plantroon
/
acme.sh
mirror of https://github.com/plantroon/acme.sh.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Pull AWS creds from container role 

Extend the AWS DNS API driver to support ECS container metadata by using
the special environment variable ECS sets in containers.
This commit is contained in:
Mal Graty 2018-02-20 14:55:05 +00:00
parent e58d19b420
commit f49f55f4a5
1 changed files with 23 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
dnsapi/dns_aws.sh
View File

@ -23,7 +23,7 @@ dns_aws_add() {
AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SECRET_ACCESS_KEY)}" AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SECRET_ACCESS_KEY)}"
if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
_use_instance_role _use_container_role || _use_instance_role
fi fi
if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
@ -87,7 +87,7 @@ dns_aws_rm() {
AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SECRET_ACCESS_KEY)}" AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SECRET_ACCESS_KEY)}"
if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
_use_instance_role _use_container_role || _use_instance_role
fi fi
_debug "First detect the root zone" _debug "First detect the root zone"
@ -174,17 +174,30 @@ _get_root() {
return 1 return 1
} }
_use_container_role() {
# automatically set if running inside ECS
if [ -z "$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" ]; then
_debug "No ECS environment variable detected"
return 1
fi
_use_metadata "169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
}
_use_instance_role() { _use_instance_role() {
_url="http://169.254.169.254/latest/meta-data/iam/security-credentials/" _url="http://169.254.169.254/latest/meta-data/iam/security-credentials/"
_debug "_url" "$_url" _debug "_url" "$_url"
if ! _get "$_url" true 1 | _head_n 1 | grep -Fq 200; then if ! _get "$_url" true 1 | _head_n 1 | grep -Fq 200; then
_err "Unable to fetch IAM role from AWS instance metadata." _debug "Unable to fetch IAM role from instance metadata"
return return 1
fi fi
_aws_role=$(_get "$_url" "" 1) _aws_role=$(_get "$_url" "" 1)
_debug "_aws_role" "$_aws_role" _debug "_aws_role" "$_aws_role"
_use_metadata "$_url$_aws_role"
}
_use_metadata() {
_aws_creds="$( _aws_creds="$(
_get "$_url$_aws_role" "" 1 \ _get "$1" "" 1 \
| _normalizeJson \ | _normalizeJson \
| tr '{,}' '\n' \ | tr '{,}' '\n' \
| while read -r _line; do | while read -r _line; do
@ -201,6 +214,11 @@ _use_instance_role() {
| paste -sd' ' - | paste -sd' ' -
)" )"
_secure_debug "_aws_creds" "$_aws_creds" _secure_debug "_aws_creds" "$_aws_creds"
if [ -z "$_aws_creds" ]; then
return 1
fi
eval "$_aws_creds" eval "$_aws_creds"
_using_role=true _using_role=true
} }