alppaca
A(mazing) Local Prefetch Proxy for Amazon CredentiAls
About
This prefeteches and proxies AWS temporary credentials from the AWS Federation Proxy (AFP).
On any Amazon EC2 instance there is a special webserver that listens on
a link-local address and provides so-called Instance
Metadata.
When running applications on servers inside a private cloud that should
authenticate against AWS, this metadata server isn't available. Hence,
we have to build a bridge into AWS to provide temporary credentials for
that application, so that it believes it is being executed in the cloud
even though it is not. The first part of that bridge is the
aforementioned IMS which connects the private cloud to AWS. The second
part is alppaca, pre-fetches the credentials for an application via the
IMS, caches them locally in memory and exposes them via a HTTP service
on the same server as the application. The main reason for pre-fetching
and caching is to ensure a response time below one second, which is the
AWS-SDK default. The webservice listens on localhost:25772
and an
iptables rule is used to have it serve requests on
169.254.169.254:80
. It is up to the IMS to decide which account and
role to use in order to obtain temporary credentials for the
application/server.
Schematic
Integration
Configuration
You can change the following values in /etc/alppaca/config.yaml
to modify
alppacas behaviour. You can also add more yaml files to the directory, they
are loaded and merged in alphabetical order by yamlreader.
# Set Instance Metadata Service host, port and protocol for e.g. AFP
ims_host: 'localhost'
ims_port: 8080
ims_protocol: 'https'
# Bind to the following address.
# Use these settings if no iptables is used:
# bind_ip: 169.254.169.254
# bind_port: 80
bind_ip: 127.0.0.1
bind_port: 25772
# Import Python logging handler and configure.
# Uses syslog by default.
logging_handler:
'module': 'logging.handlers'
'class': 'SysLogHandler'
'args': []
'kwargs':
'address': '/dev/log'
Source: src/main/python/resources/example_config.yaml
iptables configuration
When you can't bind your application on port 80 you can use this iptables rule snippet that ensures that all requests to IP
169.254.169.254:80
are redirected to localhost:25772
. You can use the
following statement in your iptables config:
iptables -t nat -A OUTPUT -d 169.254.169.254/32 -p tcp -m addrtype --src-type LOCAL -j DNAT --to-destination 127.0.0.1:25772
alppaca as a service
Find the init script in the /etc/init.d
directory and start the alppaca
service with sudo service alppaca start
.
Usage of the init script: alppaca <start|restart|stop|status>
Playing around
Start tmux
.
Launch the mock IMS service in one tmux window:
$ PYTHONPATH=src/main/python python src/main/scripts/alppaca-server-mock
Launch alppaca
in another:
$ PYTHONPATH=src/main/python python src/main/scripts/alppacad -c src/main/python/resources/example_config.yaml
Use curl
to perform some requests in a third one:
$ curl localhost:25772/latest/meta-data/iam/security-credentials/ test_role $ curl localhost:25772/latest/meta-data/iam/security-credentials/test_role '{"Code": "Success", "AccessKeyId": "ASIAI", "SecretAccessKey": "oieDhF", "Token": "6jmePdXNehjPVt7CZ1WMkKrqB6zDc34d2vpLej", "Expiration": "2015-04-17T13:40:18Z", "Type": "AWS-HMAC"}'
And watch the logging info in the other two. Also, by default the credentials are refreshed every minute, so you should see some logging info about that.
Descriptive Haiku
Authentication
Local doesn't work for you
Al's now got your back
See also
See Hologram for another solution that brings temporary AWS credentials onto Developer desktops.
License
Copyright 2015 Immobilienscout24 GmbH
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.