annotate mod_aws_profile/README.markdown @ 5256:44f7edd4f845

mod_http_oauth2: Reject non-local hosts in more code paths We're not issuing tokens for users on remote hosts, we can't even authenticate them since they're remote. Thus the host is always the local module.host so no need to pass around the host in most cases or use it for anything but enforcing the same host.
author Kim Alvefur <zash@zash.se>
date Thu, 16 Mar 2023 17:52:10 +0100
parents 1d719d4ef18f
children
rev   line source
3698
1d719d4ef18f mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
# Introduction

This module adds support for reading AWS IAM access credentials from EC2 instance metadata,
to allow Prosody modules to gain role-based access to AWS services.

# Configuring

``` {.lua}
modules_enabled = {
	"aws_profile";
}
```

There is no other configuration.

# Usage in other modules

Other modules can import the credentials as a shared table:

``` {.lua}
local aws_credentials = module:shared("/*/aws_profile/credentials");
do_something(aws_credentials.access_key, aws_credentials.secret_key);
```

Note that credentials are time-limited, and will change periodically. The
shared table will automatically be updated. If you need to know when this
happens, you can also hook the `'aws_profile/credentials-refreshed'` event:

``` {.lua}
module:hook_global("aws_profile/credentials-refreshed", function (new_credentials)
	-- do something with new_credentials.access_key/secret_key
end);
```
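
Because the credentials rotate, a consuming module should read them from the shared table at the moment of use and drop anything derived from them when the refresh event fires. The sketch below is an added example, not code from mod_aws_profile; the file name, `get_client` and the caller-supplied `build` function are hypothetical, and it assumes the shared table may still be empty before the first metadata fetch.

```lua
-- mod_example_aws_consumer.lua (hypothetical module name, added example).
-- Assumes mod_aws_profile is enabled and fills access_key/secret_key
-- in the shared table, as described in the README.

local aws_credentials = module:shared("/*/aws_profile/credentials");

-- Anti-pattern (left commented out): copying the fields once at load time
-- pins this module to keys that stop working after the next rotation.
-- local access_key, secret_key = aws_credentials.access_key, aws_credentials.secret_key;

-- Anything built from the keys (a signer, an API client) is cached here
-- and thrown away whenever the credentials are refreshed.
local client = nil;

-- build(access_key, secret_key) is supplied by the caller (hypothetical)
-- and returns whatever object performs the signed AWS requests.
local function get_client(build)
	if client then
		return client;
	end
	-- Read the keys at the moment of use, never earlier.
	local access_key = aws_credentials.access_key;
	local secret_key = aws_credentials.secret_key;
	if not (access_key and secret_key) then
		-- Assumption: the table can be unpopulated until the first fetch.
		module:log("warn", "AWS credentials not available yet, skipping request");
		return nil;
	end
	client = build(access_key, secret_key);
	return client;
end

module:hook_global("aws_profile/credentials-refreshed", function (new_credentials)
	-- Force the next get_client() call to rebuild from the rotated keys.
	client = nil;
	-- Log the rotation itself, never the key material.
	module:log("debug", "AWS credentials rotated, cached client discarded");
end);
```

Handlers in the same module call `get_client(build)` for each request, so a rotation takes effect on the next request without a reload.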

# Compatibility

Meant for use with Prosody 0.11.x, may work in older versions.