Using ECS Server Mode
Overview
AWS provides the ability for ECS Tasks to assume an IAM role via an HTTP endpoint defined via the AWS_CONTAINER_CREDENTIALS_FULL_URI shell ENV variable.
All AWS SDK clients using the same ECS Server container credentials endpoint URL will utilize the same AWS IAM Role. Note that this feature is also compatible with the HTTP Client Provider.
Starting the ECS Server
The server runs in the foreground to make it easy to start via systemd and Docker.
aws-sso ecs run
will start the service on localhost:4144. For security purposes, the aws-sso ECS Server will only run on localhost/127.0.0.1. You may select an alternative port via the --port flag or by setting the AWS_SSO_ECS_PORT environment variable.
Environment variables
AWS_CONTAINER_CREDENTIALS_FULL_URI
AWS clients and aws-sso should use:
AWS_CONTAINER_CREDENTIALS_FULL_URI=http://localhost:4144/
AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
It is important not to set AWS_CONTAINER_CREDENTIALS_RELATIVE_URI, as it takes precedence over AWS_CONTAINER_CREDENTIALS_FULL_URI and is not compatible with aws-sso.
Selecting a role via ECS Server
Before you can assume a role, you must select an IAM role for the aws-sso ecs server to present to clients.
aws-sso ecs load
will start the interactive profile selector. Alternatively, you may specify the --profile flag, or the --account and --role flags, to select the role on the command line.
Note: Subsequent calls to aws-sso ecs load will alter the current IAM Role for all AWS Client SDKs using it.
Assuming a role via ECS Server
Ensure you have exported the following shell ENV variable:
export AWS_CONTAINER_CREDENTIALS_FULL_URI=http://localhost:4144/creds
Then just:
aws sts get-caller-identity
should show that you are using the IAM Role you loaded into the ecs server process.
Determining the current role
Since only one role can be loaded at any given time in the default slot, there may be times you would like to quickly determine the current role without resorting to an IAM call:
aws-sso ecs profile
will return the currently loaded default profile.
Unloading role credentials
If you would like to remove the default IAM Role credentials:
aws-sso ecs unload
Storing multiple roles at a time
There may be cases where you would like to make multiple roles available at the same time without running multiple copies of the ECS server via aws-sso ecs run.
Each role is stored in a unique named slot based on the ProfileName, which is set via either the Profile or the ProfileFormat configuration option.
Loading
Specify aws-sso ecs load --slotted ... and the individual role will be stored in its unique named slot based on its profile name.
Listing Profiles
To see a list of profiles loaded in named slots, use aws-sso ecs list.
Querying
Accessing the individual credentials is done via the profile query parameter:
export AWS_CONTAINER_CREDENTIALS_FULL_URI=http://localhost:4144/slot/ExampleProfileName
would utilize the ExampleProfileName role. Note that the profile parameter value must be URL escaped.
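As an added example (not code from the aws-sso project), a small Python client-side helper that ties together the environment-variable caveats above (localhost only, RELATIVE_URI precedence), the URL escaping required for the slot name in this section, and the credentials and error JSON shapes documented under Errors and REST API below. The sample response bodies and every credential value in it are constructed placeholders.

```python
import json
from datetime import datetime, timezone
from urllib.parse import quote, urlparse

# Constructed sample bodies (shapes from "GET /slot/<profile>" and "Errors"); placeholder values.
SAMPLE_SLOT_RESPONSE = json.dumps({
    "AccessKeyId": "ASIAEXAMPLEKEYID",
    "SecretAccessKeyId": "EXAMPLE-SECRET-KEY",
    "Token": "EXAMPLE-SESSION-TOKEN",
    "Expiration": "2030-01-01T00:00:00Z",
    "RoleArn": "arn:aws:iam::123456789012:role/ExampleRole",
})
SAMPLE_ERROR_RESPONSE = json.dumps({"code": "404", "message": "profile not found"})

def slot_url(base_url: str, profile_name: str) -> str:
    """Build the /slot/<profile> URL; the profile name must be URL escaped."""
    return base_url.rstrip("/") + "/slot/" + quote(profile_name, safe="")

def check_env(env: dict) -> list:
    """Report client-environment problems described on this page (pass os.environ in practice)."""
    problems = []
    full_uri = env.get("AWS_CONTAINER_CREDENTIALS_FULL_URI")
    if not full_uri:
        problems.append("AWS_CONTAINER_CREDENTIALS_FULL_URI is not set")
    elif urlparse(full_uri).hostname not in ("localhost", "127.0.0.1"):
        problems.append("endpoint is not on localhost, where aws-sso only listens")
    if env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"):
        problems.append("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI takes precedence; unset it")
    return problems

def rfc3339_to_datetime(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))  # trailing Z means UTC

def parse_credentials(body: str, now_rfc3339: str = None) -> dict:
    """Parse a credentials body; raise on the documented error shape or on expiry."""
    data = json.loads(body)
    if "code" in data and "message" in data:  # error format from the "Errors" section
        raise RuntimeError(f"ECS server error {data['code']}: {data['message']}")
    expiration = rfc3339_to_datetime(data["Expiration"])
    now = rfc3339_to_datetime(now_rfc3339) if now_rfc3339 else datetime.now(timezone.utc)
    if expiration <= now:
        raise RuntimeError(f"credentials for {data['RoleArn']} expired at {expiration}")
    return {
        "access_key_id": data["AccessKeyId"],
        "secret_access_key": data["SecretAccessKeyId"],
        "session_token": data["Token"],
        "role_arn": data["RoleArn"],
        "expires_in_seconds": int((expiration - now).total_seconds()),
    }
```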
Unloading
To remove a specific IAM Role credential from a named slot in the ECS Server, you can use:
aws-sso ecs unload --profile <profile>
Errors
The ECS Server API endpoint generates errors with the following JSON format:
{
"code": "<HTTP error code>",
"message": "<message>"
}
Authentication
Support for the AWS_CONTAINER_AUTHORIZATION_TOKEN is TBD. Please vote for this feature if you want it!
HTTPS Transport
Support for using HTTPS is TBD. Please vote for this feature if you want it!
REST API
Default credentials
GET /
Fetch default credentials.
{
"AccessKeyId": "ASI....",
"SecretAccessKeyId": "<Secret Access Key ID>",
"Token": "<Temporary security token>",
"Expiration": "<Date in RFC3339 / ISO8601 format>",
"RoleArn": "<ARN of the role>"
}
GET /profile
Fetch profile name of the default credentials.
{
"ProfileName": "<aws-sso profile name>",
"AccountId": "<AWS Account ID>",
"RoleName": "<IAM Role name>",
"Expiration": <Unix epoch seconds>,
"Expires": "<how long until expires string>"
}
PUT /
Upload default credentials.
{
"code": "<HTTP error code>",
"message": "<message>"
}
DELETE /
Delete default credentials.
{
"code": "<HTTP error code>",
"message": "<message>"
}
Slotted credentials
GET /slot
Fetch the list of credentials loaded in named slots.
[
{
"ProfileName": "<profile name>",
"AccountId": "<AWS Account ID>",
"RoleName": "<IAM Role Name>",
"Expiration": <Unix Epoch Seconds>,
"Expires": "<how long until expires string>"
},
<more entries...>
]
GET /slot/<profile>
Fetch credentials of the named profile.
{
"AccessKeyId": "ASI....",
"SecretAccessKeyId": "<secret access key id value>",
"Token": "<temporary security token>",
"Expiration": "<date in RFC3339 / ISO8601 format>",
"RoleArn": "<ARN of the role>"
}
PUT /slot/<profile>
Upload credentials of the named profile.
{
"code": "<HTTP error code>",
"message": "<message>"
}
DELETE /slot/<profile>
Delete credentials of the named profile.
{
"code": "<HTTP error code>",
"message": "<message>"
}
DELETE /slot
Delete all named credentials.
{
"code": "<HTTP error code>",
"message": "<message>"
}