Merge pull request #11 from soemeier/master

mqasimsarfraz · web-flow · commit 2fad57ee2d6f · 2020-06-15T10:27:40.000+02:00
Allow to use aws ec2 roles for authentication
diff --git a/README.md b/README.md
@@ -18,8 +18,9 @@ The proxy is packaged in a docker container and can be configured with following
 | Environment Variable                | Description                                    | Status                            | Default    |
 | :---------------------------------: | :--------------------------------------------: | :-------------------------------: | :--------: |
 | `AWS_REGION`                        | AWS Region for AWS ECR                         | Required                          |            |
-| `AWS_ACCESS_KEY_ID`                 | AWS Account Access Key ID                      | Required                          |            |
-| `AWS_SECRET_ACCESS_KEY`             | AWS Account Secret Access Key                  | Required                          |            |
+| `AWS_ACCESS_KEY_ID`                 | AWS Account Access Key ID                      | Optional                          |            |
+| `AWS_SECRET_ACCESS_KEY`             | AWS Account Secret Access Key                  | Optional                          |            |
+| `AWS_USE_EC2_ROLE_FOR_AUTH`                  | Set this to true if we do want to use aws roles for authentication instead of providing the secret and access keys explicitly | Optional                          |            |
 | `UPSTREAM`                          | URL for AWS ECR                                | Required                          |            |
 | `RESOLVER`                          | DNS server to be used by proxy                 | Required                          |            |
 | `PORT`                              | Port on which proxy listens                    | Required                          |            |
diff --git a/files/startup.sh b/files/startup.sh
@@ -23,9 +23,11 @@ if [ -z "$AWS_REGION" ] ; then
   exit 1
 fi
 
-if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
-  echo "AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY not set."
-  exit 1
+if [ -z "$AWS_USE_EC2_ROLE_FOR_AUTH" ] || [ "$AWS_USE_EC2_ROLE_FOR_AUTH" != "true" ]; then
+  if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
+    echo "AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY not set."
+    exit 1
+  fi
 fi
 
 UPSTREAM_WITHOUT_PORT=$( echo ${UPSTREAM} | sed -r "s/.*:\/\/(.*):.*/\1/g")
@@ -64,9 +66,12 @@ AWS_FOLDER='/root/.aws'
 mkdir -p ${AWS_FOLDER}
 echo "[default]" > ${AWS_FOLDER}/config
 echo "region = $AWS_REGION" >> ${AWS_FOLDER}/config
-echo "[default]" > ${AWS_FOLDER}/credentials
-echo "aws_access_key_id=$AWS_ACCESS_KEY_ID" >> ${AWS_FOLDER}/credentials
-echo "aws_secret_access_key=$AWS_SECRET_ACCESS_KEY" >> ${AWS_FOLDER}/credentials
+
+if [ -z "$AWS_USE_EC2_ROLE_FOR_AUTH" ] || [ "$AWS_USE_EC2_ROLE_FOR_AUTH" != "true" ]; then
+  echo "[default]" > ${AWS_FOLDER}/credentials
+  echo "aws_access_key_id=$AWS_ACCESS_KEY_ID" >> ${AWS_FOLDER}/credentials
+  echo "aws_secret_access_key=$AWS_SECRET_ACCESS_KEY" >> ${AWS_FOLDER}/credentials
+fi
 chmod 600 -R ${AWS_FOLDER}
 
 # add the auth token in default.conf
