A transparent proxy which forwards and signs http requests to AWS services.
Supported AWS credentials:
- Static environment based AWS credentials
- AWS credential files
- Fetching short-lived credentials from a Vault set up with an AWS secrets engine & sts-assumerole
- Fetching short-lived credentials from AWS via an OAuth2 authorization server and OpenID Connect (OIDC)
  - Additionally, you can fetch these credentials asynchronously
- Fetching short-lived credentials via AWS IRSA (IAM Roles for Service Accounts)
For ready-to-use binaries have a look at Releases.
Additionally, we provide a Docker image which can be used as a sidecar in Kubernetes.
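To make concrete what "forwards and signs" means, here is an added example (not part of this project or its code base) of a minimal transparent signing proxy in Go using only the standard library: a Signature Version 4 signer plus an `httputil.ReverseProxy` whose Director rewrites the host, strips any client-supplied AWS auth headers and signs the outbound request. The `Credentials`, `Sign` and `NewSigningProxy` names, the target URL and the listening port are constructed for this example; the key pair is the placeholder pair from the AWS SigV4 documentation, not a real key. It uses static credentials only; the proxy described on this page would plug its Vault/OIDC/IRSA providers in where `creds` is read.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"io"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"sort"
	"strings"
	"time"
)

// Credentials is a static credential set (constructed type for this example).
type Credentials struct {
	AccessKeyID, SecretAccessKey, SessionToken string
}

func sha256Hex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

func hmacSHA256(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// canonicalRequest builds the SigV4 canonical request and the sorted,
// lowercased signed-header list. Every header on the request is signed (first
// value only) and the raw query string is used as-is, so it must already be
// URI-encoded and sorted; a production signer normalizes both.
func canonicalRequest(req *http.Request, payloadHash string) (string, string) {
	names := []string{"host"}
	for k := range req.Header {
		if n := strings.ToLower(k); n != "host" {
			names = append(names, n)
		}
	}
	sort.Strings(names)
	var hdrs strings.Builder
	for _, n := range names {
		v := req.Host
		if n != "host" {
			v = strings.TrimSpace(req.Header.Get(n))
		}
		hdrs.WriteString(n + ":" + v + "\n")
	}
	signed := strings.Join(names, ";")
	path := req.URL.EscapedPath()
	if path == "" {
		path = "/"
	}
	return strings.Join([]string{req.Method, path, req.URL.RawQuery, hdrs.String(), signed, payloadHash}, "\n"), signed
}

// Sign adds X-Amz-Date, X-Amz-Security-Token (temporary credentials only) and
// an AWS Signature Version 4 Authorization header; it returns the hex signature.
// The body is buffered so it can be hashed and still be sent upstream.
func Sign(req *http.Request, creds Credentials, region, service string, now time.Time) (string, error) {
	body := []byte{}
	if req.Body != nil {
		var err error
		if body, err = io.ReadAll(req.Body); err != nil {
			return "", err
		}
		req.Body = io.NopCloser(bytes.NewReader(body))
	}
	amzDate := now.UTC().Format("20060102T150405Z")
	dateStamp := amzDate[:8]
	req.Header.Set("X-Amz-Date", amzDate)
	if creds.SessionToken != "" {
		req.Header.Set("X-Amz-Security-Token", creds.SessionToken)
	}
	cr, signed := canonicalRequest(req, sha256Hex(body))
	scope := strings.Join([]string{dateStamp, region, service, "aws4_request"}, "/")
	stringToSign := strings.Join([]string{"AWS4-HMAC-SHA256", amzDate, scope, sha256Hex([]byte(cr))}, "\n")
	// Signing key: HMAC chain over "AWS4"+secret, date, region, service, terminator.
	key := []byte("AWS4" + creds.SecretAccessKey)
	for _, part := range []string{dateStamp, region, service, "aws4_request"} {
		key = hmacSHA256(key, []byte(part))
	}
	sig := hex.EncodeToString(hmacSHA256(key, []byte(stringToSign)))
	req.Header.Set("Authorization", "AWS4-HMAC-SHA256 Credential="+creds.AccessKeyID+"/"+scope+
		", SignedHeaders="+signed+", Signature="+sig)
	return sig, nil
}

// NewSigningProxy returns a reverse proxy that rewrites every inbound request
// to target, drops any client-supplied AWS auth headers, and signs it.
func NewSigningProxy(target *url.URL, creds Credentials, region, service string) *httputil.ReverseProxy {
	return &httputil.ReverseProxy{Director: func(r *http.Request) {
		r.URL.Scheme, r.URL.Host, r.Host = target.Scheme, target.Host, target.Host
		for _, h := range []string{"Authorization", "X-Amz-Date", "X-Amz-Security-Token"} {
			r.Header.Del(h)
		}
		if _, err := Sign(r, creds, region, service, time.Now()); err != nil {
			r.Header.Del("Authorization") // fail closed: the upstream rejects an unsigned call
		}
	}}
}

func main() {
	target, _ := url.Parse("https://iam.amazonaws.com") // constructed target
	creds := Credentials{AccessKeyID: "AKIDEXAMPLE", SecretAccessKey: "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"}
	log.Fatal(http.ListenAndServe(":8080", NewSigningProxy(target, creds, "us-east-1", "iam")))
}
```

Point an unauthenticated client at `http://localhost:8080` and the upstream sees a signed request. Stripping the inbound `Authorization` header before signing matters: a transparent proxy sits on the trust boundary, so whatever the client sends must not leak into, or be confused with, the credentials the proxy holds.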
- Support for AWS IRSA
- Version 2.0.0 comes
  - with a built-in circuit breaker for requesting credentials from either OIDC or Vault
  - with better error handling and panic recovery
  - with json logging enabled by default
  - Command line flags are not supported anymore, use env vars instead
  - Health Port is now called Mgmt Port
    - it provides the `/status/health` endpoint for health probes and the `/status/metrics` endpoint for prometheus metrics
- Change directory to `cmd/aws-signing-proxy`
- Run `go build`
❗NOTE: the provided pre-built macOS binaries might fail with name resolution issues on your macOS machine if you are using a (corporate) VPN. This does not occur on Linux, Windows or Docker. If you are affected, either use the provided Docker image or build the binaries from source on your machine.
Execute the binary with the required environment variables set:

```shell
# one command: the assignments are passed into the binary's environment
ASP_CREDENTIALS_PROVIDER=vault \
ASP_VAULT_AUTH_TOKEN=someTokenWhichAllowsYouToAccessVault \
ASP_VAULT_URL=https://vault.url.invalid \
ASP_TARGET_URL=https://someAWSServiceSupportingSignedHttpRequests \
ASP_SERVICE=s3 \
AWS_REGION=eu-central-1 \
ASP_VAULT_CREDENTIALS_PATH=/an-aws-engine-in-vault/creds/a-role-defined-aws \
aws-signing-proxy
```
Execute the binary with the required environment variables set:

```shell
# one command: the assignments are passed into the binary's environment
ASP_CREDENTIALS_PROVIDER=oidc \
ASP_TARGET_URL=https://someAWSServiceSupportingSignedHttpRequests \
ASP_ROLE_ARN=arn:aws:iam::123456242:role/some-access-role \
ASP_OPEN_ID_AUTH_SERVER_URL="https://your-oauth2-authorization-server/eg/aws/token/" \
ASP_OPEN_ID_CLIENT_ID=your-oauth2-client \
ASP_OPEN_ID_CLIENT_SECRET=someverysecurepassword \
aws-signing-proxy
```
Execute the binary with the required environment variables set:

```shell
# one command: the assignments are passed into the binary's environment
ASP_CREDENTIALS_PROVIDER=irsa \
ASP_TARGET_URL=https://someAWSServiceSupportingSignedHttpRequests \
ASP_ROLE_ARN=arn:aws:iam::123456242:role/some-access-role \
aws-signing-proxy
```

Make sure your `AWS_WEB_IDENTITY_TOKEN_FILE` environment variable is set!
The following configuration parameters are supported (as environment variables):

Parameter | required? | Details | Default |
---|---|---|---|
ASP_TARGET_URL | yes | target url to proxy to (e.g. foo.eu-central-1.es.amazonaws.com) | - |
ASP_PORT | optional | listening port for proxy (e.g. 8080) | 8080 |
ASP_MGMT_PORT | optional | management port for proxy (e.g. 8081) | 8081 |
ASP_SERVICE | optional | AWS Service which is being proxied (e.g. es) | es |
ASP_CREDENTIALS_PROVIDER | yes | either retrieve credentials via OpenID, IRSA, Vault or use local AWS token credentials (by setting AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN). Valid values are: oidc, vault, irsa, awstoken | - |
ASP_ROLE_ARN | yes, if OIDC or IRSA is Credentials Provider | AWS role ARN to assume | - |
ASP_VAULT_URL | yes, if Vault is Credentials Provider | base url of vault (e.g. 'https://foo.vault.invalid') | - |
ASP_VAULT_PATH | yes, if Vault is Credentials Provider | path for credentials (e.g. '/some-aws-engine/creds/some-aws-role') | - |
ASP_VAULT_AUTH_TOKEN | yes, if Vault is Credentials Provider | token for authenticating with vault | - |
ASP_OPEN_ID_AUTH_SERVER_URL | yes, if OIDC is Credentials Provider | the authorization server url | - |
ASP_OPEN_ID_CLIENT_ID | yes, if OIDC is Credentials Provider | OAuth client id | - |
ASP_OPEN_ID_CLIENT_SECRET | yes, if OIDC is Credentials Provider | OAuth client secret | - |
ASP_IRSA_CLIENT_ID | yes, if IRSA is Credentials Provider | IRSA client id | - |
ASP_ASYNC_OPEN_ID_CREDENTIALS_FETCH | optional | whether or not to fetch AWS Credentials via OIDC asynchronously | false |
AWS_REGION | optional | the AWS region to proxy to | eu-central-1 |
ASP_METRICS_PATH | optional | metrics path | /status/metrics |
ASP_FLUSH_INTERVAL | optional | flush interval in seconds to flush to the client while copying the response body | 0s |
ASP_IDLE_CONN_TIMEOUT | optional | the maximum amount of time an idle (keep-alive) connection will remain idle before closing itself. zero means no limit. | 90s |
ASP_DIAL_TIMEOUT | optional | the maximum amount of time a dial will wait for a connect to complete | 30s |
Note that, depending on your choice of credentials provider, certain parameters become mandatory.

If you want to adjust the built-in authorization server circuit breaker, you can set the following environment variables according to your needs. The failure threshold defaults to 5 failed requests until the circuit is opened; the timeout for keeping the circuit open defaults to 60s.

```shell
ASP_CIRCUIT_BREAKER_FAILURE_THRESHOLD=5
ASP_CIRCUIT_BREAKER_TIMEOUT=60s
```
Sometimes it is crucial to have the credentials refreshed in the background to avoid a delay on the first request that has to fetch them. You can enable this feature by setting the environment variable `ASP_ASYNC_OPEN_ID_CREDENTIALS_FETCH` to `true`. It will check every 10 seconds whether the credentials are still valid and refresh them in the background.
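As an added example (not the project's own code) of how the two mechanisms above fit together, the following Go program combines a circuit breaker with the page's two knobs (consecutive-failure threshold and open timeout) with a credential cache that is refreshed in the background before expiry. The `Creds`, `Breaker` and `Provider` types, the refresh margin and the stand-in fetch function are constructed for this example; the real proxy's Vault/OIDC/IRSA call would take the place of `fetch`.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"log"
	"sync"
	"time"
)

// Creds is a short-lived credential set as a Vault/OIDC/IRSA source returns it
// (constructed type for this example).
type Creds struct {
	AccessKeyID, SecretAccessKey, SessionToken string
	Expiry                                      time.Time
}

var ErrCircuitOpen = errors.New("credential source circuit is open")

// Breaker counts consecutive fetch failures; once they reach threshold it
// rejects calls for timeout, then lets one trial call through (half-open).
type Breaker struct {
	mu        sync.Mutex
	threshold int
	timeout   time.Duration
	failures  int
	openedAt  time.Time
	now       func() time.Time // injectable clock for tests
}

func NewBreaker(threshold int, timeout time.Duration) *Breaker {
	return &Breaker{threshold: threshold, timeout: timeout, now: time.Now}
}

func (b *Breaker) Call(fetch func() (Creds, error)) (Creds, error) {
	b.mu.Lock()
	open := b.failures >= b.threshold && b.now().Sub(b.openedAt) < b.timeout
	b.mu.Unlock()
	if open {
		return Creds{}, ErrCircuitOpen // fail fast instead of hammering a sick backend
	}
	c, err := fetch() // the slow network call runs outside the lock
	b.mu.Lock()
	defer b.mu.Unlock()
	if err != nil {
		b.failures++
		if b.failures >= b.threshold {
			b.openedAt = b.now() // (re)open the circuit, also after a failed trial call
		}
		return Creds{}, err
	}
	b.failures = 0 // a success closes the circuit again
	return c, nil
}

// Provider caches credentials and refreshes them margin before expiry, either
// lazily from the request path or from the background loop in RunAsync.
type Provider struct {
	mu      sync.Mutex
	cached  Creds
	fetch   func() (Creds, error)
	breaker *Breaker
	margin  time.Duration
	now     func() time.Time
}

func NewProvider(fetch func() (Creds, error), b *Breaker, margin time.Duration) *Provider {
	return &Provider{fetch: fetch, breaker: b, margin: margin, now: time.Now}
}

func (p *Provider) valid(c Creds) bool {
	return !c.Expiry.IsZero() && p.now().Add(p.margin).Before(c.Expiry)
}

// RefreshIfNeeded fetches only when the cached set is missing or about to
// expire; the lock is held across the fetch so concurrent callers share one.
// On failure it returns the stale set together with the error so the caller
// can decide whether to keep signing with it until it really expires.
func (p *Provider) RefreshIfNeeded() (Creds, error) {
	p.mu.Lock()
	defer p.mu.Unlock()
	if p.valid(p.cached) {
		return p.cached, nil
	}
	c, err := p.breaker.Call(p.fetch)
	if err != nil {
		return p.cached, err
	}
	p.cached = c
	return c, nil
}

// RunAsync re-checks validity every interval (the README uses 10s) until ctx ends,
// so the request path normally never waits for a fetch.
func (p *Provider) RunAsync(ctx context.Context, interval time.Duration) {
	t := time.NewTicker(interval)
	defer t.Stop()
	for {
		if _, err := p.RefreshIfNeeded(); err != nil {
			log.Printf("credential refresh failed: %v", err)
		}
		select {
		case <-ctx.Done():
			return
		case <-t.C:
		}
	}
}

func main() {
	fetch := func() (Creds, error) { // constructed stand-in for a Vault/OIDC/IRSA call
		return Creds{AccessKeyID: "ASIAEXAMPLE", SecretAccessKey: "x", SessionToken: "t", Expiry: time.Now().Add(time.Hour)}, nil
	}
	p := NewProvider(fetch, NewBreaker(5, 60*time.Second), 2*time.Minute)
	ctx, cancel := context.WithCancel(context.Background())
	defer cancel()
	go p.RunAsync(ctx, 10*time.Second)
	c, err := p.RefreshIfNeeded()
	fmt.Println(c.AccessKeyID, c.Expiry.UTC().Format(time.RFC3339), err)
}
```

The breaker protects the credential source, not the proxied service: while it is open, requests fail fast with `ErrCircuitOpen` rather than piling up timeouts against Vault or the token endpoint. Keeping the stale set on a failed refresh is what lets the proxy ride out a short outage of the credential source without dropping traffic, and the background loop means that outage is noticed before the next request needs fresh credentials.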
If you want to alter the default port 8081 for the `/status/health` and `/status/metrics` paths, you can do so by setting the environment variable `ASP_MGMT_PORT` to the port you like. To alter the prometheus metrics path, set the environment variable `ASP_METRICS_PATH`.
You can find the built image at: https://hub.docker.com/r/idealo/aws-signing-proxy
This project is based on https://github.com/cllunsford/aws-signing-proxy which is licensed as follows:
MIT 2018 (c) Chris Lunsford