AWS auth backend - how to specify proxy


kamalakar vadla

Feb 9, 2017, 2:36:21 PM
to Vault
I have a couple of questions on configuring the AWS ec2 auth backend in our company

  1. I have multiple profiles in ~/.aws/credentials file, how to specify which profile to pick up by Vault?
  2. We do have a proxy sitting between the AWS client and the AWS endpoint, how can we tell Vault to pick up those proxy details?

Thanks in advance.

Regards
KV

Vishal Nayak

Feb 9, 2017, 3:05:21 PM
to vault...@googlegroups.com
Hi Kamalakar,

> I have multiple profiles in ~/.aws/credentials file, how to specify which profile to pick up by Vault?

I have not tested this yet. But looking at the code it looks like the
backend will take care of pulling the credentials automatically.
Multiple credential providers will be used: preconfigured keys in the
config endpoint, environment variables (AWS_ACCESS_KEY,
AWS_SECRET_KEY), shared credential providers and the ec2 role
providers. What you are asking for belongs to shared credentials
provider. By default, the "[default]" profile should be picked. If you
want another profile to be picked, then setting the desired profile via
the environment variable AWS_PROFILE should do.

> We do have a proxy sitting between the AWS client and the AWS endpoint, how can we tell Vault to pick up those proxy details?

I am not sure what you are asking here. Is it that you want the AWS APIs
to land at a different endpoint? If yes, the `/auth/aws-ec2/config/client`
API has an "endpoint" field that could be used.

Regards,
Vishal
> --
> This mailing list is governed under the HashiCorp Community Guidelines -
> https://www.hashicorp.com/community-guidelines.html. Behavior in violation
> of those guidelines may result in your removal from this mailing list.
>
> GitHub Issues: https://github.com/hashicorp/vault/issues
> IRC: #vault-tool on Freenode
> ---
> You received this message because you are subscribed to the Google Groups
> "Vault" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to vault-tool+...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/vault-tool/7070cd52-241c-4923-8d9a-5899b696236e%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.



--
vn

kamalakar vadla

Feb 9, 2017, 4:34:56 PM
to Vault
Hi Vishal

> > I have multiple profiles in ~/.aws/credentials file, how to specify which profile to pick up by Vault?
>
> I have not tested this yet. But looking at the code it looks like the
> backend will take care of pulling the credentials automatically.
> Multiple credential providers will be used: preconfigured keys in the
> config endpoint, environment variables (AWS_ACCESS_KEY,
> AWS_SECRET_KEY), shared credential providers and the ec2 role
> providers. What you are asking for belongs to shared credentials
> provider. By default, the "[default]" profile should be picked. If you
> want another profile to be picked, then setting the desired profile via
> the environment variable AWS_PROFILE should do.

[KV] Will try setting AWS_PROFILE.

> > We do have a proxy sitting between the AWS client and the AWS endpoint, how can we tell Vault to pick up those proxy details?
>
> I am not sure what you are asking here. Is it that you want the AWS APIs
> to land at a different endpoint? If yes, the `/auth/aws-ec2/config/client`
> API has an "endpoint" field that could be used.

[KV] There is a forward proxy sitting in our environment.

     e.g.: In the case of a boto client call, I am specifying the proxy server details for calling the AWS API.

    # EC2Connection with proxy arguments is the boto (v2) API, not boto3
    import boto.ec2.connection

    boto.ec2.connection.EC2Connection(
        aws_access_key_id=aws_access_key_id,
        aws_secret_access_key=aws_secret_access_key,
        security_token=aws_security_token,
        proxy='xxx',
        proxy_port='xxx',
        proxy_user='xx',
        proxy_pass='xxxx')

Regards
KV 

Vishal Nayak

Feb 9, 2017, 5:50:03 PM
to vault...@googlegroups.com
Hi Kamalakar,

Vault doesn't natively handle connections to proxies. I couldn't see
any placeholders for proxy settings in the aws-sdk-go API which Vault
relies on to interact with AWS. I'm afraid this has to be dealt with by the
application invoking the API.

Regards,
Vishal

Jeff Mitchell

Feb 9, 2017, 8:50:02 PM
to vault...@googlegroups.com
Hi Kamalakar,

Vault will use proxy env vars (HTTP_PROXY, HTTPS_PROXY, NO_PROXY) if they are specified. I don't honestly know if they support proxies requiring authentication; Go's docs are pretty slim there and a quick look at the code suggests maybe not.

Best,
Jeff
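
As an added illustration of the reply above (not code from the thread or from Vault), this Go program asks the standard library which proxy it would pick from HTTP_PROXY, HTTPS_PROXY and NO_PROXY for a given destination. The proxy host, the service account and the NO_PROXY entries are constructed values; the proxy URL is returned with `Redacted()` because a `user:password@` part in these variables otherwise ends up in logs.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
)

// setConstructedProxyEnv sets example values (constructed, not from the thread).
func setConstructedProxyEnv() {
	proxy := "http://svc-vault:s3cret@proxy.example.internal:3128"
	os.Setenv("HTTPS_PROXY", proxy)
	os.Setenv("HTTP_PROXY", proxy)
	// Keep the EC2 instance metadata service and internal hosts off the proxy.
	os.Setenv("NO_PROXY", "169.254.169.254,.corp.example.internal")
}

// proxyFor returns the proxy that net/http's environment lookup selects for
// target, with any password masked. An empty string means a direct connection.
func proxyFor(target string) (string, error) {
	// The environment is read once and cached by ProxyFromEnvironment, so the
	// variables must be in place before its first call in the process.
	setConstructedProxyEnv()
	req, err := http.NewRequest(http.MethodGet, target, nil)
	if err != nil {
		return "", err
	}
	u, err := http.ProxyFromEnvironment(req)
	if err != nil || u == nil {
		return "", err
	}
	return u.Redacted(), nil
}

func main() {
	for _, target := range []string{
		"https://ec2.us-east-1.amazonaws.com/",      // AWS API call: via proxy
		"http://169.254.169.254/latest/meta-data/",  // metadata service: direct
		"https://consul.corp.example.internal:8500/", // NO_PROXY suffix: direct
	} {
		p, err := proxyFor(target)
		if err != nil {
			fmt.Println(target, "error:", err)
			continue
		}
		if p == "" {
			p = "(direct)"
		}
		fmt.Printf("%-45s -> %s\n", target, p)
	}
}
```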


kamalakar vadla

Feb 10, 2017, 9:24:18 AM
to Vault
Hi Jeff

Thanks for the quick help.

For the benefit
I was able to set this up successfully with the help of the proxy env vars (HTTP_PROXY, HTTPS_PROXY, NO_PROXY).

Regards
KV