diff --git a/Dockerfile b/Dockerfile
index 0f4abebcc..f1d61721e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -211,7 +211,6 @@ RUN curl --fail -sSL -O https://dl.google.com/dl/cloudsdk/channels/rapid/downloa
 # AWS
 #
 ENV AWS_DATA_PATH=/localhost/.aws/
-ENV AWS_SHARED_CREDENTIALS_FILE=/localhost/.aws/credentials
 ENV AWS_CONFIG_FILE=/localhost/.aws/config
 #
diff --git a/rootfs/etc/profile.d/aws-vault.sh b/rootfs/etc/profile.d/aws-vault.sh
index d73f2395a..c0ff1e2f2 100644
--- a/rootfs/etc/profile.d/aws-vault.sh
+++ b/rootfs/etc/profile.d/aws-vault.sh
@@ -5,8 +5,14 @@ if [ -n "${AWS_VAULT}" ]; then
 export TF_VAR_aws_assume_role_arn=$(aws sts get-caller-identity --output text --query 'Arn' | sed 's/:sts:/:iam:/g' | sed 's,:assumed-role/,:role/,' | cut -d/ -f1-2)
 echo "* Assumed role ${TF_VAR_aws_assume_role_arn}"
 else
+AWS_VAULT_ARGS=("--assume-role-ttl=${AWS_VAULT_ASSUME_ROLE_TTL}")
 [ -d /localhost/.awsvault ] || mkdir /localhost/.awsvault
 ln -sf /localhost/.awsvault ${HOME}
+if [ "${VAULT_SERVER_ENABLED:-true}" == "true" ]; then
+echo "* Started EC2 metadata service at http://169.254.169.254/latest"
+aws-vault server &
+AWS_VAULT_ARGS+=("--server")
+fi
 fi
 PROMPT_HOOKS+=("aws_vault_prompt")
@@ -39,9 +45,9 @@ function assume-role() {
 shift
 if [ $# -eq 0 ]; then
-aws-vault exec --assume-role-ttl=${AWS_VAULT_ASSUME_ROLE_TTL} $role -- bash -l
+aws-vault exec ${AWS_VAULT_ARGS[@]} $role -- bash -l
 else
-aws-vault exec --assume-role-ttl=${AWS_VAULT_ASSUME_ROLE_TTL} $role -- $*
+aws-vault exec ${AWS_VAULT_ARGS[@]} $role -- $*
 fi
 }
diff --git a/rootfs/etc/profile.d/prompt.sh b/rootfs/etc/profile.d/prompt.sh
index 98f9bc76f..7458734da 100755
--- a/rootfs/etc/profile.d/prompt.sh
+++ b/rootfs/etc/profile.d/prompt.sh
@@ -34,7 +34,7 @@ function geodesic_prompt() {
 TWO_JOINED_SQUARES=$'\u29C9 '
 CROSS_MARK=$'\u274C '
-if [ -n "$AWS_SESSION_TOKEN" ]; then
+if [ -n "$AWS_VAULT" ]; then
 export STATUS=${WHITE_HEAVY_CHECK_MARK}
 else
 export STATUS=${CROSS_MARK}
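Review bot: The added `echo "* Started EC2 metadata service ..."` line reports success before `aws-vault server &` has even been launched, and nothing keeps `$!` or checks the job afterwards, so a server that fails to start (every login shell that reaches this branch starts a fresh one, and a second instance presumably cannot bind the same address) leaves the prompt claiming a metadata endpoint that is not there while `--server` is still appended to AWS_VAULT_ARGS. I would launch first and keep the PID, `aws-vault server & AWS_VAULT_SERVER_PID=$!`, then print the message, so a later hook can verify the process. `VAULT_SERVER_ENABLED` also drops the `AWS_VAULT_` prefix that `AWS_VAULT_ASSUME_ROLE_TTL` and `AWS_VAULT_ARGS` use in this file and reads like a HashiCorp Vault setting; `AWS_VAULT_SERVER_ENABLED` would be less ambiguous. A comment above the new `if`, such as `# Serves the vault's credentials to any process in this network namespace via 169.254.169.254; set VAULT_SERVER_ENABLED=false to opt out`, would document the exposure that the default of true implies. The enclosing if/else begins before this hunk.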
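Review bot: `${AWS_VAULT_ARGS[@]}` and `$role` are unquoted on both new `aws-vault exec` lines, so an array element or role name containing whitespace or glob characters is re-split before reaching aws-vault; write `aws-vault exec "${AWS_VAULT_ARGS[@]}" "$role" -- bash -l` and `aws-vault exec "${AWS_VAULT_ARGS[@]}" "$role" -- "$@"` (the pre-existing `$*` has the same problem). AWS_VAULT_ARGS is also assigned only in the else branch of the earlier hunk, so if assume-role is invoked from a shell where AWS_VAULT was already set the array is empty and `--assume-role-ttl` is silently dropped, whereas the replaced lines always passed it; either initialise the array before the if/else or fall back to the TTL here. The function's signature and its first lines are outside the hunk.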
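Review bot: Changing the test from `AWS_SESSION_TOKEN` to `AWS_VAULT` changes what the check mark means — it now says the shell was launched through aws-vault, not that session credentials are present in the environment — and nothing in the hunk records why. Presumably this is because in `aws-vault server` mode credentials are fetched from the metadata endpoint rather than exported, so `AWS_SESSION_TOKEN` is no longer set; a comment above the `if` would keep that reasoning, e.g. `# AWS_VAULT is set by 'aws-vault exec'; with --server the credentials come from the metadata endpoint, not env vars, so AWS_SESSION_TOKEN cannot be used as the indicator`. Worth stating in that comment that the mark therefore no longer reflects credential expiry. geodesic_prompt begins before this hunk.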