How to configure this to read AWS ECS task definition role credentials

adobe-apiplatform / api-gateway-aws

AWS SDK for NGINX with Lua

Apache License 2.0

171 stars 44 forks source link

How to configure this to read AWS ECS task definition role credentials #21

Open denis-singh opened 7 years ago

denis-singh commented 7 years ago

Hi, I've got this running in a docker container on ECS. Unfortunately it picks up the AWS credentials for the ECS hosts rather than the task definition role, which is specific to the container. If I configure it to point to the task definition credentials URL, curl 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI it throws an error.

ddragosd commented 7 years ago

Hi @denis-singh can you provide more details on the error, and how the configuration for the new URL was set ?

denis-singh commented 7 years ago

Hi @ddragosd Basically the error is that the application looks for credentials from "/latest/meta-data/iam/security-credentials/" here. This returns the ECS instance role (which is the role applied to the EC2 instance that the nginx container is running on).

AWS ECS has task roles which you can assign to individual docker containers running on the servers: http://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html.

The task role credentials url is "169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI". Wen I set "DEFAULT_SECURITY_CREDENTIALS_URL" to this location, the application errors out saying that it cannot find the correct credentials.

I think its because the first metadata url return the role name whereas the task role url returns the credentials associated with the role, like so:

{ "AccessKeyId": "ACCESS_KEY_ID", "Expiration": "EXPIRATION_DATE", "RoleArn": "TASK_ROLE_ARN", "SecretAccessKey": "SECRET_ACCESS_KEY", "Token": "SECURITY_TOKEN_STRING" }

ddragosd commented 7 years ago

You might make this work, assuming you can configure in NGINX the role assigned to each docker container.

In NGINX config, ensure you expose the ENV VAR to NGINX:

# place this above the http {} block
env AWS_CONTAINER_CREDENTIALS_RELATIVE_URI;

Then in Lua:

      local IamCredentials = require "api-gateway.aws.AWSIAMCredentials"
      local iam = IamCredentials:new({
           security_credentials_host = "169.254.170.2",
           security_credentials_url= os.getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"),
           iam_user="" --leave it empty
      })

If this doesn't work we probably need to implement support for IAM Roles for Tasks in AWSIAMCredentials.lua. When AWS_CONTAINER_CREDENTIALS_RELATIVE_URI variable is available, it should use the provided credentials to make calls to the AWS APIs.