From b3603a00685f9dec9821955b5958df408879173f Mon Sep 17 00:00:00 2001
From: Shu Suzuki
Date: Mon, 1 Sep 2025 15:49:51 +0900
Subject: [PATCH] Add aws-profile opt
---
 README.md | 15 +++++++++++++++
 aws-es-proxy.go | 30 ++++++++++++++++++++++++++----
 2 files changed, 41 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 8e09bf53..f3783305 100644
--- a/README.md
+++ b/README.md
@@ -64,6 +64,12 @@ export AWS_ACCESS_KEY_ID=AKID1234567890
 export AWS_SECRET_ACCESS_KEY=MY-SECRET-KEY
 ```
+You can also use AWS profiles to manage multiple sets of credentials. Specify the profile using the `-aws-profile` flag:
+
+```sh
+./aws-es-proxy -aws-profile myprofile -endpoint https://my-es-domain.region.es.amazonaws.com
+```
+
 **aws-es-proxy** also supports `IAM roles`. To use IAM roles, you need to modify your Amazon Elasticsearch access policy to allow access from that role. Below is an Amazon Elasticsearch `access policy` example allowing access from any EC2 instance with an IAM role called `ec2-aws-elasticsearch`.
 ```json
@@ -100,6 +106,13 @@ export ENDPOINT=https://test-es-somerandomvalue.eu-west-1.es.amazonaws.com
 Listening on 10.0.0.1:9200
 ```
+Using a specific AWS profile:
+
+```sh
+./aws-es-proxy -aws-profile production -endpoint https://test-es-somerandomvalue.eu-west-1.es.amazonaws.com
+Listening on 127.0.0.1:9200
+```
+
 *aws-es-proxy* listens on 127.0.0.1:9200 if no additional argument is provided. You can change the IP and Port passing the argument `-listen`
 ```sh
@@ -136,6 +149,8 @@ Usage of ./aws-es-proxy:
 Log user requests and ElasticSearch responses to files
 -no-sign-reqs
 Disable AWS Signature v4
+ -aws-profile string
+ AWS credential profile name to use
 -password string
 HTTP Basic Auth Password
 -pretty
diff --git a/aws-es-proxy.go b/aws-es-proxy.go
index ae5651cc..c3021a45 100644
--- a/aws-es-proxy.go
+++ b/aws-es-proxy.go
@@ -90,6 +90,7 @@ type proxy struct {
 realm string
 remoteTerminate bool
 assumeRole string
+ profile string
 }
 func newProxy(args ...interface{}) *proxy {
@@ -122,6 +123,7 @@ func newProxy(args ...interface{}) *proxy {
 realm: args[9].(string),
 remoteTerminate: args[10].(bool),
 assumeRole: args[11].(string),
+ profile: args[12].(string),
 }
 }
@@ -198,12 +200,25 @@ func (p *proxy) parseEndpoint() error {
 func (p *proxy) getSigner() *v4.Signer {
 // Refresh credentials after expiration. Required for STS
 if p.credentials == nil {
- sess, err := session.NewSession(
- &aws.Config{
+ // Set profile if specified
+ if p.profile != "" {
+ logrus.Infof("Using AWS profile: %s", p.profile)
+ }
+
+ sessOptions := session.Options{
+ Config: aws.Config{
 Region: aws.String(p.region),
 CredentialsChainVerboseErrors: aws.Bool(true),
 },
- )
+ SharedConfigState: session.SharedConfigEnable,
+ }
+
+ // Set profile if specified
+ if p.profile != "" {
+ sessOptions.Profile = p.profile
+ }
+
+ sess, err := session.NewSessionWithOptions(sessOptions)
 if err != nil {
 logrus.Debugln(err)
 }
@@ -223,7 +238,11 @@ func (p *proxy) getSigner() *v4.Signer {
 provider.MaxJitterFrac = 0.1
 })
 } else {
- logrus.Infoln("Using default credentials")
+ if p.profile != "" {
+ logrus.Infof("Using credentials from AWS profile: %s", p.profile)
+ } else {
+ logrus.Infoln("Using default credentials")
+ }
 creds = sess.Config.Credentials
 }
@@ -485,6 +504,7 @@ func main() {
 timeout int
 remoteTerminate bool
 assumeRole string
+ profile string
 )
 flag.StringVar(&endpoint, "endpoint", "", "Amazon ElasticSearch Endpoint (e.g: https://dummy-host.eu-west-1.es.amazonaws.com)")
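Review bot: `SharedConfigState: session.SharedConfigEnable` in the getSigner hunk (@@ -198) is set unconditionally, so deployments that never pass `-aws-profile` also start loading the shared config file. As I read the aws-sdk-go v1 session options, that can change which identity signs requests, since a default profile carrying `role_arn`/`source_profile` or `credential_process` would now be honoured. Unless that is intended, scope it to the opt-in path inside the existing guard: `if p.profile != "" { sessOptions.Profile = p.profile; sessOptions.SharedConfigState = session.SharedConfigEnable }`, and state in the README which files the flag reads. The two `if p.profile != ""` blocks in this hunk can then be merged into one; getSigner's body continues outside the hunk.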
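Review bot: The new `Using credentials from AWS profile` message in the @@ -223 hunk is logged, and `sess.Config.Credentials` is read, even when session creation failed, because the context lines of the previous hunk only do `logrus.Debugln(err)` and carry on. With a user-supplied profile name a typo becomes a likely failure, and if `NewSessionWithOptions` returns a nil session on error (it appears to in aws-sdk-go v1) this branch panics, or at best the operator sees a success message with no hint of the real cause. Surface the error at a visible level and stop before `sess` is used, e.g. `logrus.Errorf("creating AWS session (profile %q): %v", p.profile, err)` followed by an early return; getSigner's callers are outside the hunk and would need to handle a nil signer.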
@@ -502,6 +522,7 @@ func main() {
 flag.StringVar(&realm, "realm", "", "Authentication Required")
 flag.BoolVar(&remoteTerminate, "remote-terminate", false, "Allow HTTP remote termination")
 flag.StringVar(&assumeRole, "assume", "", "Optionally specify role to assume")
+ flag.StringVar(&profile, "aws-profile", "", "AWS credential profile name to use")
 flag.Parse()
 if endpoint == "" {
@@ -549,6 +570,7 @@ func main() {
 realm,
 remoteTerminate,
 assumeRole,
+ profile,
 )
 if err = p.parseEndpoint(); err != nil {