Provide AWS credentials to a container from the host
This CLI tool runs a server compliant with the EC2 IMDSv2 interface in order to vend AWS credentials, primarily to export credentials into locally-run containers.
This is better than mounting your `~/.aws` directory into a container, as (a) it allows for mechanisms that only work on the host, e.g., custom credential processes, and (b) it only vends one set of (refreshable) credentials to the container rather than providing access to all your credentials.
Three options:
- Download the latest release
- Use `go install`. `go install` will install to `$GOBIN` or `$GOPATH/bin` or `$HOME/go/bin`, so ensure that directory is on your `$PATH`.
  $ go install github.com/benkehoe/imds-credential-server@main
- Clone the repo
  $ git clone https://github.com/benkehoe/imds-credential-server
  $ cd imds-credential-server && go build .
Run the server in one terminal. It needs to have credentials available to it in the normal manner; the `--profile` option works as you'd expect. It will bind to localhost by default; if you need something different, use the `HOST:PORT` format.
$ imds-credential-server 8081
And then run a container in a separate terminal. Note the trailing slash on the URL.
$ docker run --rm -p 8081:8081 -e AWS_EC2_METADATA_SERVICE_ENDPOINT=http://host.docker.internal:8081/ amazon/aws-cli sts get-caller-identity
{
"UserId": "AROAXXXXXXXXXXXXXXXXX:SessionName",
"Account": "123456789012",
"Arn": "arn:aws:sts::123456789012:assumed-role/SomeRole/SessionName"
}
You must provide a port (or optionally a full address) for the server. Then map the port from the host to the container, and set the environment variable `AWS_EC2_METADATA_SERVICE_ENDPOINT` to `http://host.docker.internal:MAPPED_PORT/` with the appropriate port, and remember to include the trailing slash (the CLI and some SDKs won't work correctly without it).
AWS SDKs run inside the container should just work, as should any tool that relies on them. For tools that don't correctly accept the full range of AWS credential sources, check out aws-export-credentials, ideally using it inside the container.
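As an added illustration (not code from this project), here is the IMDSv2 exchange that an SDK performs against the server, written as a small Go client: a PUT for a session token, then GETs for the role name and its credential document, each carrying the token header. The paths, header names and JSON field names are the documented EC2 IMDS ones; the `http://localhost:8081/` endpoint matches the example above, and the client treats any non-200 response (such as a token-less GET being refused) as an error.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Credentials holds the fields of the IMDS credential document used here.
type Credentials struct{ AccessKeyId, SecretAccessKey, Token, Expiration string }

// FetchIMDSv2 runs the IMDSv2 exchange against endpoint (e.g. http://localhost:8081/,
// with or without the trailing slash): PUT for a session token, then GET the role
// name and its credential document, each GET carrying the token header.
func FetchIMDSv2(client *http.Client, endpoint string) (*Credentials, error) {
	base := strings.TrimSuffix(endpoint, "/")
	const credsPath, tokenHdr = "/latest/meta-data/iam/security-credentials/", "X-aws-ec2-metadata-token"
	// Step 1: request a session token; the TTL header is mandatory (21600 s is the 6 h maximum).
	token, err := call(client, http.MethodPut, base+"/latest/api/token", "X-aws-ec2-metadata-token-ttl-seconds", "21600")
	if err != nil { return nil, fmt.Errorf("token: %w", err) }
	// Step 2: every GET carries the token; GETs without it are what IMDSv2 refuses.
	role, err := call(client, http.MethodGet, base+credsPath, tokenHdr, token)
	if err != nil { return nil, fmt.Errorf("role: %w", err) }
	doc, err := call(client, http.MethodGet, base+credsPath+role, tokenHdr, token)
	if err != nil { return nil, fmt.Errorf("credentials: %w", err) }
	var c Credentials
	if err := json.Unmarshal([]byte(doc), &c); err != nil { return nil, fmt.Errorf("credential document: %w", err) }
	return &c, nil
}

// call issues one IMDS request with a single header and returns the trimmed body,
// or an error for any non-200 status.
func call(client *http.Client, method, url, hdr, val string) (string, error) {
	req, _ := http.NewRequest(method, url, nil)
	req.Header.Set(hdr, val)
	resp, err := client.Do(req)
	if err != nil { return "", err }
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	if resp.StatusCode != http.StatusOK { return "", fmt.Errorf("%s %s: HTTP %d", method, url, resp.StatusCode) }
	return strings.TrimSpace(string(body)), nil
}

func main() {
	c, err := FetchIMDSv2(http.DefaultClient, "http://localhost:8081/")
	if err != nil { fmt.Println("error:", err); return }
	// Print only the non-secret fields: the key id and when the credentials expire.
	fmt.Println("AccessKeyId:", c.AccessKeyId, "Expiration:", c.Expiration)
}
```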
If you're using static credentials from an IAM User or, god forbid, account root, it will use STS.GetSessionToken to turn these into temporary credentials, which both matches IMDSv2 on EC2 (those are always temporary role credentials) and reduces the security risk of providing those credentials.
You can use `imds-credential-server version` to get the version (this project uses monotonic versioning).