Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 115 |
1 files changed, 115 insertions, 0 deletions
diff --git a/README.md b/README.md new file mode 100644 index 0000000..817e194 --- /dev/null +++ b/README.md | |||
@@ -0,0 +1,115 @@ | |||
1 | # Mock Metadata Service | ||
2 | |||
3 | This software is still heavily a work-in-progress. The IAM functionality should | ||
4 | work but other stuff may not. Bug reports and pull requests welcome. | ||
5 | |||
6 | This package provides a mock metadata service that returns plausible | ||
7 | responses for most of the metadata service endpoints. It also provides a | ||
8 | full IAM temporary credential endpoint that will assume an IAM role and | ||
9 | continually refresh the credentials as time passes. All AWS SDKs and most AWS | ||
10 | agents are able to work with this interface provided that it is bound to | ||
11 | 169.254.169.254 port 80. | ||
12 | |||
13 | The daemon will attempt to bind two ports, port 80 on IP 169.245.169.254 | ||
14 | provides the mock metadata service that is only available on the instance. | ||
15 | Additionally port 8998 will be bound on all interfaces for the administrative | ||
16 | service. The administrative service is used to boostrap the daemon and provide | ||
17 | health-checking. | ||
18 | |||
19 | ## Setting up Interfaces | ||
20 | A loopback interface with IP address 169.254.169.254 is required by the daemon. | ||
21 | This can be accomplished on Linux with the following command: | ||
22 | |||
23 | ``` | ||
24 | sudo ip addr add 169.254.169.254/24 broadcast 169.254.169.255 dev lo:metadata | ||
25 | sudo ip link set dev lo:metadata up | ||
26 | sudo iptables -I INPUT 1 -d 169.254.0.0/16 ! -i lo -j DROP | ||
27 | ``` | ||
28 | |||
29 | *Note*: Do not bind this address to a publicly accessible interface or anyone | ||
30 | on the network will be able to use your AWS credentials. | ||
31 | |||
32 | ## Startup | ||
33 | On startup the daemon will bind the ports described above and will wait for a | ||
34 | bootstrap credential. At this time it will accept requests for all endpoints | ||
35 | but will return an IAM failure response for the assumed role. Once bootstrapped | ||
36 | it will assume the requested IAM role and begin serving credentials. | ||
37 | |||
38 | ## Health Checking | ||
39 | The daemon provides an HTTP endpoint on the administrative service to provide a | ||
40 | health status. The endpoint is `/status` and will return a JSON boolean (`true` | ||
41 | or `false`) to indicate that the daemon is running with a valid set of assumed | ||
42 | credentials. | ||
43 | |||
44 | ## Bootstrapping | ||
45 | Once the daemon has assumed a role it will continue to re-assume that role | ||
46 | using the credentials provided by the AssumeRole API call. However, initial | ||
47 | credentials are required to bootstrap the role. These credentials only need | ||
48 | permissions to assume the role, all other permissions should be granted to the | ||
49 | role itself. These credentials should be provided to the administrative service | ||
50 | using a POST request with a JSON body. | ||
51 | |||
52 | The POST endpoint is `/bootstrap/creds` and is write-only. The JSON formatted | ||
53 | message should contain an access key ID, a secret access key and optionally, a | ||
54 | session token. The format is: | ||
55 | |||
56 | ``` | ||
57 | { | ||
58 | "AccessKeyId": "AK...", | ||
59 | "SecretAccessKey": "...", | ||
60 | "Token": "..." | ||
61 | } | ||
62 | ``` | ||
63 | |||
64 | It is required to omit the token key or set the value to an empty string if no | ||
65 | token is available. | ||
66 | |||
67 | As soon as the bootstrap token is submitted the daemon will attempt to assume | ||
68 | the role it was started with and will begin allowing clients to reqeuest | ||
69 | credentials. | ||
70 | |||
71 | ## Known Missing Features | ||
72 | Many of these feature either don't make sense outside of AWS or are not | ||
73 | possible to emulate. | ||
74 | |||
75 | Instance identity document signing. This can not be implemented because only | ||
76 | AWS has the private key. | ||
77 | |||
78 | ``` | ||
79 | /latest/dynamic/instance-identity/signature | ||
80 | /latest/dynamic/instance-identity/pkcs7 | ||
81 | /latest/dynamic/instance-identity/rsa2048 | ||
82 | ``` | ||
83 | |||
84 | Block device mappings. May be available in the future. | ||
85 | |||
86 | ``` | ||
87 | /latest/meta-data/block-device-mapping/ami | ||
88 | /latest/meta-data/block-device-mapping/root | ||
89 | ``` | ||
90 | |||
91 | SSH keys. Will be available in a future release. | ||
92 | |||
93 | ``` | ||
94 | /latest/meta-data/public-keys/ | ||
95 | /latest/meta-data/public-keys/0/openssh-key | ||
96 | ``` | ||
97 | |||
98 | Network interface mapping. May be available in the future. | ||
99 | ``` | ||
100 | /latest/meta-data/network/interfaces/macs/ | ||
101 | /latest/meta-data/network/interfaces/macs/{mac}/device-number | ||
102 | /latest/meta-data/network/interfaces/macs/{mac}/interface-id | ||
103 | /latest/meta-data/network/interfaces/macs/{mac}/local-hostname | ||
104 | /latest/meta-data/network/interfaces/macs/{mac}/local-ipv4s | ||
105 | /latest/meta-data/network/interfaces/macs/{mac}/mac | ||
106 | /latest/meta-data/network/interfaces/macs/{mac}/owner-id | ||
107 | /latest/meta-data/network/interfaces/macs/{mac}/security-group-ids | ||
108 | /latest/meta-data/network/interfaces/macs/{mac}/security-groups | ||
109 | /latest/meta-data/network/interfaces/macs/{mac}/subnet-id | ||
110 | /latest/meta-data/network/interfaces/macs/{mac}/subnet-ipv4-cidr-block | ||
111 | /latest/meta-data/network/interfaces/macs/{mac}/vpc-id | ||
112 | /latest/meta-data/network/interfaces/macs/{mac}/vpc-ipv4-cidr-block | ||
113 | /latest/meta-data/network/interfaces/macs/{mac}/vpc-ipv4-cidr-blocks | ||
114 | /latest/meta-data/network/interfaces/macs/{mac}/vpc-ipv6-cidr-blocks | ||
115 | ``` | ||
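Review bot: the paragraph beginning "The daemon will attempt to bind two ports" gives the address as 169.245.169.254 while the rest of the file (and the `ip addr add` command) uses 169.254.169.254; fix the transposed octet so a reader who copies that sentence does not bind the wrong address. The interface setup under "Setting up Interfaces" will also not work as written on current iproute2: `lo:metadata` is an address label, not a network device, so `ip addr add ... dev lo:metadata` fails with "Cannot find device", and `ip link set dev lo:metadata up` fails the same way; suggest `sudo ip addr add 169.254.169.254/24 broadcast 169.254.169.255 dev lo label lo:metadata` and dropping the `ip link set` line, since `lo` is already up. The "Bootstrapping" section documents that `/bootstrap/creds` accepts an access key, secret key and session token over POST, and the intro says the administrative service on port 8998 is bound on all interfaces, but nothing states whether that endpoint is authenticated; the README should either describe the access control or tell operators to restrict port 8998 to localhost or trusted hosts, because the existing *Note* only warns about exposing the metadata address, not the admin port that receives the bootstrap credentials. Minor spelling: "boostrap" should be "bootstrap", "reqeuest" should be "request", and "Many of these feature" should be "Many of these features".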