Mercurial > prosody-modules
annotate mod_aws_profile/mod_aws_profile.lua @ 4203:c4002aae4ad3
mod_s2s_keepalive: Use timestamp as iq @id
RFC 6120 implies that the id attribute must be unique within a stream.
This should fix problems with remote servers that enforce uniqueness and
don't answer duplicated ids.
If it doesn't do that, then at least you can get a guesstimate at
round-trip time from the difference between the result iq stanza and the
timestamp it was logged without having to go look for when it was sent,
or needing to keep state.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Wed, 14 Oct 2020 18:02:10 +0200 |
| parents | 1d719d4ef18f |
| children | 616c0459aca7 |
| rev | line source |
|---|---|
|
3698
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
1 local http = require "net.http"; |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
2 local json = require "util.json"; |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
3 local parse_timestamp = require "util.datetime".parse; |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
4 |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
5 module:set_global(); |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
6 |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
7 local current_credentials = module:shared("/*/aws_profile/credentials"); |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
8 |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
9 local function get_role_credentials(role_name, cb) |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
10 http.request("http://169.254.169.254/latest/meta-data/iam/security-credentials/"..role_name, nil, function (credentials_json) |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
11 local credentials = credentials_json and json.decode(credentials_json); |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
12 if not credentials or not (credentials.AccessKeyId and credentials.SecretAccessKey) then |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
13 module:log("warn", "Failed to fetch credentials for %q", role_name); |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
14 cb(nil); |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
15 return; |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
16 end |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
17 local expiry = parse_timestamp(credentials.Expiration); |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
18 local ttl = os.difftime(expiry, os.time()); |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
19 cb({ |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
20 access_key = credentials.AccessKeyId; |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
21 secret_key = credentials.SecretAccessKey; |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
22 ttl = ttl; |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
23 expiry = expiry; |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
24 }); |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
25 end); |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
26 end |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
27 |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
28 local function get_credentials(cb) |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
29 http.request("http://169.254.169.254/latest/meta-data/iam/security-credentials", nil, function (role_name) |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
30 role_name = role_name and role_name:match("%S+"); |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
31 if not role_name then |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
32 module:log("warn", "Unable to discover role name"); |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
33 cb(nil); |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
34 return; |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
35 end |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
36 get_role_credentials(role_name, cb); |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
37 end); |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
38 end |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
39 |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
40 function refresh_credentials(force) |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
41 if not force and current_credentials.expiry and current_credentials.expiry - os.time() > 300 then |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
42 return; |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
43 end |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
44 get_credentials(function (credentials) |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
45 if not credentials then |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
46 module:log("warn", "Failed to refresh credentials!"); |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
47 return; |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
48 end |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
49 current_credentials.access_key = credentials.access_key; |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
50 current_credentials.secret_key = credentials.secret_key; |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
51 current_credentials.expiry = credentials.expiry; |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
52 module:timer(credentials.ttl or 240, refresh_credentials); |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
53 module:fire_event("aws_profile/credentials-refreshed", current_credentials); |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
54 end); |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
55 end |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
56 |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
57 function module.load() |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
58 refresh_credentials(true); |
|
1d719d4ef18f
mod_aws_profile: New module for role-based access to AWS APIs
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
59 end |