Coder Social home page Coder Social logo

mmds's Introduction

Mock Metadata Service

This software is still heavily a work-in-progress. The IAM functionality should work but other stuff may not. Bug reports and pull requests welcome.

This package provides a mock metadata service that returns plausible responses for most of the metadata service endpoints. It also provides a full IAM temporary credential endpoint that will assume an IAM role and continually refresh the credentials as time passes. All AWS SDKs and most AWS agents are able to work with this interface provided that it is bound to 169.254.169.254 port 80.

The daemon will attempt to bind two ports, port 80 on IP 169.245.169.254 provides the mock metadata service that is only available on the instance. Additionally port 8998 will be bound on all interfaces for the administrative service. The administrative service is used to boostrap the daemon and provide health-checking.

Setting up Interfaces

A loopback interface with IP address 169.254.169.254 is required by the daemon. This can be accomplished on Linux with the following command:

sudo ip addr add 169.254.169.254/24 broadcast 169.254.169.255 dev lo:metadata
sudo ip link set dev lo:metadata up
sudo iptables -I INPUT 1 -d 169.254.0.0/16 ! -i lo -j DROP

Note: Do not bind this address to a publicly accessible interface or anyone on the network will be able to use your AWS credentials.

Startup

On startup the daemon will bind the ports described above and will wait for a bootstrap credential. At this time it will accept requests for all endpoints but will return an IAM failure response for the assumed role. Once bootstrapped it will assume the requested IAM role and begin serving credentials.

Health Checking

The daemon provides an HTTP endpoint on the administrative service to provide a health status. The endpoint is /status and will return a JSON boolean (true or false) to indicate that the daemon is running with a valid set of assumed credentials.

Bootstrapping

Once the daemon has assumed a role it will continue to re-assume that role using the credentials provided by the AssumeRole API call. However, initial credentials are required to bootstrap the role. These credentials only need permissions to assume the role, all other permissions should be granted to the role itself. These credentials should be provided to the administrative service using a POST request with a JSON body.

The POST endpoint is /bootstrap/creds and is write-only. The JSON formatted message should contain an access key ID, a secret access key and optionally, a session token. The format is:

{
    "AccessKeyId": "AK...",
    "SecretAccessKey": "...",
    "Token": "..."
}

It is required to omit the token key or set the value to an empty string if no token is available.

As soon as the bootstrap token is submitted the daemon will attempt to assume the role it was started with and will begin allowing clients to reqeuest credentials.

Known Missing Features

Many of these feature either don't make sense outside of AWS or are not possible to emulate.

Instance identity document signing. This can not be implemented because only AWS has the private key.

/latest/dynamic/instance-identity/signature
/latest/dynamic/instance-identity/pkcs7
/latest/dynamic/instance-identity/rsa2048

Block device mappings. May be available in the future.

/latest/meta-data/block-device-mapping/ami
/latest/meta-data/block-device-mapping/root

SSH keys. Will be available in a future release.

/latest/meta-data/public-keys/
/latest/meta-data/public-keys/0/openssh-key

Network interface mapping. May be available in the future.

/latest/meta-data/network/interfaces/macs/
/latest/meta-data/network/interfaces/macs/{mac}/device-number
/latest/meta-data/network/interfaces/macs/{mac}/interface-id
/latest/meta-data/network/interfaces/macs/{mac}/local-hostname
/latest/meta-data/network/interfaces/macs/{mac}/local-ipv4s
/latest/meta-data/network/interfaces/macs/{mac}/mac
/latest/meta-data/network/interfaces/macs/{mac}/owner-id
/latest/meta-data/network/interfaces/macs/{mac}/security-group-ids
/latest/meta-data/network/interfaces/macs/{mac}/security-groups
/latest/meta-data/network/interfaces/macs/{mac}/subnet-id
/latest/meta-data/network/interfaces/macs/{mac}/subnet-ipv4-cidr-block
/latest/meta-data/network/interfaces/macs/{mac}/vpc-id
/latest/meta-data/network/interfaces/macs/{mac}/vpc-ipv4-cidr-block
/latest/meta-data/network/interfaces/macs/{mac}/vpc-ipv4-cidr-blocks
/latest/meta-data/network/interfaces/macs/{mac}/vpc-ipv6-cidr-blocks

mmds's People

Stargazers

avatar avatar

Watchers

avatar avatar avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.