Add support for aws-vault server mode (#117)

cloudposse · Apr 6, 2018 · abe7ebe · abe7ebe
1 parent 3162a1e
commit abe7ebe
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 4 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -211,7 +211,6 @@ RUN curl --fail -sSL -O https://dl.google.com/dl/cloudsdk/channels/rapid/downloa
 # AWS
 #
 ENV AWS_DATA_PATH=/localhost/.aws/
-ENV AWS_SHARED_CREDENTIALS_FILE=/localhost/.aws/credentials
 ENV AWS_CONFIG_FILE=/localhost/.aws/config
 
 #

diff --git a/rootfs/etc/profile.d/aws-vault.sh b/rootfs/etc/profile.d/aws-vault.sh
@@ -5,8 +5,14 @@ if [ -n "${AWS_VAULT}" ]; then
   export TF_VAR_aws_assume_role_arn=$(aws sts get-caller-identity --output text --query 'Arn' | sed 's/:sts:/:iam:/g' | sed 's,:assumed-role/,:role/,' | cut -d/ -f1-2)
   echo "* Assumed role ${TF_VAR_aws_assume_role_arn}"
 else
+  AWS_VAULT_ARGS=("--assume-role-ttl=${AWS_VAULT_ASSUME_ROLE_TTL}")
   [ -d /localhost/.awsvault ] || mkdir /localhost/.awsvault
   ln -sf /localhost/.awsvault ${HOME}
+  if [ "${VAULT_SERVER_ENABLED:-true}" == "true" ]; then
+    echo "* Started EC2 metadata service at http://169.254.169.254/latest"
+    aws-vault server &
+    AWS_VAULT_ARGS+=("--server")
+  fi
 fi
 
 PROMPT_HOOKS+=("aws_vault_prompt")
@@ -39,9 +45,9 @@ function assume-role() {
 
   shift
   if [ $# -eq 0 ]; then
-    aws-vault exec --assume-role-ttl=${AWS_VAULT_ASSUME_ROLE_TTL} $role -- bash -l
+    aws-vault exec ${AWS_VAULT_ARGS[@]} $role -- bash -l
   else
-    aws-vault exec --assume-role-ttl=${AWS_VAULT_ASSUME_ROLE_TTL} $role -- $*
+    aws-vault exec ${AWS_VAULT_ARGS[@]} $role -- $*
   fi
 }
 

diff --git a/rootfs/etc/profile.d/prompt.sh b/rootfs/etc/profile.d/prompt.sh
@@ -34,7 +34,7 @@ function geodesic_prompt() {
   TWO_JOINED_SQUARES=$'\u29C9 '
   CROSS_MARK=$'\u274C '
 
-  if [ -n "$AWS_SESSION_TOKEN" ]; then
+  if [ -n "$AWS_VAULT" ]; then
     export STATUS=${WHITE_HEAVY_CHECK_MARK}
   else
     export STATUS=${CROSS_MARK}