Comments (6)
@leptitchriss I only use it once in a while in limited sessions, never had them expire.
malade ton nickname 😆
from aws-es-proxy.
Check out #1
from aws-es-proxy.
I wasn't able to make it work OOTB either. It probably supports simple profiles, but it doesn't seem to support Assume Roles embedded into profiles. You gotta do the assume role yourself and then output the environment variables for aws-es-proxy to use.
Here's the script I used, hope it can be useful to someone else:
import boto3
from subprocess import run, PIPE
sts = boto3.Session(profile_name='profile_name').client('sts')
creds = sts.assume_role(RoleSessionName='anything_goes',
RoleArn='arn:aws:iam::ACCOUNTID:role/ROLE_TO_ASSUME',
DurationSeconds=4*60*60)['Credentials']
proxy_args = ['./aws-es-proxy',
'-endpoint', 'https://my-aws-es-cluster.region.es.amazonaws.com',
'-verbose',
'-pretty']
proxy_enviroment = {
'AWS_ACCESS_KEY_ID': creds['AccessKeyId'],
'AWS_SECRET_ACCESS_KEY': creds['SecretAccessKey'],
'AWS_SESSION_TOKEN': creds['SessionToken']
}
proxy = run(proxy_args, env=proxy_enviroment, stdout=PIPE)
from aws-es-proxy.
Hi,
The ask for a '-profile' option has been raised multiple times. I see that most of the requests come when assume role is being used. I will work on this in the coming days and find a way to better support assuming roles and using different profiles.
Thanks,
from aws-es-proxy.
If it can help, here a snippet from one of my tool for AWS :
// Arguments
region := flag.String("region", "eu-west-1", "AWS region")
profile := flag.String("profile", "default", "Profile from ~/.aws/config")
flag.Parse()
// Create session (credentials from ~/.aws/config)
sess := session.Must(session.NewSessionWithOptions(session.Options{
SharedConfigState: session.SharedConfigEnable, //enable use of ~/.aws/config
AssumeRoleTokenProvider: stscreds.StdinTokenProvider, //ask for MFA if needed
Profile: string(*profile),
Config: aws.Config{Region: aws.String(*region)},
}))
Regards,
from aws-es-proxy.
I wasn't able to make it work OOTB either. It probably supports simple profiles, but it doesn't seem to support Assume Roles embedded into profiles. You gotta do the assume role yourself and then output the environment variables for aws-es-proxy to use.
Here's the script I used, hope it can be useful to someone else:
import boto3 from subprocess import run, PIPE sts = boto3.Session(profile_name='profile_name').client('sts') creds = sts.assume_role(RoleSessionName='anything_goes', RoleArn='arn:aws:iam::ACCOUNTID:role/ROLE_TO_ASSUME', DurationSeconds=4*60*60)['Credentials'] proxy_args = ['./aws-es-proxy', '-endpoint', 'https://my-aws-es-cluster.region.es.amazonaws.com', '-verbose', '-pretty'] proxy_enviroment = { 'AWS_ACCESS_KEY_ID': creds['AccessKeyId'], 'AWS_SECRET_ACCESS_KEY': creds['SecretAccessKey'], 'AWS_SESSION_TOKEN': creds['SessionToken'] } proxy = run(proxy_args, env=proxy_enviroment, stdout=PIPE)
@jonapich I know your post is over a year old and the project has been updated since, but I'm running into a very similar problem as you dealing with Assumed Roles and have implemented a very similar solution. What happens to your process once the session token expires? I'm considering going with this approach and simply refreshing the session credentials and restarting the proxy each time but it does not seem as elegant as I would have liked.
@abutaha on a side note, the proxy credentials don't seem to pick up the AWS_SESSION_TOKEN
in the ~/.aws/credentials
file for the default profile. Is that something that can be added? This way we would be able to simply update the temporary credentials provided by the Assume Role call (via aws cli, boto3, or other) and the proxy would simply update itself with the new credentials without having to worry about updating environment variables for a running process.
Aside from that, thank you for your hard work, this project solves a very niche problem that I'm surprised AWS hasn't tackled themselves...
Let me know what you think!
from aws-es-proxy.
Related Issues (20)
- Feature request: endpoint IP and port config
- Allowing securitytenant header HOT 2
- Received 403 from AWSAuth, invalidating credentials for retrial... /_bulk?timeout=1m; ; 403; 0.210s HOT 3
- Missing osd-version, osd-xsrf passthrough in headers HOT 10
- Got 404 error when try to access Notebooks by http://opensearch.aws.com/_plugin/kibana/app/opendistro-notebooks-kibana#/
- API request to Kibana not including osd-xsrf header HOT 1
- 4 CRITICAL, 29 HIGH, 13 MEDIUM, 3 LOW, 5 UNKNOWN CVEs on latest image HOT 2
- `go.sum` is missing HOT 2
- AOSS gw-helper-deny HOT 1
- We are having performance issue in Elasticsearch/Kibana after migrating to another server host. HOT 4
- Log JWT token in headers returned from AWS Cognito HOT 1
- Method for terminating the proxy remotely
- Getting net/http: TLS handshake timeout while accessing AWS managed Elasticsearch service HOT 1
- Using aws-es-proxy in conjunction with elasticdump HOT 2
- Certificate validation fails for CNAME record HOT 1
- AWS ES Custom Endpoint does not work with AWS SignV4
- New release, update Docker container? HOT 7
- aws-es-proxy works in HTTPS?
- 400 status when _plugin/kibana/api/v1/multitenancy/tenant HOT 1
- CORS preflight requests fail if basic auth is in use on the proxy HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from aws-es-proxy.