Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/cllunsford/aws-signing-proxy
Golang http proxy to transparently sign requests to AWS endpoints
Last synced: about 2 months ago
- Host: GitHub
- URL: https://github.com/cllunsford/aws-signing-proxy
- Owner: cllunsford
- Created: 2016-01-12T13:31:15.000Z (about 9 years ago)
- Default Branch: master
- Last Pushed: 2024-01-16T10:53:02.000Z (12 months ago)
- Last Synced: 2024-08-03T17:12:15.304Z (5 months ago)
- Topics: aws-elasticsearch, signed-requests
- Language: Go
- Homepage: https://hub.docker.com/r/cllunsford/aws-signing-proxy/
- Size: 35.2 KB
- Stars: 149
- Watchers: 3
- Forks: 53
- Open Issues: 9
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-network-stuff - **120** stars
README
aws-signing-proxy
=================
[![Build Status](https://travis-ci.org/cllunsford/aws-signing-proxy.svg?branch=master)](https://travis-ci.org/cllunsford/aws-signing-proxy)

aws-signing-proxy is a proxy service, written in Go, for automatically signing requests made to AWS endpoints. It leverages the aws-sdk-go library to sign requests to arbitrary URLs in AWS. I wrote it to connect a Kibana instance to an AWS Elasticsearch cluster using an IAM role instead of hard-coding IPs in the access policy. Other uses may exist.

Docker image: https://hub.docker.com/r/cllunsford/aws-signing-proxy/
## Usage
```
export AWS_ACCESS_KEY_ID=
export AWS_SECRET_ACCESS_KEY=
export AWS_REGION=
export AWS_PROFILE= # Optional
./aws-signing-proxy -target https://search-my-cluster.us-west-2.es.amazonaws.com [-port 8080] [-service es]
```

### Flags

General:
* `-target` - AWS service to send requests to. Required.
* `-port` - Port for the proxy to LISTEN on (will forward to whatever port you specify in target), default: `8080`.
* `-service` - The AWS service type you are sending to, default: `es`. This is required for the signing process.

HTTP Connection Tuning:
* `-flush-interval` - [ReverseProxy](https://golang.org/pkg/net/http/httputil/#ReverseProxy) FlushInterval, default: `0`
* `-idle-conn-timeout` - [Transport](https://golang.org/pkg/net/http/#Transport) Idle Connection Timeout, default: `90s`
* `-dial-timeout` - [Transport](https://golang.org/pkg/net/http/#Transport) Dial Timeout, default: `30s`

### Credential chain

AWS credentials are looked up in the following order:
1. Environment variables accessible to the app
2. The `~/.aws/credentials` config file's default profile
3. Any [IAM instance profile role](http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html) assigned to the instance.

## Building

If you have Go installed, you can build and install the binary natively:
```
go install
```

The Makefile is used for the production build in Travis. It builds the binary in a [docker](https://docs.docker.com/install/) container. After installing docker:
```
make gobuild   # creates the binary
make dockbuild # creates a docker image with the binary
# or
make build     # does both
```

## Notes, Tips

### Signature Expired
If you see:
`{"message":"Signature expired: 20160415T172935Z is now earlier than 20160415T174424Z (20160415T174924Z - 5 min.)"}`
verify that the clock/time is in sync on the proxy host.
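
To size the drift from the error itself, this added Go example (not part of aws-signing-proxy) parses the timestamps in the message quoted above. The function name `ClockLag` and the reading of the timestamps (first: request signing time; third: endpoint's current time) are assumptions drawn from that sample message.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// SigV4 timestamps are printed in ISO 8601 basic format, UTC.
const sigV4Time = "20060102T150405Z"

// Assumed shape, taken from the sample in the README:
// "Signature expired: <signed> is now earlier than <cutoff> (<endpoint now> - 5 min.)"
var expiredRe = regexp.MustCompile(
	`Signature expired: (\d{8}T\d{6}Z) is now earlier than (\d{8}T\d{6}Z) \((\d{8}T\d{6}Z) - `)

// ClockLag (hypothetical helper) returns how far the signing timestamp trails
// the endpoint's clock. The value also includes request transit time, so treat
// it as an upper bound on the proxy host's clock drift.
func ClockLag(body string) (time.Duration, error) {
	m := expiredRe.FindStringSubmatch(body)
	if m == nil {
		return 0, fmt.Errorf("not a 'Signature expired' message")
	}
	signed, err := time.Parse(sigV4Time, m[1])
	if err != nil {
		return 0, fmt.Errorf("bad signing timestamp: %w", err)
	}
	endpointNow, err := time.Parse(sigV4Time, m[3])
	if err != nil {
		return 0, fmt.Errorf("bad endpoint timestamp: %w", err)
	}
	return endpointNow.Sub(signed), nil
}

func main() {
	// Error body quoted in the README section above.
	body := `{"message":"Signature expired: 20160415T172935Z is now earlier than 20160415T174424Z (20160415T174924Z - 5 min.)"}`
	lag, err := ClockLag(body)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("signing clock is %s behind the endpoint\n", lag)
}
```
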
### Kibana Forbidden index write
For AWS Elasticsearch, the built-in Kibana populates the `.kibana` index. If you see:
`ClusterBlockException[blocked by: [FORBIDDEN/8/index write (api)];]`
try changing the Kibana index setting to use a different index. The [marcbachmann/kibana4](https://github.com/marcbachmann/dockerfile-kibana4) docker image allows you to change this easily by setting the `KIBANA_INDEX` environment variable.

## License
MIT 2018 (c) Chris Lunsford