aws-signing-proxy's People

Contributors

andrew-d, bluegaspode, cllunsford, dependabot[bot], hairyhenderson, macat, mariux, phiros, queeno, roechi, theurichde


aws-signing-proxy's Issues

Support Auth Method: Kubernetes

In some use cases it might be very convenient to authenticate towards Vault via a Kubernetes namespace.
Any Kubernetes Pod has access to a service-account JSON Web Token (JWT). The token is issued for a service account; if no service account is given, a default account will be created. Anyhow, the token can be found at a specific mount point:
/var/run/secrets/kubernetes.io/serviceaccount/token

The Vault Kubernetes Auth plugin allows configuring access for specific accounts and namespaces. We can leverage this to exchange the Service Account JWT for a Vault access token. See: https://www.vaultproject.io/docs/auth/kubernetes

I guess this is obviously a great addition for the aws-signing-proxy Docker image, but it might also be useful for the vault-env-cred-provider.
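
The exchange described above, written out as an added example in Go (not code from the aws-signing-proxy project): read the projected service-account JWT, POST it to Vault's Kubernetes auth login endpoint and pull the client token and its TTL out of the response. The mount name `kubernetes`, the role name, the `VAULT_ADDR`/`VAULT_K8S_ROLE` variables and the sample response in the usage note are assumptions for the example, not values the issue gives.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"os"
	"strings"
	"time"
)

// DefaultTokenPath is where Kubernetes projects the pod's service-account JWT.
const DefaultTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"

// loginRequest is the body Vault's Kubernetes auth method expects at
// POST /v1/auth/<mount>/login.
type loginRequest struct {
	Role string `json:"role"`
	JWT  string `json:"jwt"`
}

// loginResponse covers the parts of Vault's reply this example needs.
type loginResponse struct {
	Errors []string `json:"errors"`
	Auth   *struct {
		ClientToken   string   `json:"client_token"`
		Policies      []string `json:"policies"`
		LeaseDuration int      `json:"lease_duration"`
		Renewable     bool     `json:"renewable"`
	} `json:"auth"`
}

// ReadServiceAccountToken reads the projected JWT and sanity-checks its shape
// so a misconfigured volume fails here rather than as a confusing 400 from Vault.
func ReadServiceAccountToken(path string) (string, error) {
	b, err := os.ReadFile(path)
	if err != nil {
		return "", fmt.Errorf("read service account token: %w", err)
	}
	tok := strings.TrimSpace(string(b))
	if strings.Count(tok, ".") != 2 {
		return "", fmt.Errorf("%s does not contain a JWT (expected header.payload.signature)", path)
	}
	return tok, nil
}

// BuildLoginRequest constructs POST {vaultAddr}/v1/auth/{mount}/login.
func BuildLoginRequest(vaultAddr, mount, role, jwt string) (*http.Request, error) {
	if role == "" || jwt == "" {
		return nil, errors.New("vault login: role and jwt are required")
	}
	body, err := json.Marshal(loginRequest{Role: role, JWT: jwt})
	if err != nil {
		return nil, err
	}
	u := strings.TrimRight(vaultAddr, "/") + "/v1/auth/" + strings.Trim(mount, "/") + "/login"
	req, err := http.NewRequest("POST", u, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	return req, nil
}

// ParseLoginResponse extracts the client token and its lease duration.
func ParseLoginResponse(status int, body []byte) (token string, ttl time.Duration, err error) {
	var resp loginResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return "", 0, fmt.Errorf("decode vault response: %w", err)
	}
	if status != http.StatusOK {
		return "", 0, fmt.Errorf("vault login failed (HTTP %d): %s", status, strings.Join(resp.Errors, "; "))
	}
	if resp.Auth == nil || resp.Auth.ClientToken == "" {
		return "", 0, errors.New("vault response carries no client_token")
	}
	return resp.Auth.ClientToken, time.Duration(resp.Auth.LeaseDuration) * time.Second, nil
}

// Login performs the whole exchange: JWT from disk -> Vault token.
func Login(client *http.Client, vaultAddr, mount, role, tokenPath string) (string, time.Duration, error) {
	jwt, err := ReadServiceAccountToken(tokenPath)
	if err != nil {
		return "", 0, err
	}
	req, err := BuildLoginRequest(vaultAddr, mount, role, jwt)
	if err != nil {
		return "", 0, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return "", 0, fmt.Errorf("vault login: %w", err)
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap the body we are willing to parse
	if err != nil {
		return "", 0, err
	}
	return ParseLoginResponse(resp.StatusCode, body)
}

func main() {
	// VAULT_K8S_ROLE is an assumed variable name for this example.
	addr, role := os.Getenv("VAULT_ADDR"), os.Getenv("VAULT_K8S_ROLE")
	client := &http.Client{Timeout: 10 * time.Second}
	_, ttl, err := Login(client, addr, "kubernetes", role, DefaultTokenPath)
	if err != nil {
		fmt.Fprintln(os.Stderr, "vault login:", err)
		os.Exit(1)
	}
	// Never log the token itself; the TTL is what the caller needs to schedule a re-login.
	fmt.Printf("logged in; vault token valid for %s\n", ttl)
}
```

The returned token is a bearer credential: keep it in memory only, schedule a fresh login (or a renew) before `lease_duration` expires, and make sure `VAULT_ADDR` is an `https://` URL, since the JWT travels in the request body.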

Static environment based AWS credentials not working

Hi,

I set the following env variables in the Docker container (v1.1.0):
AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_REGION
(and ASP_TARGET_URL)

but I get "No valid credentials provider given! Valid providers are: oidc, vault"

I would have expected that this would work with only these environment variables.

Thanks

Collect & Expose Usage Metrics via Prometheus

As ASP User
I want to have metrics about the ASP usage and timings
So that I can have a transparent overview of the ASP's request timings

  • Currently it is not transparent to users how long several tasks take:

    • signing a request
    • fetching credentials via vault
    • fetching a JWT token via OIDC
    • fetching credentials via AssumeRoleWebIdentity
  • The idea is to collect those metrics and expose them in Prometheus format via a /status/metrics or /metrics endpoint
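
An added example (not the project's code) of what the metrics endpoint could serve, written in Go with only the standard library: a small histogram per task that renders in the Prometheus text exposition format, so the cumulative `le` buckets, `_sum` and `_count` come out in the shape `histogram_quantile()` expects. The metric name `asp_task_duration_seconds` and the `task` label are assumptions for the example.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"sort"
	"strconv"
	"strings"
	"sync"
	"time"
)

// Histogram is a minimal Prometheus-style histogram for one task: cumulative
// "le" buckets plus _sum and _count, which is what the text format requires.
type Histogram struct {
	mu     sync.Mutex
	name   string
	help   string
	labels string    // constant labels, e.g. `task="sign_request"`
	bounds []float64 // upper bounds in seconds, ascending
	counts []uint64  // per-bucket counts; index len(bounds) is the +Inf bucket
	sum    float64
	count  uint64
}

func NewHistogram(name, help, labels string, bounds []float64) *Histogram {
	b := append([]float64(nil), bounds...)
	sort.Float64s(b)
	return &Histogram{name: name, help: help, labels: labels, bounds: b, counts: make([]uint64, len(b)+1)}
}

// Observe records one duration in seconds.
func (h *Histogram) Observe(seconds float64) {
	h.mu.Lock()
	defer h.mu.Unlock()
	// First bound >= seconds: a value equal to a bound belongs to that bucket ("le").
	h.counts[sort.SearchFloat64s(h.bounds, seconds)]++
	h.sum += seconds
	h.count++
}

// Time measures fn, e.g. signHist.Time(func() { signRequest(r) }).
func (h *Histogram) Time(fn func()) {
	start := time.Now()
	fn()
	h.Observe(time.Since(start).Seconds())
}

func (h *Histogram) Count() uint64 { h.mu.Lock(); defer h.mu.Unlock(); return h.count }
func (h *Histogram) Sum() float64  { h.mu.Lock(); defer h.mu.Unlock(); return h.sum }

// labelSet joins the constant labels with an optional extra label into {…}.
func (h *Histogram) labelSet(extra string) string {
	var parts []string
	if h.labels != "" {
		parts = append(parts, h.labels)
	}
	if extra != "" {
		parts = append(parts, extra)
	}
	if len(parts) == 0 {
		return ""
	}
	return "{" + strings.Join(parts, ",") + "}"
}

// Render emits the histogram in Prometheus text exposition format.
func (h *Histogram) Render() string {
	h.mu.Lock()
	defer h.mu.Unlock()
	f := func(v float64) string { return strconv.FormatFloat(v, 'g', -1, 64) }
	var b strings.Builder
	fmt.Fprintf(&b, "# HELP %s %s\n# TYPE %s histogram\n", h.name, h.help, h.name)
	var cum uint64
	for i, bound := range h.bounds {
		cum += h.counts[i] // buckets are cumulative: each includes every smaller bucket
		fmt.Fprintf(&b, "%s_bucket%s %d\n", h.name, h.labelSet(`le="`+f(bound)+`"`), cum)
	}
	cum += h.counts[len(h.bounds)]
	fmt.Fprintf(&b, "%s_bucket%s %d\n", h.name, h.labelSet(`le="+Inf"`), cum)
	fmt.Fprintf(&b, "%s_sum%s %s\n%s_count%s %d\n", h.name, h.labelSet(""), f(h.sum), h.name, h.labelSet(""), h.count)
	return b.String()
}

// Registry serves every histogram at one endpoint. Mount it on a separate
// admin listener rather than the proxied port, so request timings are not
// readable by everyone who can reach the signing proxy.
type Registry struct{ Histograms []*Histogram }

func (r *Registry) ServeHTTP(w http.ResponseWriter, _ *http.Request) {
	w.Header().Set("Content-Type", "text/plain; version=0.0.4; charset=utf-8")
	for _, h := range r.Histograms {
		io.WriteString(w, h.Render())
	}
}
```

Wiring it up is one histogram per task from the list above (`sign_request`, `vault_credentials`, `oidc_token`, `assume_role_web_identity`) sharing the metric name and differing only in the `task` label, registered with `http.Handle("/metrics", &Registry{...})` on the admin listener.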

Missing Test Coverage

The ASP lacks a ton of tests and the corresponding test coverage.
We can't be sure that everything works as expected when a refactoring is done or a new feature is implemented.

  • At minimum, we should have an integration test to verify that incoming requests are signed properly, either with vault or oidc as credentials provider
  • Proper interfaces are used to mock AWS / Vault / OIDC interaction
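
Both issues above, the one expecting static credentials from the AWS environment variables and this one asking for a test that incoming requests are signed properly, come down to the same thing: a Signature Version 4 signer with credentials injected through an interface-free value type. The following is an added example in Go using only the standard library, not the project's own signer. `CredentialsFromEnv` reads the standard `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` / `AWS_SESSION_TOKEN` variables; the access key, secret and request in the usage note are constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/url"
	"os"
	"sort"
	"strings"
	"time"
)

// Credentials are static AWS credentials; a test can construct them directly,
// the proxy would fill them from the environment.
type Credentials struct {
	AccessKeyID, SecretAccessKey, SessionToken string
}

func CredentialsFromEnv() (Credentials, error) {
	c := Credentials{
		AccessKeyID:     os.Getenv("AWS_ACCESS_KEY_ID"),
		SecretAccessKey: os.Getenv("AWS_SECRET_ACCESS_KEY"),
		SessionToken:    os.Getenv("AWS_SESSION_TOKEN"),
	}
	if c.AccessKeyID == "" || c.SecretAccessKey == "" {
		return Credentials{}, fmt.Errorf("AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY must both be set")
	}
	return c, nil
}

func hmacSHA256(key []byte, data string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(data))
	return m.Sum(nil)
}

func sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// SigV4 wants RFC 3986 escaping (space as %20, not +).
func sigv4Escape(s string) string { return strings.ReplaceAll(url.QueryEscape(s), "+", "%20") }

// canonicalQuery sorts parameters by name, then value, and escapes both.
func canonicalQuery(q url.Values) string {
	keys := make([]string, 0, len(q))
	for k := range q {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var parts []string
	for _, k := range keys {
		vals := append([]string(nil), q[k]...)
		sort.Strings(vals)
		for _, v := range vals {
			parts = append(parts, sigv4Escape(k)+"="+sigv4Escape(v))
		}
	}
	return strings.Join(parts, "&")
}

// SigningKey derives the per-day key; the long-term secret is never used on a
// request directly, only this derivation of it.
func SigningKey(secret, date, region, service string) []byte {
	k := hmacSHA256([]byte("AWS4"+secret), date)
	k = hmacSHA256(k, region)
	k = hmacSHA256(k, service)
	return hmacSHA256(k, "aws4_request")
}

// CanonicalRequest signs host, x-amz-date and, if present, the session token.
// (Path segments are taken as-is; non-S3 services expect them double-encoded.)
func CanonicalRequest(r *http.Request, payloadHash string) (canonical, signedHeaders string) {
	headers := map[string]string{"host": r.Host, "x-amz-date": r.Header.Get("X-Amz-Date")}
	if tok := r.Header.Get("X-Amz-Security-Token"); tok != "" {
		headers["x-amz-security-token"] = tok
	}
	names := make([]string, 0, len(headers))
	for n := range headers {
		names = append(names, n)
	}
	sort.Strings(names)
	var ch strings.Builder
	for _, n := range names {
		ch.WriteString(n + ":" + strings.TrimSpace(headers[n]) + "\n")
	}
	signedHeaders = strings.Join(names, ";")
	path := r.URL.EscapedPath()
	if path == "" {
		path = "/"
	}
	canonical = strings.Join([]string{r.Method, path, canonicalQuery(r.URL.Query()), ch.String(), signedHeaders, payloadHash}, "\n")
	return canonical, signedHeaders
}

// SignRequest sets X-Amz-Date (and the token header) on r and returns the
// Authorization value it also sets. now is injected so tests are deterministic.
func SignRequest(r *http.Request, creds Credentials, region, service string, now time.Time, payload []byte) string {
	amzDate := now.UTC().Format("20060102T150405Z")
	date := amzDate[:8]
	r.Header.Set("X-Amz-Date", amzDate)
	if creds.SessionToken != "" {
		r.Header.Set("X-Amz-Security-Token", creds.SessionToken)
	}
	canonical, signedHeaders := CanonicalRequest(r, sha256Hex(payload))
	scope := strings.Join([]string{date, region, service, "aws4_request"}, "/")
	stringToSign := strings.Join([]string{"AWS4-HMAC-SHA256", amzDate, scope, sha256Hex([]byte(canonical))}, "\n")
	sig := hex.EncodeToString(hmacSHA256(SigningKey(creds.SecretAccessKey, date, region, service), stringToSign))
	auth := fmt.Sprintf("AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s", creds.AccessKeyID, scope, signedHeaders, sig)
	r.Header.Set("Authorization", auth)
	return auth
}
```

For the integration test the issue asks for, the useful assertions are on `CanonicalRequest` (it is plain text, so a wrong header order or an unsorted query shows up as a readable diff) and on the `Credential`/`SignedHeaders` parts of the header; a fixed clock makes the whole signature reproducible. S3 differs from the other services (it requires the `x-amz-content-sha256` header and single-encoded paths), so a proxy in front of S3 needs those two adjustments.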

File Logging

Current behaviour

  • The ASP logs to stdout, which makes it difficult to collect the log messages and persist them in my log viewer of choice

Wanted behaviour

  • Write log messages to a specific file
    • have the target file configurable
    • (optional) in json format
  • (optional) support logging to stdout & file

[feature] If the connection to the OIDC provider is lost, use a backoff policy instead of restarting

Is your feature request related to a problem? Please describe.
If the proxy cannot connect to the OIDC provider, the proxy fails and restarts. This behavior leads to a lot of unspecific crash-loop alarms.

Describe the solution you'd like
If the connection doesn't work, the proxy should retry it with a backoff policy. The failed connection should be logged and provided as a metric that can be collected by Prometheus.
This behavior prevents restarting and offers the possibility to stabilize the connection in between. And for the OIDC provider it is better behavior than a "DDoS" of requests after the connection is lost.

Additional context
It would be cool if the feature were implemented with a feature toggle, so the behavior is as before, and only if you like you could switch to the new behavior. And it would be great if the backoff interval could be configurable. Thanks. :-)
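
The behaviour this request describes, as an added example in Go (not the project's code): capped exponential backoff with optional full jitter, a feature toggle that preserves the old fail-fast behaviour, a configurable initial interval and a failure counter a metrics exporter could expose. The type and function names, the `OIDCConnectFailures` counter and the constructed flaky connection in `main` are assumptions for the example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"log"
	"math"
	"math/rand"
	"sync/atomic"
	"time"
)

// OIDCConnectFailures counts failed connection attempts. A Prometheus
// exporter (not part of this example) would publish it as a counter.
var OIDCConnectFailures atomic.Int64

// ErrBackoffExhausted wraps the last connection error once MaxRetries is reached.
var ErrBackoffExhausted = errors.New("backoff: retries exhausted")

// BackoffPolicy is exponential backoff with a cap. Enabled is the feature
// toggle: when false the first error is returned immediately, which is the
// old fail-and-restart behaviour.
type BackoffPolicy struct {
	Enabled    bool
	Initial    time.Duration // configurable base interval
	Max        time.Duration // cap on a single wait
	Multiplier float64
	MaxRetries int  // 0 means retry until the context is cancelled
	Jitter     bool // spread retries so many proxies do not retry in lockstep
}

// Delay returns the wait before retrying after the given 0-based attempt.
func (p BackoffPolicy) Delay(attempt int) time.Duration {
	d := float64(p.Initial) * math.Pow(p.Multiplier, float64(attempt))
	if d > float64(p.Max) {
		d = float64(p.Max)
	}
	if p.Jitter {
		d = rand.Float64() * d // full jitter: uniform in [0, d]
	}
	return time.Duration(d)
}

// sleepCtx waits for d unless the context ends first.
func sleepCtx(ctx context.Context, d time.Duration) error {
	select {
	case <-ctx.Done():
		return ctx.Err()
	case <-time.After(d):
		return nil
	}
}

// ConnectWithBackoff calls connect until it succeeds, the policy gives up or
// ctx ends. It returns the number of attempts made. wait is injectable so a
// test can run without sleeping; nil selects sleepCtx.
func ConnectWithBackoff(ctx context.Context, p BackoffPolicy, connect func(context.Context) error,
	wait func(context.Context, time.Duration) error) (int, error) {
	if wait == nil {
		wait = sleepCtx
	}
	for attempt := 0; ; attempt++ {
		err := connect(ctx)
		if err == nil {
			return attempt + 1, nil
		}
		OIDCConnectFailures.Add(1)
		if !p.Enabled {
			return attempt + 1, err // toggle off: old behaviour, caller exits and gets restarted
		}
		if p.MaxRetries > 0 && attempt+1 >= p.MaxRetries {
			return attempt + 1, fmt.Errorf("%w after %d attempts: %v", ErrBackoffExhausted, attempt+1, err)
		}
		d := p.Delay(attempt)
		log.Printf("oidc connect attempt %d failed: %v; retrying in %s", attempt+1, err, d)
		if werr := wait(ctx, d); werr != nil {
			return attempt + 1, werr
		}
	}
}

func main() {
	// Constructed demo: the "provider" becomes reachable on the third attempt.
	calls := 0
	flaky := func(context.Context) error {
		calls++
		if calls < 3 {
			return errors.New("dial tcp: connection refused")
		}
		return nil
	}
	p := BackoffPolicy{Enabled: true, Initial: 500 * time.Millisecond, Max: 30 * time.Second, Multiplier: 2, MaxRetries: 10, Jitter: true}
	n, err := ConnectWithBackoff(context.Background(), p, flaky, nil)
	fmt.Printf("attempts=%d err=%v failures=%d\n", n, err, OIDCConnectFailures.Load())
}
```

With `Initial` 500 ms, `Multiplier` 2 and `Max` 30 s the waits grow 0.5, 1, 2, 4, 8, 16, 30, 30 ... seconds, so a provider outage of a few minutes costs a handful of requests instead of a crash loop; leaving `MaxRetries` at 0 and cancelling the context on shutdown is the usual choice for a long-running proxy.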
