ELK OIDC Proxy uses Google accounts to authenticate users of AWS ElasticSearch and, by extension, its Kibana plugin. It uses the OpenID Connect (OIDC) protocol on Google's Identity Platform.
Before doing anything, you will need to install the following command line tools.
Then, you must define an environment for deploying into your AWS account. There is an environment template in environment_template.
cp config/environment_template environment
vim environment
Then, load the environment.
source environment
The OIDC proxy requires a load balancer to allow connections from the public internet. This infrastructure should already be created, but if it isn't, you can run the following commands.
# to see what changes will be made
./infrastructure.sh plan
# to apply changes
./infrastructure.sh apply
Note the security group ID and target group ARN output by this command and modify the makefile accordingly.
Having adjusted these variables, if the service has not already been created, you must run the command below.
make service
elk-oidc-proxy is deployed in Amazon ECS from a Docker container. To build this container, run the command below.
$ make image
You must log in to AWS Elastic Container Registry before publishing the container. The command below prints a docker login command; run that output to complete the login.
$ aws ecr get-login --no-include-email --region us-east-1
Then publish the container to ECR.
$ make publish
make deploy
make scale-down
The AWS STS AssumeRole functionality used by the proxy issues temporary security credentials that last only one hour. After the hour expires, you will have to refresh the page to continue using the service.