idealo / aws-signing-proxy
Golang HTTP Reverse Proxy to transparently sign requests to AWS endpoints
Home Page: https://hub.docker.com/r/idealo/aws-signing-proxy/
In some use-cases it might be very convenient to authenticate towards vault via a Kubernetes namespace.
Any Kubernetes Pod has access to an account JSON Web Token (JWT). The token is issued for a service account, if no service account is given, a default account will be created. Anyhow, the token can be found at a specific mount point:
/var/run/secrets/kubernetes.io/serviceaccount/token
The Vault Kubernetes Auth plugin allows configuring access for specific accounts and namespaces. We can leverage this to exchange the Service Account JWT for a Vault Access Token. See: https://www.vaultproject.io/docs/auth/kubernetes
I guess this is obviously a great addition for the aws-signing-proxy Docker image but it might also be useful for the vault-env-cred-provider.
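The token exchange this issue describes, as an added Go example (not code from aws-signing-proxy or vault-env-cred-provider): it reads the projected service-account JWT from the mount point above and posts it to Vault's Kubernetes auth login endpoint. The Vault address, the auth mount name "kubernetes" and the role name are assumptions; the HTTP client is a parameter so the call can be pointed at a test server.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"os"
	"strings"
)

// Mount point of the projected service-account token inside a Pod (from the issue above).
const saTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"
// loginWithKubernetes exchanges a service-account JWT for a Vault client token via
// POST /v1/auth/<mount>/login. mount (usually "kubernetes") and role are whatever was
// configured on the Vault side; the values used in main are assumptions for this example.
func loginWithKubernetes(client *http.Client, vaultAddr, mount, role, jwt string) (string, error) {
	body, _ := json.Marshal(map[string]string{"role": role, "jwt": jwt})
	url := fmt.Sprintf("%s/v1/auth/%s/login", strings.TrimRight(vaultAddr, "/"), mount)
	resp, err := client.Post(url, "application/json", bytes.NewReader(body))
	if err != nil {
		return "", fmt.Errorf("vault login request: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // report only the status; the body may not belong in routine logs
		return "", fmt.Errorf("vault login failed with HTTP %d", resp.StatusCode)
	}
	var out struct { // only client_token from Vault's {"auth": {...}} response is needed here
		Auth struct {
			ClientToken string `json:"client_token"`
		} `json:"auth"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil || out.Auth.ClientToken == "" {
		return "", fmt.Errorf("vault login response carried no usable client_token")
	}
	return out.Auth.ClientToken, nil
}
func main() {
	raw, err := os.ReadFile(saTokenPath) // read fresh on every login, not cached: projected tokens are rotated
	if err == nil {
		// Vault address, auth mount and role name below are placeholders, not values from the project.
		_, err = loginWithKubernetes(http.DefaultClient, "https://vault.example.internal:8200",
			"kubernetes", "aws-signing-proxy", strings.TrimSpace(string(raw)))
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err) // the token itself is never printed or logged
		os.Exit(1)
	}
	fmt.Println("exchanged service-account JWT for a Vault token")
}
```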
Hi,
I set in the docker container (v1.1.0) the env variables:
AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_REGION
(and ASP_TARGET_URL )
but I get "No valid credentials provider given! Valid providers are: oidc, vault"
I would have expected that this would work only with these Environment Variables.
Thanks
As ASP User
I want to have metrics about the ASP usage and timings
So that I can have a transparent overview of the ASP's request timings
Currently it is non-transparent to users how long several tasks take:
The idea is to collect those metrics and expose them in Prometheus format via a /status/metrics or /metrics endpoint
The ASP lacks a ton of tests and according test coverage.
We can't be sure that everything works as expected when a refactoring is done or a new feature is implemented.
Hi,
I need a proxy to Elastic Search (Opensearch) in an EKS.
I want to use this service within a pod (docker image) and a service account
(and the pod annotation to map to an IAM Role)
(See https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html)
Not sure what this means for this tool or if it is possible. Perhaps it is connected to #1
Thanks in advance.
Is your feature request related to a problem? Please describe.
If the proxy can't connect to the OIDC provider, the proxy fails and restarts. This behavior leads to a lot of unspecific crash-loop alarms.
Describe the solution you'd like
If the connection doesn't work, the proxy should retry it with a backoff policy. The failed connection should be logged and provided as a metric that can be collected by Prometheus.
This behavior prevents restarting and offers the possibility to stabilize the connection in between. And for the OIDC provider it is a better behavior than a "DDOS" of requests after the connection is lost.
Additional context
It would be cool if the feature is implemented with a feature toggle, so the behavior is as before, and only if you like you could switch to the new behavior. And it would be great if the backoff interval could be configurable. Thanks. :-)