
mod_aws_profile/mod_aws_profile.lua @ 3698:1d719d4ef18f

mod_aws_profile: New module for role-based access to AWS APIs
author Matthew Wild <mwild1@gmail.com>
date Tue, 08 Oct 2019 17:32:50 +0100
child 5725:616c0459aca7
1 local http = require "net.http";
2 local json = require "util.json";
3 local parse_timestamp = require "util.datetime".parse;
4
5 module:set_global();
6
7 local current_credentials = module:shared("/*/aws_profile/credentials");
8
9 local function get_role_credentials(role_name, cb)
10 http.request("http://169.254.169.254/latest/meta-data/iam/security-credentials/"..role_name, nil, function (credentials_json)
11 local credentials = credentials_json and json.decode(credentials_json);
12 if not credentials or not (credentials.AccessKeyId and credentials.SecretAccessKey) then
13 module:log("warn", "Failed to fetch credentials for %q", role_name);
14 cb(nil);
15 return;
16 end
17 local expiry = parse_timestamp(credentials.Expiration);
18 local ttl = os.difftime(expiry, os.time());
19 cb({
20 access_key = credentials.AccessKeyId;
21 secret_key = credentials.SecretAccessKey;
22 ttl = ttl;
23 expiry = expiry;
24 });
25 end);
26 end
27
28 local function get_credentials(cb)
29 http.request("http://169.254.169.254/latest/meta-data/iam/security-credentials", nil, function (role_name)
30 role_name = role_name and role_name:match("%S+");
31 if not role_name then
32 module:log("warn", "Unable to discover role name");
33 cb(nil);
34 return;
35 end
36 get_role_credentials(role_name, cb);
37 end);
38 end
39
40 function refresh_credentials(force)
41 if not force and current_credentials.expiry and current_credentials.expiry - os.time() > 300 then
42 return;
43 end
44 get_credentials(function (credentials)
45 if not credentials then
46 module:log("warn", "Failed to refresh credentials!");
47 return;
48 end
49 current_credentials.access_key = credentials.access_key;
50 current_credentials.secret_key = credentials.secret_key;
51 current_credentials.expiry = credentials.expiry;
52 module:timer(credentials.ttl or 240, refresh_credentials);
53 module:fire_event("aws_profile/credentials-refreshed", current_credentials);
54 end);
55 end
56
57 function module.load()
58 refresh_credentials(true);
59 end