diff --git a/doc/01-Installation-and-Configuration.md b/doc/01-Installation-and-Configuration.md index 961a87a..075b70b 100644 --- a/doc/01-Installation-and-Configuration.md +++ b/doc/01-Installation-and-Configuration.md @@ -24,10 +24,17 @@ Next please download and extract the [latest v2](https://github.com/aws/aws-sdk- the AWS PHP SDK [releases](https://github.com/aws/aws-sdk-php/releases) page. You need to extract the AWS PHP SDK v2 to `library/vendor/aws`. +AWS IAM role credentials +------------------------ + +If you run Icinga Web on AWS you can use IAM roles to allow access. This is the +default and there is nothing to configure. Select IAM role and configure access +in AWS itself. + AWS key configuration --------------------- -The last required step is to provide at least one AWS access key in `keys.ini`. +If you want to use access keys you need to have at least one key in `keys.ini`. Create a file `/etc/icingaweb2/modules/aws/keys.ini` as follows: ```ini diff --git a/doc/02-Usage.md b/doc/02-Usage.md index f18a532..c8c2fa2 100644 --- a/doc/02-Usage.md +++ b/doc/02-Usage.md @@ -42,11 +42,12 @@ You can choose your AWS region from a dropdown: ![AWS import source region](img/03_aws_import_region.png) -It is also necessary to choose one of your AWS keys: +It is also necessary to choose your preferred access method: ![AWS import source key](img/04_aws_import_source_key.png) -In case this list is empty, please check back to the [Installation and Configuration](01-Installation-and-Configuration.md) +In case you need a key and this list is empty, please check back to the +[Installation and Configuration](01-Installation-and-Configuration.md) section. Now you are ready to preview and/or run your first import. Don't worry, nothing bad will happen. An Import run just imports plain data from your import source, it won't touch any of your hosts or services in your 
diff --git a/doc/img/02_aws_import_source_basics.png b/doc/img/02_aws_import_source_basics.png index 52c7631..da8df1f 100644 Binary files a/doc/img/02_aws_import_source_basics.png and b/doc/img/02_aws_import_source_basics.png differ diff --git a/doc/img/03_aws_import_region.png b/doc/img/03_aws_import_region.png index ec0f09f..6ab403a 100644 Binary files a/doc/img/03_aws_import_region.png and b/doc/img/03_aws_import_region.png differ diff --git a/doc/img/04_aws_import_source_key.png b/doc/img/04_aws_import_source_key.png index 7ad809e..f1c3a10 100644 Binary files a/doc/img/04_aws_import_source_key.png and b/doc/img/04_aws_import_source_key.png differ diff --git a/library/Aws/AwsClient.php b/library/Aws/AwsClient.php index 72b3c5f..2cd0183 100644 --- a/library/Aws/AwsClient.php +++ b/library/Aws/AwsClient.php @@ -3,6 +3,8 @@ namespace Icinga\Module\Aws; use Aws\Common\Aws; +use Aws\Common\Credentials\RefreshableInstanceProfileCredentials; +use Aws\Common\Exception\InstanceProfileCredentialsException; use Icinga\Application\Config; class AwsClient @@ -13,7 +15,7 @@ class AwsClient protected $region; - public function __construct(AwsKey $key, $region) + public function __construct(AwsKey $key = null, $region) { $this->region = $region; $this->key = $key; @@ -224,10 +226,13 @@ protected function client() protected function initializeClient() { $params = array( - 'region' => $this->region, - 'credentials' => $this->key->getCredentials(), + 'region' => $this->region ); + if ($this->key instanceof AwsKey) { + $params['credentials'] = $this->key->getCredentials(); + } + $config = Config::module('aws'); if ($proxy = $config->get('network', 'proxy')) { $params['request.options'] = array( diff --git a/library/Aws/AwsKey.php b/library/Aws/AwsKey.php index a9a4bf4..9e4d943 100644 --- a/library/Aws/AwsKey.php +++ b/library/Aws/AwsKey.php 
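Review bot: In the `__construct` hunk of library/Aws/AwsClient.php the new signature `AwsKey $key = null, $region` puts a defaulted parameter in front of a required one, so the default can never be omitted by a caller and newer PHP releases report this form as deprecated. If the module's minimum PHP version allows nullable types, `public function __construct(?AwsKey $key, $region)` states the same thing explicitly. Otherwise a docblock line such as `@param AwsKey|null $key null means no explicit credentials are passed to the SDK` would at least record the intent. The constructor body closes outside the hunk.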
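Review bot: When `$this->key` is null, `initializeClient()` in library/Aws/AwsClient.php omits `credentials` entirely, which leaves the choice of identity to the SDK's default credential lookup instead of pinning it to the instance profile. Depending on the bundled SDK v2 release, that lookup may consult other ambient sources (environment variables, for example) before the instance role, so the "IAM role" label is worth confirming against the SDK in `library/vendor/aws`. The two classes imported in the first hunk of this file, `RefreshableInstanceProfileCredentials` and `InstanceProfileCredentialsException`, are not referenced in any visible hunk, so a host without a role would presumably surface a raw SDK error. I would either use them here (build the instance-profile credentials explicitly and catch the exception with a clear message) or drop the imports, and add a comment such as `// no key: credentials are resolved by the SDK from the host environment`. The function continues past the hunk.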
@@ -59,7 +59,8 @@ public static function listNames() public static function enumKeyNames() { $names = static::listNames(); - return array_combine($names, $names); + $labels = array_map(function ($name) { return $name . ' (Key)'; }, $names); + return array_combine($names, $labels); } protected static function config() diff --git a/library/Aws/ProvidedHook/Director/ImportSource.php b/library/Aws/ProvidedHook/Director/ImportSource.php index d4855be..eb47990 100644 --- a/library/Aws/ProvidedHook/Director/ImportSource.php +++ b/library/Aws/ProvidedHook/Director/ImportSource.php @@ -14,10 +14,14 @@ class ImportSource extends ImportSourceHook public function fetchData() { - $client = new AwsClient( - AwsKey::loadByName($this->getSetting('aws_access_key')), - $this->getSetting('aws_region') - ); + $keyName = $this->getSetting('aws_access_key'); + $key = null; + + if ($keyName) { + $key = AwsKey::loadByName($keyName); + } + + $client = new AwsClient($key, $this->getSetting('aws_region')); switch ($this->getObjectType()) { case 'asg': @@ -124,13 +128,15 @@ public static function addSettingsFormFields(QuickForm $form) )); $form->addElement('select', 'aws_access_key', array( - 'label' => 'AWS access key', - 'required' => true, + 'label' => 'AWS access method', + 'required' => false, 'description' => $form->translate( - 'Your AWS key, this shows all keys from your keys.ini. Please' - . ' check the documentation in case this list is empty' + 'Use IAM role credential or select your AWS key. This shows all keys from your keys.ini.' + . ' Please check the documentation if you miss the keys in the list.' ), - 'multiOptions' => $form->optionalEnum(AwsKey::enumKeyNames()), + 'multiOptions' => $form->optionalEnum(AwsKey::enumKeyNames(), $form->translate( + 'IAM role credentials' + )), 'class' => 'autosubmit', ));
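Review bot: The `' (Key)'` suffix added in `AwsKey::enumKeyNames()` is a hard-coded English label, while the labels added in `ImportSource::addSettingsFormFields()` go through `$form->translate()`. The method's meaning also changes here, from name => name to name => display label, so any caller outside this diff that reads the values as key names would now receive the suffixed string. A docblock stating `@return array key name => display label` would make the new contract visible.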
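Review bot: `if ($keyName)` in `ImportSource::fetchData()` is a truthiness test, so a key section named `0` in keys.ini is treated as "no key" and the import silently runs with the host's ambient credentials instead; `if ($keyName !== null && $keyName !== '')` avoids that. More generally, a missing or empty `aws_access_key` setting is now indistinguishable from a deliberate choice of the IAM role, and the select in the `addSettingsFormFields()` hunk makes that empty value the non-required default. An explicit option value for the role, with an empty setting rejected, would keep a lost or never-saved setting from falling through to the instance role; this is hedged, since how Director stores unset select values is not visible here. `fetchData()` continues past the hunk.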