A(mazing) Local Prefetch Proxy for Amazon CredentiAls (using AFP)
This prefetches and proxies AWS temporary credentials from the AWS Federation Proxy (AFP).
On any Amazon EC2 instance there is a special webserver that listens on
a link-local address and provides so-called Instance
Metadata.
When running applications on servers inside a private cloud that should
authenticate against AWS, this metadata server isn't available. Hence,
we have to build a bridge into AWS to provide temporary credentials for
that application, so that it believes it is being executed in the cloud
even though it is not. The first part of that bridge is the
aforementioned IMS which connects the private cloud to AWS. The second
part is alppaca, which pre-fetches the credentials for an application via the
IMS, caches them locally in memory and exposes them via a HTTP service
on the same server as the application. The main reason for pre-fetching
and caching is to ensure a response time below one second, which is the
AWS-SDK default timeout. The webservice listens on localhost:25772
and an
iptables rule is used to have it serve requests on
169.254.169.254:80
. It is up to the IMS to decide which account and
role to use in order to obtain temporary credentials for the
application/server.
You can change the following values in /etc/alppaca/config.yaml
to modify
alppaca's behaviour. You can also add more yaml files to the directory, they
are loaded and merged in alphabetical order by yamlreader.
## Set Instance Metadata Service host, port and protocol for e.g. AFP
ims_host: 'localhost'
ims_port: 8080
ims_protocol: 'http'
## Bind to the following address.
bind_ip: 127.0.0.1
bind_port: 25772
## Use these settings if no iptables is used:
# bind_ip: 169.254.169.254
# bind_port: 80
## Possible log levels are debug, info, warning (default), error
log_level: warning
## Example for filelogging:
log_format: '%(asctime)s [%(levelname)s] %(message)s'
## Import Python logging handler and configure.
logging_handler:
module: logging.handlers
class: WatchedFileHandler
args: [/var/log/alppaca.log]
## Allows to automatically switch to another role
# assume_role: arn:aws:iam::123456789012:role/demoRole
## Proxy settings for assume_role call to aws
# aws_proxy_host: my_proxy.local
# aws_proxy_port: 3128
## Connect to specified region for assume_role call
# aws_region: eu-central-1
## Drop privileges and run with this user and group
# instead of user nobody you can use alpacca/alpacca
user: nobody
group: nobody
Full Source: src/main/python/resources/example_config.yaml
When you can't bind your application on port 80 you can use this iptables rule snippet that ensures that all requests to IP
169.254.169.254:80
are redirected to localhost:25772
. You can use the
following statement in your iptables config:
iptables -t nat -A OUTPUT -d 169.254.169.254/32 -p tcp -m addrtype --src-type LOCAL -j DNAT --to-destination 127.0.0.1:25772
Find the init script in the /etc/init.d
directory and start the alppaca
service with sudo service alppaca start
.
Usage of the init script: alppaca <start|restart|stop|status>
You can configure alppaca to issue an assume_role API call using the configuration. This can be useful when you want to assume the role of another account:
assume_role: arn:aws:iam::123456789012:role/demoRole
In case a proxy is required in order to connect to AWS, use this config:
aws_proxy_host: my_proxy.local aws_proxy_port: 3128
If you do not want to install the dependencies system wide, use virtualenv and pybuilder.
Launch the mock IMS service in one terminal:
$ PYTHONPATH=src/main/python python src/main/scripts/alppaca-server-mock
Launch alppaca
in another:
$ sudo PYTHONPATH=src/main/python python src/main/scripts/alppacad start -c src/main/python/resources/example_config.yaml
You need to be root (or use sudo) to start the alppaca as a deamon.
Use curl
to perform some requests in a third one:
$ curl localhost:25772/latest/meta-data/iam/security-credentials/ test_role $ curl localhost:25772/latest/meta-data/iam/security-credentials/test_role '{"Code": "Success", "AccessKeyId": "ASIAI", "SecretAccessKey": "oieDhF", "Token": "6jmePdXNehjPVt7CZ1WMkKrqB6zDc34d2vpLej", "Expiration": "2015-04-17T13:40:18Z", "Type": "AWS-HMAC"}'
And watch the request logging in the other two terminals and in your syslog. Also, by default the credentials are refreshed every minute, so you should see some logging info about that.
Authentication
Local doesn't work for you
Al's now got your back
See Hologram for another solution that brings temporary AWS credentials onto Developer desktops. Metadataproxy is a solution to provide IAM credentials to docker containers.
Copyright 2015 Immobilien Scout GmbH
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at:
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.