cllunsford / aws-signing-proxy
Golang http proxy to transparently sign requests to AWS endpoints
Home Page: https://hub.docker.com/r/cllunsford/aws-signing-proxy/
I'm running the proxy on my mac, with an SSH tunnel through a VPC bastion host pointing to the ES domain inside of a VPC.
Run command:
docker run -it --rm -p 8080:8080 --add-host my-vpc-es.us-east-1.es.amazonaws.com:192.168.65.2 -e AWS_ACCESS_KEY_ID=(aws --profile=default configure get aws_access_key_id) -e AWS_SECRET_ACCESS_KEY=(aws --profile=default configure get aws_secret_access_key) -e AWS_REGION=us-east-1 --name aws-signing-proxy cllunsford/aws-signing-proxy -target https://my-vpc-es.us-east-1.es.amazonaws.com:9443 -region us-east-1
Getting the following response with a 403:
{"message":"The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details."}
Is there any way to debug the request/response? Print headers, maybe?
As the title already describes, I want to use a custom DNS name for my ES domain, which isn't compatible with the common name of the provided SSL certificate.
Useful project! To help folks get started you may want to include a #Prerequisites section, mention docker-ce, and link to something like this: https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-16-04
Then sudo make gobuild will work fine.
When loading Kibana through the proxy, there are a bunch of 403s, the first of which is for http://localhost:8080/_plugin/kibana/main.css?_b=6103, which yields a JSON object with this error message from AWS:
The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
The Canonical String for this request should have been
'GET
/_plugin/kibana/styles/main.css
_b=6103
host:search-my-es-domain-1234567890abcdefghijklmnop.us-east-1.es.amazonaws.com
x-amz-date:20160301T020512Z

host;x-amz-date
0123456789abcdeffedcba98765432100123456789abcdeffedcba9876543210'
The String-to-Sign should have been
'AWS4-HMAC-SHA256
20160301T020512Z
20160301/us-east-1/es/aws4_request
0123456789abcdeffedcba98765432100123456789abcdeffedcba9876543210'
(I've obviously obscured a bunch of stuff here)
It seems like any URL with a query string gets incorrectly signed.
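The canonical request and string-to-sign that AWS echoes back in the 403 body are the two intermediate values of Signature Version 4, and comparing them line by line with what the proxy signed is the quickest way to locate a mismatch. The Go code below is an added example, not the proxy's own signing code: it rebuilds both values for the Kibana request in the issue and derives the signature, with the query-string step (the one the reporter suspects) handled explicitly. The host and timestamp are the placeholders from the issue; the payload hash is that of an empty body (the issue's own hash values are obscured), and the secret used to sign is a made-up string.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

func hmacSHA256(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// SigV4 leaves only the RFC 3986 unreserved set alone; everything else is %XX.
const unreserved = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.~"

func awsURIEncode(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if strings.IndexByte(unreserved, s[i]) >= 0 {
			b.WriteByte(s[i])
		} else {
			fmt.Fprintf(&b, "%%%02X", s[i])
		}
	}
	return b.String()
}

// CanonicalQuery decodes the raw query, re-encodes every key and value and
// sorts the pairs by key, then value; a bare "key" becomes "key=".
func CanonicalQuery(rawQuery string) string {
	type pair struct{ k, v string }
	values, _ := url.ParseQuery(rawQuery) // keeps every well-formed pair; '+' decodes to a space
	var pairs []pair
	for k, vs := range values {
		for _, v := range vs {
			pairs = append(pairs, pair{awsURIEncode(k), awsURIEncode(v)})
		}
	}
	sort.Slice(pairs, func(i, j int) bool {
		if pairs[i].k != pairs[j].k {
			return pairs[i].k < pairs[j].k
		}
		return pairs[i].v < pairs[j].v
	})
	out := make([]string, 0, len(pairs))
	for _, p := range pairs {
		out = append(out, p.k+"="+p.v)
	}
	return strings.Join(out, "&")
}

// CanonicalRequest lays the request out exactly as AWS echoes it in the 403
// body: method, path, query, "name:value" header lines (lower-cased, sorted,
// whitespace collapsed), a blank line, signed-header list, payload hash.
func CanonicalRequest(method, path, rawQuery string, headers map[string]string, payload []byte) (string, string) {
	segs := strings.Split(path, "/")
	for i, s := range segs {
		segs[i] = awsURIEncode(s) // segments are encoded (again) for every service except S3
	}
	canon := make(map[string]string, len(headers))
	names := make([]string, 0, len(headers))
	for k, v := range headers {
		n := strings.ToLower(k)
		canon[n] = strings.Join(strings.Fields(v), " ")
		names = append(names, n)
	}
	sort.Strings(names)
	var hdr strings.Builder
	for _, n := range names {
		hdr.WriteString(n + ":" + canon[n] + "\n")
	}
	signed := strings.Join(names, ";")
	cr := strings.Join([]string{method, strings.Join(segs, "/"), CanonicalQuery(rawQuery),
		hdr.String(), signed, sha256Hex(payload)}, "\n")
	return cr, signed
}

// StringToSign binds the hashed canonical request to the timestamp and the
// credential scope <date>/<region>/<service>/aws4_request.
func StringToSign(amzDate, region, service, canonicalRequest string) string {
	scope := amzDate[:8] + "/" + region + "/" + service + "/aws4_request"
	return strings.Join([]string{"AWS4-HMAC-SHA256", amzDate, scope, sha256Hex([]byte(canonicalRequest))}, "\n")
}

// Signature runs the HMAC chain date -> region -> service -> "aws4_request"
// on the secret key and signs the string to sign with the result.
func Signature(secret, amzDate, region, service, stringToSign string) string {
	kDate := hmacSHA256([]byte("AWS4"+secret), []byte(amzDate[:8]))
	kRegion := hmacSHA256(kDate, []byte(region))
	kService := hmacSHA256(kRegion, []byte(service))
	kSigning := hmacSHA256(kService, []byte("aws4_request"))
	return hex.EncodeToString(hmacSHA256(kSigning, []byte(stringToSign)))
}
```

Calling CanonicalRequest("GET", "/_plugin/kibana/styles/main.css", "_b=6103", headers, nil) with the Host and X-Amz-Date headers from the issue reproduces the canonical string above, including the blank line after the last header and the host;x-amz-date list. The page does not show whether the proxy dropped the query from the canonical request or forwarded it un-normalized; either way the canonical query has to be rebuilt from the parsed parameters rather than copied from the request line, and a debugging hook that prints these two strings next to AWS's echoed versions pinpoints the first differing line.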
Hi,
Currently the proxy always uses the default profile in ~/.aws/credentials. It would be good if you could override this with a command line parameter '--profile' as in the AWS CLI.
Regards
Frank
Awesome project, it's working quite nicely for my particular use case! A couple of quick questions.
It would be super handy to have GitHub releases set up for this project. Travis CI or Circle CI should be set up to compile this on tag and upload the binaries to a specific release.
Hi, seems like this change https://github.com/cllunsford/aws-signing-proxy/blob/master/Dockerfile#L14 is breaking current builds when using make build:
docker build -t cllunsford/aws-signing-proxy:latest .
Sending build context to Docker daemon 142.9 MB
Step 1/6 : FROM scratch
--->
Step 2/6 : MAINTAINER Chris Lunsford <[email protected]>
---> Using cache
---> 98af7f3036ff
Step 3/6 : ADD ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
---> Using cache
---> 2fe3d0bf569c
Step 4/6 : ADD aws-signing-proxy /
lstat aws-signing-proxy: no such file or directory
Makefile:22: recipe for target 'dockbuild' failed
make: *** [dockbuild] Error 1
That fixes it:
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,7 +6,7 @@ MAINTAINER Chris Lunsford <[email protected]>
ADD ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
# Add executable
-ADD aws-signing-proxy /
+ADD _bin/aws-signing-proxy /
# Default listening port
EXPOSE 8080
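Review bot: the new ADD path hard-codes where the Makefile's build step writes the binary, so the Dockerfile and the Makefile now have to be kept in step by hand (the log above shows dockbuild at Makefile:22 failing with "lstat aws-signing-proxy: no such file or directory" precisely because they drifted). Consider passing the output directory in as a build argument, or at least a comment on the ADD line naming the Makefile target that produces _bin/aws-signing-proxy. While touching the line, COPY is the better instruction for a local file: ADD additionally unpacks tar archives and fetches URLs, which is never wanted for a plain binary. Also check that _bin/ is not excluded by a .dockerignore; given the 142.9 MB build context shown above, adding one that keeps only _bin/ and ca-certificates.crt would shrink the context considerably.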
Hey,
thanks for putting the work into this, was just about to implement the exact same thing when I thought to search for any existing projects.
I've submitted a pull request (#4) to include a credential lookup chain. What I've also done in my own repository is write a Makefile for building a tiny Docker image (7MB, compresses to 2MB on Docker Hub) from the scratch base image.
The Makefile is a bit hacky and uses the official golang image to compile the app so you don't need to have golang setup locally.
(Feel free to take a look at it: https://github.com/AlexRudd/aws-signing-proxy)
Probably not the best approach for everyone, and I don't know how compatible it is with other OSes besides Ubuntu; but let me know if you'd like me to open a pull request for the Makefile and accompanying Dockerfile.
Thanks,
Alex
The proxy listens on every TCP address with the given port.
For security reasons (e.g. when running as a sidecar in Kubernetes), I want to restrict it to listen on 127.0.0.1:8080 only.
Please provide an option to bind the HTTP server to a specific TCP address, e.g. like this:
./aws-signing-proxy -listen 127.0.0.1:8080
In order to secure the proxy we would need to define a username and password and set a WWW-Authenticate header, or stick to another HTTP package which allows us to request/parse credentials easily.
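Both requests above, binding to one address instead of every interface and gating the proxy with a username and password, need nothing beyond Go's standard library. The code below is an added example, not the project's own: it stands a plain httputil reverse proxy in for the signing handler (no SigV4 here), and the -listen, -auth-user and -auth-pass flag names are my own choice, not flags the proxy has.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"flag"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// BasicAuth gates next behind HTTP Basic authentication. Username and password
// are hashed before comparison so ConstantTimeCompare always sees equal-length
// inputs, and the two results are AND-ed bitwise rather than short-circuited,
// so neither the length nor the correctness of one field leaks through timing.
func BasicAuth(next http.Handler, user, pass string) http.Handler {
	wantUser := sha256.Sum256([]byte(user))
	wantPass := sha256.Sum256([]byte(pass))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := r.BasicAuth()
		if ok {
			gotUser := sha256.Sum256([]byte(u))
			gotPass := sha256.Sum256([]byte(p))
			if (subtle.ConstantTimeCompare(gotUser[:], wantUser[:]) & subtle.ConstantTimeCompare(gotPass[:], wantPass[:])) == 1 {
				next.ServeHTTP(w, r)
				return
			}
		}
		// RFC 7235: a 401 must carry a challenge so clients know how to authenticate.
		w.Header().Set("WWW-Authenticate", `Basic realm="aws-signing-proxy", charset="UTF-8"`)
		http.Error(w, "unauthorized", http.StatusUnauthorized)
	})
}

// NewServer wires the listen address and optional credentials around a plain
// reverse proxy to target; the signing step is deliberately left out here.
// An empty user disables the auth gate.
func NewServer(listen, target, user, pass string) (*http.Server, error) {
	u, err := url.Parse(target)
	if err != nil {
		return nil, err
	}
	var h http.Handler = httputil.NewSingleHostReverseProxy(u)
	if user != "" {
		h = BasicAuth(h, user, pass)
	}
	return &http.Server{Addr: listen, Handler: h}, nil
}

func main() {
	// Flag names are assumptions for this example, not the proxy's real flags.
	listen := flag.String("listen", "127.0.0.1:8080", "address:port to bind; a loopback address keeps the proxy off every other interface")
	target := flag.String("target", "https://example.us-east-1.es.amazonaws.com", "upstream base URL (placeholder default)")
	user := flag.String("auth-user", "", "Basic auth username; empty disables auth")
	pass := flag.String("auth-pass", "", "Basic auth password")
	flag.Parse()
	srv, err := NewServer(*listen, *target, *user, *pass)
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("listening on %s", srv.Addr)
	log.Fatal(srv.ListenAndServe())
}
```

Basic credentials travel base64-encoded, not encrypted, so the auth gate only adds anything when the hop to the proxy is loopback or already under TLS; for the sidecar case, binding to 127.0.0.1 is the control that actually keeps other pods out, and the password is a second line of defence for processes sharing the same network namespace.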
Currently this app only works when specifying IAM credentials. It would be nice if it also supported IAM roles.
https://github.com/aws/aws-sdk-go/wiki/configuring-sdk#specifying-credentials
We use short-TTL (1 hour) temporary credentials to access AWS services. It would be really useful if this proxy would attempt to reload the credentials from the environment (or creds file) if they have expired.
After setting environment variables:
export AWS_ACCESS_KEY_ID=XXX
export AWS_SECRET_ACCESS_KEY=YYY
export AWS_REGION=us-west-2
export AWS_DEFAULT_REGION=us-west-2
and running the proxy:
aws-signing-proxy -target https://batch.us-west-2.amazonaws.com -port 8081
I hit it in another window and get the following error:
$ curl -X POST http://localhost:8081/v1/describecomputeenvironments
{"message":"Credential should be scoped to correct service: 'batch'. "}
I don't think credentials are the problem because in the first window, after setting environment variables, I can call the API directly:
$ aws batch describe-compute-environments
... successful output omitted ...
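The 403 in this issue is not a bad secret: AWS is saying that the service name in the credential scope (the <date>/<region>/<service>/aws4_request line of the string to sign) was not "batch", so the request was signed for the wrong service. The page does not show how the proxy chooses that name; the Go function below is an added illustration, not the project's code, of deriving region and service from the target hostname in a way that covers both endpoint layouts seen on this page, <domain>.<region>.es.amazonaws.com and batch.<region>.amazonaws.com, and leaves the region empty for global hosts so the caller can fall back to AWS_REGION.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// regionRe matches region codes such as us-east-1, eu-central-1,
// ap-southeast-2 and us-gov-west-1.
var regionRe = regexp.MustCompile(`^[a-z]{2}(-gov)?-[a-z]+-\d+$`)

// Scope is the region/service half of the SigV4 credential scope
// <date>/<region>/<service>/aws4_request.
type Scope struct {
	Service string
	Region  string
}

// ScopeFromTarget derives Scope from an AWS endpoint URL. Two hostname
// layouts are handled:
//   <domain>.<region>.<service>.amazonaws.com   e.g. the ES domains above
//   <service>.<region>.amazonaws.com            e.g. batch.us-west-2.amazonaws.com
// Region is left empty for global endpoints (s3.amazonaws.com) so the caller
// can fall back to AWS_REGION; any :port on the host is ignored.
func ScopeFromTarget(target string) (Scope, error) {
	u, err := url.Parse(target)
	if err != nil {
		return Scope{}, err
	}
	labels := strings.Split(strings.ToLower(u.Hostname()), ".")
	idx := -1
	for i, l := range labels {
		if l == "amazonaws" {
			idx = i
			break
		}
	}
	if idx < 1 {
		return Scope{}, fmt.Errorf("%q is not an amazonaws.com endpoint", u.Host)
	}
	if regionRe.MatchString(labels[idx-1]) {
		// <service>.<region>.amazonaws.com
		if idx < 2 {
			return Scope{}, fmt.Errorf("no service label in %q", u.Host)
		}
		return Scope{Service: labels[idx-2], Region: labels[idx-1]}, nil
	}
	// <...>.<region>.<service>.amazonaws.com, or a global <service>.amazonaws.com
	s := Scope{Service: labels[idx-1]}
	if idx >= 2 && regionRe.MatchString(labels[idx-2]) {
		s.Region = labels[idx-2]
	}
	return s, nil
}

func main() {
	// Targets taken from the issues on this page plus a global endpoint.
	for _, t := range []string{
		"https://my-vpc-es.us-east-1.es.amazonaws.com:9443",
		"https://batch.us-west-2.amazonaws.com",
		"https://s3.amazonaws.com",
	} {
		s, err := ScopeFromTarget(t)
		fmt.Printf("%-52s service=%q region=%q err=%v\n", t, s.Service, s.Region, err)
	}
}
```

Whatever derivation a proxy uses, a -service override is worth having for hostnames that do not follow either pattern, because the error AWS returns only names the expected service after a round trip with the wrong one.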