From 0aab6eca2edc8e507465c44ec4433de59063e3d7 Mon Sep 17 00:00:00 2001
From: KensoDev
Date: Thu, 16 Mar 2017 13:55:54 -0700
Subject: [PATCH 1/2] Add support for getting ECS style authentication When running `Credstash` inside ECS as a docker container, the authentication is being "injected" as an assumed role. This PR adds support for checking whether the context the task is being ran in is ECS, if it is, it will instanciate the special object to grab the auth from the ECS proxy. BEFORE: When trying to run the task, it would assume the role of the instance it's running on (which may or may not have the permissions you want). ``` User `' is not authorized to perform `' on resource `' ``` After: Task is running as expected and assuming the correct role. All tests are passing Some more changes * Instead of requiring and customizing the AWS sdk in multiple places, put it in a single file and customizing only there. * Added tests for the right credentials being passed in * Checking whether we are in ECS context based on a special ENV var only passed from there
---
 lib/aws.js | 20 ++++++++++++++++++++
 lib/keys.js | 6 +-----
 lib/secrets.js | 6 +-----
 package.json | 2 +-
 test/aws.js | 16 ++++++++++++++++
 5 files changed, 39 insertions(+), 11 deletions(-)
 create mode 100644 lib/aws.js
 create mode 100644 test/aws.js
diff --git a/lib/aws.js b/lib/aws.js
new file mode 100644
index 0000000..cab4004
--- /dev/null
+++ b/lib/aws.js
@@ -0,0 +1,20 @@
+const AWS = require('aws-sdk');
+
+console.log(`URI: ${process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI}`);
+
+if (typeof process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI !== 'undefined') {
+  console.log('CREDS');
+
+  AWS.config.credentials = new AWS.ECSCredentials({
+    httpOptions: { timeout: 5000 },
+    maxRetries: 10,
+    retryDelayOptions: { base: 200 }
+  });
+
+}
+
+if (typeof process.env.AWS_DEFAULT_REGION !== 'undefined') {
+  AWS.config.update({region: process.env.AWS_DEFAULT_REGION});
+}
+
+module.exports = AWS;
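Review bot: The guard on the ECS branch, `if (typeof process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI !== 'undefined')`, also fires when the variable is present but empty, and then installs an ECSCredentials provider that has no endpoint to fetch from; testing the value rather than its presence, `if (process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI) {`, keeps the SDK's normal credential resolution for that case. As far as I know, assigning `AWS.config.credentials` directly also takes precedence over every other credential source for the whole process, so static keys or profile settings present in the environment are ignored whenever the ECS variable is set; if that is intended, a one-line comment above the assignment such as `// ECS task-role credentials take precedence over any other credential source.` would save the next reader a surprise. The region guard below it has the same presence-versus-value issue and would pass an empty AWS_DEFAULT_REGION straight into config.update.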
diff --git a/lib/keys.js b/lib/keys.js
index 5ce7005..e0799c6 100644
--- a/lib/keys.js
+++ b/lib/keys.js
@@ -1,11 +1,7 @@
-const AWS = require('aws-sdk');
+const AWS = require('./aws');
 const async = require('async');
 const encoder = require('./encoder');
 
-if (typeof process.env.AWS_DEFAULT_REGION !== 'undefined') {
-  AWS.config.update({region: process.env.AWS_DEFAULT_REGION});
-}
-
 function decrypt(key, done) {
   var params = {
     CiphertextBlob: encoder.decode(key)
diff --git a/lib/secrets.js b/lib/secrets.js
index 2e5dbbe..f35f6cd 100644
--- a/lib/secrets.js
+++ b/lib/secrets.js
@@ -1,9 +1,5 @@
-const AWS = require('aws-sdk');
 const async = require('async');
-
-if (typeof process.env.AWS_DEFAULT_REGION !== 'undefined') {
-  AWS.config.update({region: process.env.AWS_DEFAULT_REGION});
-}
+const AWS = require('./aws');
 
 // Blatantly borrowed from https://www.electrictoolbox.com/pad-number-zeroes-javascript/
 function pad(number, length) {
diff --git a/package.json b/package.json
index a2f2312..bc5c9a6 100644
--- a/package.json
+++ b/package.json
@@ -34,7 +34,7 @@
   "dependencies": {
     "aes-js": "0.2.2",
     "async": "1.5.2",
-    "aws-sdk": "2.2.35",
+    "aws-sdk": "2.28.0",
     "xtend": "4.0.1"
   }
 }
diff --git a/test/aws.js b/test/aws.js
new file mode 100644
index 0000000..7ffb57f
--- /dev/null
+++ b/test/aws.js
@@ -0,0 +1,16 @@
+const should = require('chai').should();
+
+describe('AWS', () => {
+  const env = Object.assign({}, process.env);
+  process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI = 'https://fake-uri';
+
+  afterEach(() => {
+    process.env = env;
+  });
+
+  it('can work with ecs credentials', (done) => {
+    const AWS = require('../lib/aws.js');
+    AWS.config.credentials.should.be.an.instanceOf(AWS.ECSCredentials);
+    done();
+  });
+});
From 7151a03693d2c8aab47a4a60270fa5af75d7b01f Mon Sep 17 00:00:00 2001
From: KensoDev
Date: Thu, 16 Mar 2017 15:31:28 -0700
Subject: [PATCH 2/2] remove console logging
---
 lib/aws.js | 5 -----
 1 file changed, 5 deletions(-)
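Review bot: The assertion in `it('can work with ecs credentials')` in test/aws.js only holds if `require('../lib/aws.js')` evaluates the module for the first time after the environment variable is set, but Node caches modules, so any earlier test file that pulled in lib/keys.js or lib/secrets.js leaves a cached instance configured without the variable and this test fails for the wrong reason. Clearing the cache entry before requiring, `delete require.cache[require.resolve('../lib/aws.js')];`, makes the test independent of file order. Setting `process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` in the describe body rather than in a hook also leaks it into every other suite collected after this file until the first afterEach runs; moving it into a `beforeEach` next to the snapshot keeps the change scoped to this test. `should` is assigned but never referenced and can be replaced by a bare `require('chai').should();`.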
diff --git a/lib/aws.js b/lib/aws.js
index cab4004..5cc0cff 100644
--- a/lib/aws.js
+++ b/lib/aws.js
@@ -1,16 +1,11 @@
 const AWS = require('aws-sdk');
 
-console.log(`URI: ${process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI}`);
-
 if (typeof process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI !== 'undefined') {
-  console.log('CREDS');
-
   AWS.config.credentials = new AWS.ECSCredentials({
     httpOptions: { timeout: 5000 },
     maxRetries: 10,
     retryDelayOptions: { base: 200 }
   });
-
 }
 
 if (typeof process.env.AWS_DEFAULT_REGION !== 'undefined') {