1 files changed, 115 insertions, 0 deletions
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..817e194
--- /dev/null
+++ b/README.md
@@ -0,0 +1,115 @@
+# Mock Metadata Service
+This software is still heavily a work-in-progress. The IAM functionality should
+work but other stuff may not. Bug reports and pull requests welcome.
+This package provides a mock metadata service that returns plausible
+responses for most of the metadata service endpoints. It also provides a
+full IAM temporary credential endpoint that will assume an IAM role and
+continually refresh the credentials as time passes. All AWS SDKs and most AWS
+agents are able to work with this interface provided that it is bound to
+169.254.169.254 port 80.
+The daemon will attempt to bind two ports, port 80 on IP 169.245.169.254
+provides the mock metadata service that is only available on the instance.
+Additionally port 8998 will be bound on all interfaces for the administrative
+service. The administrative service is used to boostrap the daemon and provide
+health-checking.
+## Setting up Interfaces
+A loopback interface with IP address 169.254.169.254 is required by the daemon.
+This can be accomplished on Linux with the following command:
+```
+sudo ip addr add 169.254.169.254/24 broadcast 169.254.169.255 dev lo:metadata
+sudo ip link set dev lo:metadata up
+sudo iptables -I INPUT 1 -d 169.254.0.0/16 ! -i lo -j DROP
+```
+*Note*: Do not bind this address to a publicly accessible interface or anyone
+on the network will be able to use your AWS credentials.
+## Startup
+On startup the daemon will bind the ports described above and will wait for a
+bootstrap credential. At this time it will accept requests for all endpoints
+but will return an IAM failure response for the assumed role. Once bootstrapped
+it will assume the requested IAM role and begin serving credentials.
+## Health Checking
+The daemon provides an HTTP endpoint on the administrative service to provide a
+health status. The endpoint is `/status` and will return a JSON boolean (`true`
+or `false`) to indicate that the daemon is running with a valid set of assumed
+credentials.
+## Bootstrapping
+Once the daemon has assumed a role it will continue to re-assume that role
+using the credentials provided by the AssumeRole API call. However, initial
+credentials are required to bootstrap the role. These credentials only need
+permissions to assume the role, all other permissions should be granted to the
+role itself. These credentials should be provided to the administrative service
+using a POST request with a JSON body.
+The POST endpoint is `/bootstrap/creds` and is write-only. The JSON formatted
+message should contain an access key ID, a secret access key and optionally, a
+session token. The format is:
+```
+{
+    "AccessKeyId": "AK...",
+    "SecretAccessKey": "...",
+    "Token": "..."
+}
+```
+It is required to omit the token key or set the value to an empty string if no
+token is available.
+As soon as the bootstrap token is submitted the daemon will attempt to assume
+the role it was started with and will begin allowing clients to reqeuest
+credentials.
+## Known Missing Features
+Many of these feature either don't make sense outside of AWS or are not
+possible to emulate.
+Instance identity document signing. This can not be implemented because only
+AWS has the private key. 
+```
+/latest/dynamic/instance-identity/signature
+/latest/dynamic/instance-identity/pkcs7
+/latest/dynamic/instance-identity/rsa2048
+```
+Block device mappings. May be available in the future.
+```
+/latest/meta-data/block-device-mapping/ami
+/latest/meta-data/block-device-mapping/root
+```
+SSH keys. Will be available in a future release.
+```
+/latest/meta-data/public-keys/
+/latest/meta-data/public-keys/0/openssh-key
+```
+Network interface mapping. May be available in the future.
+```
+/latest/meta-data/network/interfaces/macs/
+/latest/meta-data/network/interfaces/macs/{mac}/device-number
+/latest/meta-data/network/interfaces/macs/{mac}/interface-id
+/latest/meta-data/network/interfaces/macs/{mac}/local-hostname
+/latest/meta-data/network/interfaces/macs/{mac}/local-ipv4s
+/latest/meta-data/network/interfaces/macs/{mac}/mac
+/latest/meta-data/network/interfaces/macs/{mac}/owner-id
+/latest/meta-data/network/interfaces/macs/{mac}/security-group-ids
+/latest/meta-data/network/interfaces/macs/{mac}/security-groups
+/latest/meta-data/network/interfaces/macs/{mac}/subnet-id
+/latest/meta-data/network/interfaces/macs/{mac}/subnet-ipv4-cidr-block
+/latest/meta-data/network/interfaces/macs/{mac}/vpc-id
+/latest/meta-data/network/interfaces/macs/{mac}/vpc-ipv4-cidr-block
+/latest/meta-data/network/interfaces/macs/{mac}/vpc-ipv4-cidr-blocks
+/latest/meta-data/network/interfaces/macs/{mac}/vpc-ipv6-cidr-blocks
+```

diff --git a/README.md b/README.md new file mode 100644 index 0000000..817e194 --- /dev/null +++ b/README.md
@@ -0,0 +1,115 @@
	1	# Mock Metadata Service
	2
	3	This software is still heavily a work-in-progress. The IAM functionality should
	4	work but other stuff may not. Bug reports and pull requests welcome.
