
Credentials that required AWS_SESSION_TOKEN don't work.

Open mostrows2 opened this issue 8 years ago • 5 comments

I'm using temporary credentials acquired via "assume role". I need to include AWS_SESSION_TOKEN as part of the credentials I use. This patch works for me.

0001-Support-optional-AWS_SESSION_TOKEN.patch.txt

mostrows2 avatar May 28 '16 22:05 mostrows2

The better way to fix this is by simply including all the x-amz- headers for signing

anomalizer avatar Jun 21 '16 13:06 anomalizer

@anomalizer can you be more specific with how you would prefer for this to be done? ngx_aws_auth__canonize_headers pieces together the x-amz- headers from its arguments.

I would like to see this issue fixed in master, but don't particularly care if the above patch is merged or something else is done instead.

philsnow avatar Sep 30 '16 19:09 philsnow

👍

bigkraig avatar Feb 28 '17 21:02 bigkraig

@anomalizer do you have a solution for this already? I'm facing this problem as well.

universam1 avatar Oct 27 '17 08:10 universam1

I've revived this patch and can confirm it works: https://github.com/asottile/ngx_aws_auth/commit/768e8b6efec3a53b25ab7317ab49048a24766f81

I'm seeding this information using the aws metadata service:

import base64
import datetime
import hashlib
import hmac
import json
import os
import urllib.request
from typing import Optional, Sequence, Tuple

# Instance-role credentials (access key, secret key and session token) are
# served by the EC2 instance metadata service under the role name.
URL = 'http://169.254.169.254/latest/meta-data/iam/security-credentials/{}'
TMPL = '''\
daemon off;
pid {pidfile};
error_log /dev/stdout;
worker_processes 4;
events {{
    worker_connections 1024;
}}

http {{
    access_log /dev/stdout;

    server {{
        listen 8000;

        aws_access_key {access_key};
        aws_key_scope {scope};
        aws_security_token {token};
        aws_signing_key {key};

        location / {{
            aws_s3_bucket ...;
            aws_sign;
            proxy_pass https://....s3.amazonaws.com;
        }}
    }}
}}
'''


# https://github.com/anomalizer/ngx_aws_auth/blob/master/generate_signing_key
def scope_and_signature(secret_key: str) -> Tuple[str, str]:
    """Derive today's SigV4 signing key (base64, as nginx expects) and its scope."""
    k = f'AWS4{secret_key}'.encode()
    dt = datetime.datetime.utcnow().date().strftime('%Y%m%d')
    scope = f'{dt}/us-east-1/s3/aws4_request'
    # kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")
    for v in scope.split('/'):
        k = hmac.new(k, v.encode(), hashlib.sha256).digest()
    return scope, base64.b64encode(k).decode()


def main(argv: Optional[Sequence[str]] = None) -> int:
    ...
    # IAM_ROLE has the form "<role-name>@..."; only the role name is needed here.
    role_name, _, _ = os.environ['IAM_ROLE'].partition('@')
    resp = json.loads(urllib.request.urlopen(URL.format(role_name)).read())

    # 'Token' is the session token that goes into aws_security_token.
    access_key, token = resp['AccessKeyId'], resp['Token']
    scope, key = scope_and_signature(resp['SecretAccessKey'])

    cfg = TMPL.format(
        pidfile=args.pidfile,  # `args` comes from the argument parsing elided above
        access_key=access_key, scope=scope, key=key, token=token,
    )

    ...

asottile avatar Jun 29 '18 18:06 asottile
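To make concrete what "including all the x-amz- headers for signing" means, here is an added example (not code from this thread or from the ngx_aws_auth module) of a minimal SigV4 signer for an S3 GET that binds x-amz-security-token into the signed headers whenever a session token is present. It assumes a pre-encoded path, no query string, an empty body, and uses constructed placeholder credentials.

```python
import datetime
import hashlib
import hmac
from typing import Dict, Optional

ALGO = 'AWS4-HMAC-SHA256'


def signing_key(secret_key: str, scope: str) -> bytes:
    """Derive kSigning by chaining HMAC-SHA256 over date/region/service/aws4_request."""
    k = f'AWS4{secret_key}'.encode()
    for part in scope.split('/'):
        k = hmac.new(k, part.encode(), hashlib.sha256).digest()
    return k


def sign_s3_get(host: str, path: str, region: str, access_key: str, secret_key: str,
                session_token: Optional[str], now: datetime.datetime) -> Dict[str, str]:
    """Return the request headers for a SigV4-signed S3 GET with an empty body."""
    amz_date = now.strftime('%Y%m%dT%H%M%SZ')
    scope = f'{now.strftime("%Y%m%d")}/{region}/s3/aws4_request'
    payload_hash = hashlib.sha256(b'').hexdigest()
    headers = {'host': host, 'x-amz-content-sha256': payload_hash, 'x-amz-date': amz_date}
    # Temporary credentials carry the token as x-amz-security-token, and that header
    # must be part of the canonical request; a token sent unsigned is rejected by S3.
    if session_token:
        headers['x-amz-security-token'] = session_token
    # Canonical headers: lowercase names, sorted, each terminated by '\n'.
    signed_headers = ';'.join(sorted(headers))
    canonical_headers = ''.join(f'{k}:{headers[k]}\n' for k in sorted(headers))
    canonical_request = '\n'.join(['GET', path, '', canonical_headers, signed_headers, payload_hash])
    string_to_sign = '\n'.join([ALGO, amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    signature = hmac.new(signing_key(secret_key, scope), string_to_sign.encode(),
                         hashlib.sha256).hexdigest()
    headers['authorization'] = (f'{ALGO} Credential={access_key}/{scope}, '
                                f'SignedHeaders={signed_headers}, Signature={signature}')
    return headers


if __name__ == '__main__':
    # Constructed placeholder credentials; real ones come from the metadata service.
    when = datetime.datetime(2018, 6, 29, 18, 0, 0, tzinfo=datetime.timezone.utc)
    for k, v in sign_s3_get('example-bucket.s3.amazonaws.com', '/object.txt', 'us-east-1',
                            'AKIAEXAMPLE0000', 'example-secret-key',
                            'CONSTRUCTED-SESSION-TOKEN', when).items():
        print(f'{k}: {v}')
```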