Skip to content

cllunsford/aws-signing-proxy

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

58 Commits

vendor

vendor

 
 

.gitignore

.gitignore

 
 

.travis.yml

.travis.yml

 
 

Dockerfile

Dockerfile

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

main.go

main.go

 
 

Repository files navigation

aws-signing-proxy

Build Status

aws-signing-proxy is a proxy service, written in go, for automatically signing requests made to AWS endpoints. It leverages the aws-sdk-go library to sign requests to arbitrary URLs in AWS. I wrote it to connect a kibana instance to an AWS Elasticsearch cluster using an IAM role instead of hard-coding IPs in the access policy. Other uses may exist.

Docker image: https://hub.docker.com/r/cllunsford/aws-signing-proxy/

Usage

export AWS_ACCESS_KEY_ID=<xxx>
export AWS_SECRET_ACCESS_KEY=<xxx>
export AWS_REGION=<xxx>
export AWS_PROFILE=<xxx>  # Optional
./aws-signing-proxy -target https://search-my-cluster.us-west-2.es.amazonaws.com [-port 8080] [-service es]

Flags

General:

  • -target - AWS service to send requests to. Required.
  • -port - Port for the proxy to LISTEN on (will forward to whatever port you specify in target), default: 8080.
  • -service - The AWS service type you are sending to, default: es. This is required for the signing process.

HTTP Connection Tuning:

  • -flush-interval - ReverseProxy FlushInterval, default: 0
  • -idle-conn-timeout - Transport Idle Connection Timeout, default: 90s
  • -dial-timeout - Transport Dial Timeout, default: 30s

Credential chain

AWS credentials are looked up in the following order:

  1. Environment variable accessible to the app
  2. The ~/.aws/credentials config file's default profile
  3. Any IAM instance profile role assigned to the instance.

Building

If you have go installed, you can build and install the binary natively:

go install

The Makefile is used for the production build in travis. It builds the binary in a docker container. After installing docker:

make gobuild   # creates the binary
make dockbuild # creates a docker image with the binary

or

make build     # does both

Notes, Tips

Signature Expired

If you see:

{"message":"Signature expired: 20160415T172935Z is now earlier than 20160415T174424Z (20160415T174924Z - 5 min.)"}

verify that the clock/time is in sync on the proxy host.

Kibana Forbidden index write

For AWS Elasticsearch, the built-in kibana populates the .kibana index. If you see:

ClusterBlockException[blocked by: [FORBIDDEN/8/index write (api)];]

try changing the kibana index setting to use a different index. The marcbachmann/kibana4 docker image allows you to change this easily by setting the KIBANA_INDEX environment variable.

License

MIT 2018 (c) Chris Lunsford

About

Golang http proxy to transparently sign requests to AWS endpoints

hub.docker.com/r/cllunsford/aws-signing-proxy/

Topics

signed-requests aws-elasticsearch

Resources

Readme
Activity

Stars

149 stars

Watchers

3 watching

Forks

53 forks
Report repository

Releases 4

0.2.2 Latest
Jun 12, 2018
+ 3 releases

Packages

No packages published

Contributors 7

Languages