From 32c65486487c6689d2f3432128ece09f8fe38840 Mon Sep 17 00:00:00 2001
From: Gene Ting
Date: Wed, 12 Feb 2025 22:37:43 -0500
Subject: [PATCH 1/2] * add steps to build aws_signing_helper in installer stage * copy aws_signing_helper from installer stage to final image * add instructions how to use IAM Roles Anywhere with image
---
 README.rst | 17 +++++++++++++++++
 docker/Dockerfile | 13 ++++++++++---
 2 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/README.rst b/README.rst
index c7d24ab17cb8..050073cf2bca 100644
--- a/README.rst
+++ b/README.rst
@@ -102,6 +102,7 @@ Before using aws-cli, you need to tell it about your AWS credentials. You
 can do this in several ways:
 
 * Environment variables
+* `IAM Roles Anywhere ` with a public certificate and private key
 * Shared credentials file
 * Config file
 * IAM Role
@@ -119,6 +120,22 @@ To use environment variables, do the following::
 $ export AWS_ACCESS_KEY_ID=
 $ export AWS_SECRET_ACCESS_KEY=
+To use IAM Roles Anywhere, you must first complete the following:
+* Have a public certificate and private key pair issued by your private certificate authority (CA). You well need the CA public certificate or an instance of `AWS Private CA ` as well
+* Setup your trust anchors and profiles by following the `IAM Roles Anywhere documentation `
+
+Once you complete the pre-requisites, you can test your setup with the following::
+ docker run --rm -v ::ro --entrypoint aws_signing_helper amazon/aws-cli --region --certificate / --private-key / --profile-arn --role-arn --trust-anchor-arn
+
+To use it with the AWS CLI, first create a config file like this::
+ [profile default]
+ credential_process = /usr/bin/aws_signing_helper --region --certificate / --private-key / --profile-arn --role-arn --trust-anchor-arn
+
+Then you can test an AWS command, like the following::
+ docker run --rm -v ::ro -v :/root/.aws:ro amazon/aws-cli s3api list-buckets
+
+You must replace the following variables in the examples above::
+ *
 To use the shared credentials file, create an INI formatted file like this::
 [default]
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 36b06c668cb2..b36d84fe21ee 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,4 +1,4 @@
-FROM public.ecr.aws/amazonlinux/amazonlinux:2 as installer
+FROM public.ecr.aws/amazonlinux/amazonlinux:2 AS installer
 ARG EXE_FILENAME=awscli-exe-linux-x86_64.zip
 COPY $EXE_FILENAME .
 RUN yum update -y \
@@ -9,7 +9,12 @@ RUN yum update -y \
 # into /usr/local/bin of the final stage without
 # accidentally copying over any other executables that
 # may be present in /usr/local/bin of the installer stage.
- && ./aws/install --bin-dir /aws-cli-bin/
+ && ./aws/install --bin-dir /aws-cli-bin/ \
+ # build the IAM Roles Anywhere signing helper
+ && yum -y groupinstall 'Development Tools' && yum -y install golang-go \
+ && git clone https://github.com/aws/rolesanywhere-credential-helper.git \
+ && cd /rolesanywhere-credential-helper \
+ && make release
 
 FROM public.ecr.aws/amazonlinux/amazonlinux:2
 RUN yum update -y \
@@ -17,5 +22,7 @@ RUN yum update -y \
 && yum clean all
 COPY --from=installer /usr/local/aws-cli/ /usr/local/aws-cli/
 COPY --from=installer /aws-cli-bin/ /usr/local/bin/
+COPY --from=installer /rolesanywhere-credential-helper/build/bin/* /usr/bin/
+
 WORKDIR /aws
-ENTRYPOINT ["/usr/local/bin/aws"]
+ENTRYPOINT ["/usr/local/bin/aws"]
\ No newline at end of file
From 3351cb1d7c84acb750b02bd7b5dfc4ca6d97304b Mon Sep 17 00:00:00 2001
From: Gene Ting
Date: Wed, 12 Feb 2025 22:45:50 -0500
Subject: [PATCH 2/2] * modify aws_signing_helper location in final stage * modify README to reflect location change
---
 README.rst | 8 +++++---
 docker/Dockerfile | 2 +-
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/README.rst b/README.rst
index 050073cf2bca..cefd510d41a1 100644
--- a/README.rst
+++ b/README.rst
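Review bot: The helper is built from whatever `git clone https://github.com/aws/rolesanywhere-credential-helper.git` resolves to at build time, so two builds of the same Dockerfile can yield different aws_signing_helper binaries and nothing in the image records which source went in; pin the clone to a release tag or commit, e.g. `ARG ROLESANYWHERE_VERSION=<release-tag>` above the RUN and `&& git clone --depth 1 --branch "${ROLESANYWHERE_VERSION}" https://github.com/aws/rolesanywhere-credential-helper.git \`. The `cd` in the chain is avoidable: `&& make -C /rolesanywhere-credential-helper release` builds the same target without changing the shell's directory (hadolint DL3003). The unpinned `yum -y groupinstall 'Development Tools' && yum -y install golang-go` is tolerable because the installer stage is discarded, but the Go toolchain it happens to pull is one more unrecorded input to the shipped binary. The RUN instruction this hunk extends begins before the hunk.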
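Review bot: `COPY --from=installer /rolesanywhere-credential-helper/build/bin/* /usr/bin/` copies every file the release target leaves in build/bin into the system PATH, which runs against the installer-stage comment explaining that `--bin-dir` exists precisely to keep unrelated executables out of the final image; copy the one binary the README refers to by name, `COPY --from=installer /rolesanywhere-credential-helper/build/bin/aws_signing_helper /usr/bin/`, so a renamed output or an extra artifact fails the build instead of silently landing in the image. The ENTRYPOINT line is otherwise unchanged but is re-emitted without its trailing newline (`\ No newline at end of file`), which adds a spurious diff line and will show up again in the next change to that line; restore the newline. Patch 2 of this series moves the destination to /usr/local/bin but keeps the glob, so the same point applies to that hunk.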
@@ -125,11 +125,13 @@ To use IAM Roles Anywhere, you must first complete the following:
 * Setup your trust anchors and profiles by following the `IAM Roles Anywhere documentation `
 
 Once you complete the pre-requisites, you can test your setup with the following::
- docker run --rm -v ::ro --entrypoint aws_signing_helper amazon/aws-cli --region --certificate / --private-key / --profile-arn --role-arn --trust-anchor-arn
+ docker run --rm -v ::ro --entrypoint /usr/local/bin/aws_signing_helper amazon/aws-cli --region --certificate / --private-key / --profile-arn --role-arn --trust-anchor-arn
 
-To use it with the AWS CLI, first create a config file like this::
+To use it with the AWS CLI, first create a configuration file like this::
 [profile default]
- credential_process = /usr/bin/aws_signing_helper --region --certificate / --private-key / --profile-arn --role-arn --trust-anchor-arn
+ credential_process = /usr/local/bin/aws_signing_helper --region --certificate / --private-key / --profile-arn --role-arn --trust-anchor-arn
+
+and place it in ~/.aws/config. If you place this else where, you will need to use that directory path for the next step.
 
 Then you can test an AWS command, like the following::
 docker run --rm -v ::ro -v :/root/.aws:ro amazon/aws-cli s3api list-buckets
diff --git a/docker/Dockerfile b/docker/Dockerfile
index b36d84fe21ee..97b71695548a 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -22,7 +22,7 @@ RUN yum update -y \
 && yum clean all
 COPY --from=installer /usr/local/aws-cli/ /usr/local/aws-cli/
 COPY --from=installer /aws-cli-bin/ /usr/local/bin/
-COPY --from=installer /rolesanywhere-credential-helper/build/bin/* /usr/bin/
+COPY --from=installer /rolesanywhere-credential-helper/build/bin/* /usr/local/bin/
 WORKDIR /aws
 ENTRYPOINT ["/usr/local/bin/aws"]
\ No newline at end of file