Based on slimm609/mock-instance-profile and information from amazon-ec2-metadata-mock.

Using this you can build a minimal Alpine container that acts as an EC2 metadata (IMDS) mock server and serves real credentials for a given role. The container can then be used in a docker-compose stack as the EC2 metadata server for any container you set up on a custom network.
This will be a role used as an EC2 instance profile. Edit the role (or do this while creating it) and specify a trust relationship for a principal (usually your IAM account).

An example trust policy for the role my-example-ec2-role:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com",
        "AWS": "arn:aws:iam::MY_AWS_ACCOUNT:user/MY_IAM_USER"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
You can add this as an inline permission directly or create a new policy. Create a permission/policy that grants sts:AssumeRole to the same IAM account/principal you specified in the step above, naming the Role you created above as the resource. Attach the policy to your account.

Example:
```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::MY_AWS_ACCOUNT:role/my-example-ec2-role"
  }
}
```
You will need to supply two pieces of information:

- **Role ARN** -- the ARN of the Role you created above
- A method of supplying credentials to the ec2-metadata container through the default credential chain, so that the mock service can generate usable credentials.
  - The example below assumes you will use an IAM account key/secret passed through environment variables:
```yaml
version: '3.7'
services:
  app:
    image: MY_APP_IMAGE
    networks:
      credentials_network:
        ipv4_address: "169.254.169.2"
      default:
  ec2Meta:
    image: ec2-meta-test
    build: 'https://github.com/Fulfillment-dot-com/mock-instance-profile.git'
    networks:
      credentials_network:
        # Special IP address is recognized by the AWS SDKs and AWS CLI
        ipv4_address: "169.254.169.254"
    environment:
      # The role ARN to generate credentials for
      PROFILE_ARN: "arn:aws:iam::MY_AWS_ACCOUNT:role/my-example-ec2-role"
      # Your IAM Account key
      AWS_ACCESS_KEY_ID: MY_KEY
      # Your IAM account secret
      AWS_SECRET_ACCESS_KEY: MY_SECRET
networks:
  default:
    name: myDefaultNetwork
  credentials_network:
    driver: bridge
    ipam:
      config:
        - subnet: "169.254.169.0/24"
          gateway: 169.254.169.1
```
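As an added example (not the project's own code), this shows the translation a mock like this has to perform: the STS AssumeRole result for PROFILE_ARN is reshaped into the credential document the AWS SDKs fetch from `http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>`, plus the check for when the mock must re-assume the role before the SDKs see an expired document. The STS response below is a constructed sample; a real mock would obtain it from `boto3.client("sts").assume_role(...)` using the key/secret passed through the environment.

```python
"""Reshape an STS AssumeRole response into the IMDS credential document.
Standard library only; the sample response is constructed, not real."""
import json
from datetime import datetime, timedelta, timezone

IMDS_TIME = "%Y-%m-%dT%H:%M:%SZ"  # timestamp format the SDKs expect from IMDS


def role_name_from_arn(role_arn: str) -> str:
    """The last path segment of the role ARN is the name IMDS lists under
    /latest/meta-data/iam/security-credentials/ (e.g. my-example-ec2-role)."""
    return role_arn.rsplit("/", 1)[-1]


def imds_credentials(assume_role_response: dict) -> dict:
    """Build the document served for the role. SDKs require Code == "Success",
    Type == "AWS-HMAC" and an ISO-8601 Expiration; Token carries the session token."""
    creds = assume_role_response["Credentials"]
    exp = creds["Expiration"]
    if isinstance(exp, datetime):  # boto3 returns a tz-aware datetime here
        exp = exp.astimezone(timezone.utc).strftime(IMDS_TIME)
    return {
        "Code": "Success",
        "LastUpdated": datetime.now(timezone.utc).strftime(IMDS_TIME),
        "Type": "AWS-HMAC",
        "AccessKeyId": creds["AccessKeyId"],
        "SecretAccessKey": creds["SecretAccessKey"],
        "Token": creds["SessionToken"],
        "Expiration": exp,
    }


def needs_refresh(doc: dict, now_iso: str, margin_minutes: int = 5) -> bool:
    """True when the served credentials expire within the margin; the mock
    should call AssumeRole again before then so clients never get stale keys."""
    exp = datetime.strptime(doc["Expiration"], IMDS_TIME)
    now = datetime.strptime(now_iso, IMDS_TIME)
    return exp - now <= timedelta(minutes=margin_minutes)


# Constructed sample; the real values come from sts.assume_role(RoleArn=PROFILE_ARN, ...)
SAMPLE_STS_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID",
        "SecretAccessKey": "example-secret",
        "SessionToken": "example-session-token",
        "Expiration": datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc),
    },
}

if __name__ == "__main__":
    print(role_name_from_arn("arn:aws:iam::123456789012:role/my-example-ec2-role"))
    print(json.dumps(imds_credentials(SAMPLE_STS_RESPONSE), indent=2))
```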