mirror of
https://github.com/prometheus/prometheus.git
synced 2024-12-25 21:54:10 -08:00
Feature: Allow getting credentials via EC2 role (#3343)
* Allow getting credentials via EC2 role This is subtly different than the existing `role_arn` solution, which allows Prometheus to assume an IAM role given some set of credentials already in-scope. With EC2 roles, one specifies the role at instance launch time (via an instance profile.) The instance then exposes temporary credentials via its metadata. The AWS Go SDK exposes a credential provider that polls the [instance metadata endpoint][1] already, so we can simply use that and it will take care of renewing the credentials when they expire. Without this, if this is being used inside EC2, it is difficult to cleanly allow the use of STS credentials. One has to set up a proxy role that can assume the role you really want, and launch the EC2 instance with the proxy role. This isn't very clean, and also doesn't seem to be [supported very well][2]. [1]: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html [2]: https://github.com/aws/aws-cli/issues/1390 * Automatically try to detect EC2 role credentials The `Available()` function exposed on ec2metadata returns a simple true/false if the ec2 metadata is available. This is the best way to know if we're actually running in EC2 (which is the only valid use-case for this credential provider.) This allows this to "just work" if you are using EC2 instance roles.
This commit is contained in:
parent
099df0c5f0
commit
808f79f00a
|
@ -22,7 +22,9 @@ import (
|
|||
|
||||
"github.com/aws/aws-sdk-go/aws"
|
||||
"github.com/aws/aws-sdk-go/aws/credentials"
|
||||
"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
|
||||
"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
|
||||
"github.com/aws/aws-sdk-go/aws/ec2metadata"
|
||||
"github.com/aws/aws-sdk-go/aws/session"
|
||||
"github.com/go-kit/kit/log"
|
||||
"github.com/go-kit/kit/log/level"
|
||||
|
@ -137,6 +139,16 @@ func (d *Discovery) Run(ctx context.Context, ch chan<- []*config.TargetGroup) {
|
|||
}
|
||||
}
|
||||
|
||||
func (d *Discovery) ec2MetadataAvailable(sess *session.Session) (isAvailable bool) {
|
||||
svc := ec2metadata.New(sess, &aws.Config{
|
||||
MaxRetries: aws.Int(0),
|
||||
})
|
||||
|
||||
isAvailable = svc.Available()
|
||||
|
||||
return isAvailable
|
||||
}
|
||||
|
||||
func (d *Discovery) refresh() (tg *config.TargetGroup, err error) {
|
||||
t0 := time.Now()
|
||||
defer func() {
|
||||
|
@ -159,7 +171,12 @@ func (d *Discovery) refresh() (tg *config.TargetGroup, err error) {
|
|||
creds := stscreds.NewCredentials(sess, d.roleARN)
|
||||
ec2s = ec2.New(sess, &aws.Config{Credentials: creds})
|
||||
} else {
|
||||
ec2s = ec2.New(sess)
|
||||
if d.aws.Credentials == nil && d.ec2MetadataAvailable(sess) {
|
||||
creds := ec2rolecreds.NewCredentials(sess)
|
||||
ec2s = ec2.New(sess, &aws.Config{Credentials: creds})
|
||||
} else {
|
||||
ec2s = ec2.New(sess)
|
||||
}
|
||||
}
|
||||
tg = &config.TargetGroup{
|
||||
Source: *d.aws.Region,
|
||||
|
|
Loading…
Reference in a new issue