	5
	6	This package provides a mock metadata service that returns plausible
	7	responses for most of the metadata service endpoints. It also provides a
	8	full IAM temporary credential endpoint that will assume an IAM role and
	9	continually refresh the credentials as time passes. All AWS SDKs and most AWS
	10	agents are able to work with this interface provided that it is bound to
	11	169.254.169.254 port 80.
	12
	13	The daemon will attempt to bind two ports, port 80 on IP 169.245.169.254
	14	provides the mock metadata service that is only available on the instance.
	15	Additionally port 8998 will be bound on all interfaces for the administrative
	16	service. The administrative service is used to boostrap the daemon and provide
	17	health-checking.
	18
	19	## Setting up Interfaces
	20	A loopback interface with IP address 169.254.169.254 is required by the daemon.
	21	This can be accomplished on Linux with the following command:
	22
	23	```
	24	sudo ip addr add 169.254.169.254/24 broadcast 169.254.169.255 dev lo:metadata
	25	sudo ip link set dev lo:metadata up
	26	sudo iptables -I INPUT 1 -d 169.254.0.0/16 ! -i lo -j DROP
	27	```
	28
	29	Note: Do not bind this address to a publicly accessible interface or anyone
	30	on the network will be able to use your AWS credentials.
	31
	32	## Startup
	33	On startup the daemon will bind the ports described above and will wait for a
	34	bootstrap credential. At this time it will accept requests for all endpoints
	35	but will return an IAM failure response for the assumed role. Once bootstrapped
	36	it will assume the requested IAM role and begin serving credentials.
	37
	38	## Health Checking
	39	The daemon provides an HTTP endpoint on the administrative service to provide a
	40	health status. The endpoint is `/status` and will return a JSON boolean (`true`
	41	or `false`) to indicate that the daemon is running with a valid set of assumed
	42	credentials.
	43
	44	## Bootstrapping
	45	Once the daemon has assumed a role it will continue to re-assume that role
	46	using the credentials provided by the AssumeRole API call. However, initial
	47	credentials are required to bootstrap the role. These credentials only need
	48	permissions to assume the role, all other permissions should be granted to the
	49	role itself. These credentials should be provided to the administrative service
	50	using a POST request with a JSON body.
	51
	52	The POST endpoint is `/bootstrap/creds` and is write-only. The JSON formatted
	53	message should contain an access key ID, a secret access key and optionally, a
	54	session token. The format is:
	55
	56	```
	57	{
	58	"AccessKeyId": "AK...",
	59	"SecretAccessKey": "...",
	60	"Token": "..."
	61	}
	62	```
	63
	64	It is required to omit the token key or set the value to an empty string if no
	65	token is available.
	66
	67	As soon as the bootstrap token is submitted the daemon will attempt to assume
	68	the role it was started with and will begin allowing clients to reqeuest
	69	credentials.
	70
	71	## Known Missing Features
	72	Many of these feature either don't make sense outside of AWS or are not
	73	possible to emulate.
	74
	75	Instance identity document signing. This can not be implemented because only
	76	AWS has the private key.
	77
	78	```
	79	/latest/dynamic/instance-identity/signature
	80	/latest/dynamic/instance-identity/pkcs7
	81	/latest/dynamic/instance-identity/rsa2048
	82	```
	83
	84	Block device mappings. May be available in the future.
	85
	86	```
	87	/latest/meta-data/block-device-mapping/ami
	88	/latest/meta-data/block-device-mapping/root
	89	```
	90
	91	SSH keys. Will be available in a future release.
	92
	93	```
	94	/latest/meta-data/public-keys/
	95	/latest/meta-data/public-keys/0/openssh-key
	96	```
	97
	98	Network interface mapping. May be available in the future.
	99	```
	100	/latest/meta-data/network/interfaces/macs/
	101	/latest/meta-data/network/interfaces/macs/{mac}/device-number
	102	/latest/meta-data/network/interfaces/macs/{mac}/interface-id
	103	/latest/meta-data/network/interfaces/macs/{mac}/local-hostname
	104	/latest/meta-data/network/interfaces/macs/{mac}/local-ipv4s
	105	/latest/meta-data/network/interfaces/macs/{mac}/mac
	106	/latest/meta-data/network/interfaces/macs/{mac}/owner-id
	107	/latest/meta-data/network/interfaces/macs/{mac}/security-group-ids
	108	/latest/meta-data/network/interfaces/macs/{mac}/security-groups
	109	/latest/meta-data/network/interfaces/macs/{mac}/subnet-id
	110	/latest/meta-data/network/interfaces/macs/{mac}/subnet-ipv4-cidr-block
	111	/latest/meta-data/network/interfaces/macs/{mac}/vpc-id
	112	/latest/meta-data/network/interfaces/macs/{mac}/vpc-ipv4-cidr-block
	113	/latest/meta-data/network/interfaces/macs/{mac}/vpc-ipv4-cidr-blocks
	114	/latest/meta-data/network/interfaces/macs/{mac}/vpc-ipv6-cidr-blocks
	115	```