the X-Amz-Date it was computed with, and AWS rejects requests whose signing time is more than 5 minutes away from its own clock; in the message above the signing time was roughly 20 minutes behind the server.

Kibana Forbidden index write

For AWS Elasticsearch, the built-in Kibana populates the .kibana index, and writes to that index from your own Kibana are rejected. If you see:

ClusterBlockException[blocked by: [FORBIDDEN/8/index write (api)];]

try changing the Kibana index setting so that your instance uses a different index. The marcbachmann/kibana4 Docker image allows you to change this easily by setting the KIBANA_INDEX environment variable.

License

MIT 2018 (c) Chris Lunsford