mirror of https://github.com/zulip/zulip.git
43 lines
1.5 KiB
Bash
43 lines
1.5 KiB
Bash
#!/usr/bin/env bash
|
|
|
|
# This uses AWS IAM Roles Anywhere[1] to acquire the NonAWSInstance
|
|
# role for the whole server. It does this by having configured the
|
|
# Teleport CA to be a "trust anchor," allowing the Teleport host
|
|
# certificate to be used for authentication; the NonAWSInstance role
|
|
# itself has a trust relationship which lists the CA as sufficient to
|
|
# authorize for the role.
|
|
#
|
|
# [1]: https://docs.aws.amazon.com/rolesanywhere/latest/userguide
|
|
|
|
set -eu
|
|
|
|
# Check if we have cached credentials; they're good for 60 minutes, so
|
|
# check within 55min.
|
|
cache="/etc/aws-credential-cache.json"
|
|
if [ -s "$cache" ] && [ "$(find "$cache" -mmin -55)" ]; then
|
|
cat "$cache"
|
|
exit 0
|
|
fi
|
|
|
|
# Extract the current host cert and key from the Teleport database.
|
|
# These are nominally static for the lifetime of the host, but there's
|
|
# little reason to not refresh them on every run, in case they get
|
|
# rotated.
|
|
|
|
teleport_json=$(
|
|
sqlite3 /var/lib/teleport/proc/sqlite.db "select value from kv where key = '/ids/node/current'"
|
|
)
|
|
|
|
# $teleport_json is a secret (it has the host key) so extract it
|
|
# carefully (i.e. not using `echo $teleport_json"`")
|
|
jq -r .spec.tls_cert <<<"$teleport_json" | base64 -d >/var/lib/teleport/host.crt
|
|
jq -r .spec.key <<<"$teleport_json" | base64 -d >/var/lib/teleport/host.key
|
|
|
|
# Write the cache out
|
|
/srv/zulip-aws-tools/bin/aws_signing_helper credential-process \
|
|
--certificate /var/lib/teleport/host.crt \
|
|
--private-key /var/lib/teleport/host.key \
|
|
"$@" >"$cache"
|
|
|
|
cat "$cache"
|