THIS PROJECT HAS BEEN MOVED TO https://github.com/idealo/aws-signing-proxy
A transparent proxy which forwards and signs http requests to AWS services.
Supported AWS credentials:
- Static environment based AWS credentials
- AWS credential files
- Fetching short-lived credentials from a vault set up with an AWS secrets engine & sts-assumerole
For ready-to-use binaries have a look at releases. Additionally, we provide a Docker image which can be used both in a test setup and as a sidecar in Kubernetes.
In addition to the proxy you may also use vault-env-cred-provider as a credential provider for AWS tooling.
❗NOTE: the provided pre-built macOS binaries might fail with name resolution issues on your Apple machine if you are using a (corporate) VPN. This will not occur on Linux/Windows/Docker. If you are affected: either use the provided Docker image or build the binaries on your machine.
- Change directory to cmd/aws-signing-proxy
- Run go build
- Change directory to cmd/vault-env-cred-provider
- Run go build
Execute the binary with the required environment variables set as prefixes of the same command, so that they are passed into the environment of the proxy process:
ASP_VAULT_AUTH_TOKEN=someTokenWhichAllowsYouToAccessVault \
ASP_VAULT_URL=https://vault.url.invalid \
ASP_TARGET_URL=https://someAWSServiceSupportingSignedHttpRequests \
ASP_SERVICE=s3 \
AWS_REGION=eu-central-1 \
ASP_VAULT_CREDENTIALS_PATH=/an-aws-engine-in-vault/creds/a-role-defined-aws \
aws-signing-proxy
vault-env-cred-provider can be used as a credential provider for AWS tooling. Setting it up is a two-step process:
- Export the required env variables:
export ASP_VAULT_AUTH_TOKEN=someTokenWhichAllowsYouToAccessVault
export ASP_VAULT_URL=https://vault.url.invalid
export ASP_VAULT_CREDENTIALS_PATH=/an-aws-engine-in-vault/creds/a-role-defined-aws
- Create an AWS config file with the following contents:
[profile some-aws-profile-name]
credential_process = /path/to/vault-env-cred-provider
- Use the AWS CLI or SDK with this profile name, e.g. some-aws-profile-name.
Note that:
- You may name the AWS profile default so that you don't need to specify which profile to use when using the AWS SDK/CLI.
- There is no need to specify AWS_ACCESS_KEY_ID etc.
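What a credential_process helper has to hand back to the AWS CLI/SDK, shown as an added example that is not taken from this project's source: it maps a response from a Vault AWS secrets engine to the credential_process JSON document and refuses credentials that carry no session token or lease. The function and type names are hypothetical, the sample response is constructed, and deriving the expiry from lease_duration is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// vaultSecret holds the fields read from a Vault AWS secrets engine response.
type vaultSecret struct {
	LeaseDuration int `json:"lease_duration"` // seconds
	Data          struct {
		AccessKey     string `json:"access_key"`
		SecretKey     string `json:"secret_key"`
		SecurityToken string `json:"security_token"`
	} `json:"data"`
}

// processCreds is the credential_process output; field names equal the JSON keys.
type processCreds struct {
	Version                                                int
	AccessKeyId, SecretAccessKey, SessionToken, Expiration string
}

// toProcessCreds converts a Vault response body into credential_process JSON.
// It fails closed: long-lived keys (no session token or no lease) are rejected.
func toProcessCreds(body []byte, now time.Time) ([]byte, error) {
	var s vaultSecret
	if err := json.Unmarshal(body, &s); err != nil {
		return nil, fmt.Errorf("decode vault response: %w", err)
	}
	d := s.Data
	if d.AccessKey == "" || d.SecretKey == "" || d.SecurityToken == "" || s.LeaseDuration <= 0 {
		return nil, fmt.Errorf("refusing incomplete or non-expiring credentials")
	}
	exp := now.Add(time.Duration(s.LeaseDuration) * time.Second).UTC()
	return json.Marshal(processCreds{1, d.AccessKey, d.SecretKey,
		d.SecurityToken, exp.Format(time.RFC3339)})
}

// sample is a constructed response with placeholder values, not real credentials.
const sample = `{"lease_duration":900,"data":{"access_key":"ASIAEXAMPLE","secret_key":"constructed-secret","security_token":"constructed-token"}}`

func main() {
	out, err := toProcessCreds([]byte(sample), time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
}
```

Because the output carries an Expiration, AWS tooling runs the helper again once the credentials lapse, so only short-lived credentials are ever handed out.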
You can find the built image at: https://hub.docker.com/repository/docker/roechi/aws-signing-proxy
Make sure to provide all required ENV variables (ASP_VAULT_AUTH_TOKEN, ASP_VAULT_URL, ASP_TARGET_URL, ASP_SERVICE, AWS_REGION, ASP_VAULT_CREDENTIALS_PATH).
This project is based on https://github.com/cllunsford/aws-signing-proxy which is licensed as follows:
MIT 2018 (c) Chris Lunsford