Merge pull request #109 from ryan-lane/aws-vault-ecs-server

Add an option to patch boto to support ecs-server mode of aws-vault
lyft · May 20, 2021 · 0c09033 · 0c09033
2 parents 258c932 + 25ee889
commit 0c09033
Show file tree

Hide file tree

Showing 5 changed files with 15 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 2.2.0
+
+* Added `PATCH_ECS_ALLOWED_HOSTS` config setting, to support aws-vault's --ecs-server option
+
 ## 2.1.0
 
 * Fix for the gunicorn logging run location in gunicorn.conf, when trying to catch an exception that only exists in python3.

diff --git a/README.md b/README.md
@@ -89,6 +89,7 @@ script, or set via docker environment variables.
 | ROLE\_MAPPING\_FILE | Path String | | A json file that has a dict mapping of IP addresses to role names. Can be used if docker networking has been disabled and you are managing IP addressing for containers through another process. |
 | ROLE\_REVERSE\_LOOKUP | Boolean | False | Enable performing a reverse lookup of incoming IP addresses to match containers by hostname. Useful if you've disabled networking in docker, but set hostnames for containers in /etc/hosts or DNS. |
 | HOSTNAME\_MATCH\_REGEX | Regex String | `^.*$` | Limit reverse lookup container matching to hostnames that match the specified pattern. |
+| PATCH_ECS_ALLOWED_HOSTS | String | | Patch botocore's allowed hosts for ContainerMetadataFetcher to support aws-vault's --ecs-server option. This will inject the provided host into the allowed addresses botocore will allow for the AWS_CONTAINER_CREDENTIALS_FULL_URI environment. |
 
 #### Default Roles
 

diff --git a/metadataproxy/__init__.py b/metadataproxy/__init__.py
@@ -6,6 +6,10 @@
 app.config.from_object(settings)
 app.debug = app.config['DEBUG']
 
+if app.config['PATCH_ECS_ALLOWED_HOSTS']:
+    from botocore.utils import ContainerMetadataFetcher  # NOQA
+    ContainerMetadataFetcher._ALLOWED_HOSTS.append(app.config['PATCH_ECS_ALLOWED_HOSTS'])
+
 if app.config['MOCK_API']:
     from metadataproxy.routes import mock  # NOQA
 else:

diff --git a/metadataproxy/settings.py b/metadataproxy/settings.py
@@ -111,3 +111,8 @@ def str_env(var_name, default=''):
 MESOS_STATE_URL = str_env('MESOS_STATE_URL', 'http://localhost:5051/state')
 # Timeout to use when calling the mesos state endpoint
 MESOS_STATE_TIMEOUT = int_env('MESOS_STATE_TIMEOUT', 2)
+
+# Patch botocore's allowed hosts for ContainerMetadataFetcher to support aws-vault's
+# --ecs-server option. This will inject docker for mac's URL for the host into the
+# allowed addresses botocore will talk to.
+PATCH_ECS_ALLOWED_HOSTS = str_env('PATCH_ECS_ALLOWED_HOSTS')
diff --git a/setup.py b/setup.py
@@ -25,7 +25,7 @@
 
 setup(
     name="metadataproxy",
-    version="2.1.0",
+    version="2.2.0",
     packages=find_packages(exclude=["test*"]),
     include_package_data=True,
     zip_safe=False,