cllunsford / aws-signing-proxy


Golang http proxy to transparently sign requests to AWS endpoints

Home Page: https://hub.docker.com/r/cllunsford/aws-signing-proxy/

Go 82.03% Makefile 14.02% Dockerfile 3.95%
aws-elasticsearch signed-requests

aws-signing-proxy's People

Contributors: andrew-d, cllunsford, hairyhenderson, macat, mariux, queeno


aws-signing-proxy's Issues

Ability to debug requests

I'm running the proxy on my mac, with an SSH tunnel through a VPC bastion host pointing to the ES domain inside of a VPC.
Run command:
docker run -it --rm -p 8080:8080 --add-host my-vpc-es.us-east-1.es.amazonaws.com:192.168.65.2 -e AWS_ACCESS_KEY_ID=(aws --profile=default configure get aws_access_key_id) -e AWS_SECRET_ACCESS_KEY=(aws --profile=default configure get aws_secret_access_key) -e AWS_REGION=us-east-1 --name aws-signing-proxy cllunsford/aws-signing-proxy -target https://my-vpc-es.us-east-1.es.amazonaws.com:9443 -region us-east-1

Getting the following response with a 403:
{"message":"The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details."}

Is there any way to debug the request/response? print headers maybe?

Can't load CSS for Kibana

When loading Kibana through the proxy, there are a bunch of 403s. The first of which is for http://localhost:8080/_plugin/kibana/main.css?_b=6103, which yields a JSON object with this error message from AWS:

The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

The Canonical String for this request should have been
'GET
/_plugin/kibana/styles/main.css
_b=6103
host:search-my-es-domain-1234567890abcdefghijklmnop.us-east-1.es.amazonaws.com
x-amz-date:20160301T020512Z

host;x-amz-date

0123456789abcdeffedcba98765432100123456789abcdeffedcba9876543210'

The String-to-Sign should have been
'AWS4-HMAC-SHA256
20160301T020512Z
20160301/us-east-1/es/aws4_request
0123456789abcdeffedcba98765432100123456789abcdeffedcba9876543210'

(I've obviously obscured a bunch of stuff here 😉)

It seems like any URL with a query string gets incorrectly signed.

Make aws profile configurable

Hi,

Currently the proxy always uses the default profile in ~/.aws/credentials. It would be good if you could override this with a command line parameter '--profile' as in the aws cli.

Regards
Frank

New docker image

Awesome project, it's working quite nicely for my particular use case! A couple of quick questions.

  • Is this repo still being maintained?
  • Is it possible to get a new version of the docker container built and pushed to the docker hub?

Create Releases with Binaries

It would be super handy to have GitHub releases set up for this project. Travis CI or Circle CI should be set up to compile this on tag and upload the binaries to a specific release.

Can't build current version, bin file is in _bin, not root repo dir

Hi, seems like this change https://github.com/cllunsford/aws-signing-proxy/blob/master/Dockerfile#L14
is breaking current builds when using make build:

docker build -t cllunsford/aws-signing-proxy:latest .
Sending build context to Docker daemon 142.9 MB
Step 1/6 : FROM scratch
 ---> 
Step 2/6 : MAINTAINER Chris Lunsford <[email protected]>
 ---> Using cache
 ---> 98af7f3036ff
Step 3/6 : ADD ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 ---> Using cache
 ---> 2fe3d0bf569c
Step 4/6 : ADD aws-signing-proxy /
lstat aws-signing-proxy: no such file or directory
Makefile:22: recipe for target 'dockbuild' failed
make: *** [dockbuild] Error 1

That fixes it:

--- a/Dockerfile
+++ b/Dockerfile
@@ -6,7 +6,7 @@ MAINTAINER Chris Lunsford <[email protected]>
 ADD ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 
 # Add executable
-ADD aws-signing-proxy /
+ADD _bin/aws-signing-proxy /
 
 # Default listening port
 EXPOSE 8080
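Review bot: the path fix in this hunk (`ADD _bin/aws-signing-proxy /`) leaves the build ordering implicit; the log above shows `dockbuild` (Makefile:22) failing simply because the binary did not exist yet, so the `dockbuild` target should depend on the target that produces `_bin/aws-signing-proxy`, and Makefile and Dockerfile should take that path from one variable so the two cannot drift apart again. While touching this line, `COPY _bin/aws-signing-proxy /` is preferable to `ADD` for a local file: `ADD` also fetches remote URLs and auto-extracts archives, behaviour a single static binary never needs.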

Docker image size

Hey,

thanks for putting the work into this, was just about to implement the exact same thing when I thought to search for any existing projects.

I've submitted a pull request (#4) to include a credential lookup chain. What I've also done in my own repository is write a Makefile for building a tiny docker image (7MB - compresses to 2MB on docker hub) from the scratch base image.

The Makefile is a bit hacky and uses the official golang image to compile the app so you don't need to have golang setup locally.

(Feel free to take a look at it: https://github.com/AlexRudd/aws-signing-proxy)

Probably not the best approach for everyone and I don't know how compatible it is with other OSes besides Ubuntu; but let me know if you'd like me to open a pull request for the Makefile and accompanying Dockerfile.

Thanks,
Alex

Provide option to listen on specific TCP address

The proxy listens on every TCP address with the given port.

For security reasons (e.g. when running as a sidecar in Kubernetes), I want to restrict it to listen on 127.0.0.1:8080 only.

Please provide an option to bind the http server on a specific TCP address, e.g. like this:

./aws-signing-proxy -listen 127.0.0.1:8080

Provide Basic Auth authentication

In order to secure the proxy we would need to define username and password and set a WWW-Authenticate header or stick to another HTTP package which allows us to request/parse credentials easily.

Auto-refresh credentials without restarting container

We use short-TTL (1 hour) temporary credentials to access AWS services. It would be really useful if this proxy would attempt to reload the credentials from the environment (or creds file) if they have expired.

error: "credential should be scoped to correct service"

After setting environment variables:

export AWS_ACCESS_KEY_ID=XXX
export AWS_SECRET_ACCESS_KEY=YYY
export AWS_REGION=us-west-2
export AWS_DEFAULT_REGION=us-west-2

and running the proxy:

aws-signing-proxy -target https://batch.us-west-2.amazonaws.com -port 8081

I hit it in another window and get the following error:

$ curl -X POST http://localhost:8081/v1/describecomputeenvironments
{"message":"Credential should be scoped to correct service: 'batch'. "}

I don't think credentials are the problem because in the first window, after setting environment variables, I can call the API directly:

$ aws batch describe-compute-environment
... successful output omitted ...
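Two of the issues above come down to the same SigV4 structure: the Kibana 403 is what happens when a proxy signs only the path and drops the query string (`main.css?_b=6103`) from the canonical request, and the Batch 403 is what happens when the credential scope names the wrong service. The Go below is an added illustration, not code from aws-signing-proxy; it rebuilds the canonical request and string-to-sign that AWS echoed back (recomputing the hashes the reporter obscured), and `serviceFromHost` is an assumed, illustrative rule for deriving the scope service from the target host, not the proxy's own logic.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// canonicalQuery sorts and RFC 3986-encodes the query string; a proxy that signs only the path
// and drops this component turns main.css?_b=6103 into "signature does not match".
func canonicalQuery(rawQuery string) string {
	vals, _ := url.ParseQuery(rawQuery)
	for _, vs := range vals {
		sort.Strings(vs) // Encode sorts by key; SigV4 also orders repeated keys by value
	}
	return strings.ReplaceAll(vals.Encode(), "+", "%20") // SigV4 wants %20 for space, not +
}

// canonicalRequest mirrors the block AWS echoes in the 403 body (GET, empty payload, host;x-amz-date signed).
func canonicalRequest(method, path, rawQuery, host, amzDate string) string {
	return strings.Join([]string{method, path, canonicalQuery(rawQuery), "host:" + host,
		"x-amz-date:" + amzDate, "", "host;x-amz-date", fmt.Sprintf("%x", sha256.Sum256(nil))}, "\n")
}

// serviceFromHost derives the credential-scope service from the target host (illustrative rule,
// not the proxy's own); a wrong value yields "Credential should be scoped to correct service".
func serviceFromHost(host string) string {
	regionRe := regexp.MustCompile(`^[a-z]{2}-[a-z]+-\d$`) // e.g. us-east-1
	labels := strings.Split(strings.TrimSuffix(host, ".amazonaws.com"), ".")
	for i, l := range labels {
		switch {
		case !regionRe.MatchString(l):
		case i+1 < len(labels):
			return labels[i+1] // "<domain>.<region>.es" -> "es"
		case i > 0:
			return labels[i-1] // "batch.<region>" -> "batch"
		}
	}
	return ""
}

// stringToSign is the value that is HMAC-signed: algorithm, timestamp, scope, canonical request hash.
func stringToSign(canonReq, amzDate, region, service string) string {
	scope := amzDate[:8] + "/" + region + "/" + service + "/aws4_request"
	return strings.Join([]string{"AWS4-HMAC-SHA256", amzDate, scope,
		fmt.Sprintf("%x", sha256.Sum256([]byte(canonReq)))}, "\n")
}
```

Comparing the output of `canonicalRequest` line by line against the "Canonical String for this request should have been" block in a 403 body is the quickest way to find which component a signing proxy mangled.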
