This is a glibc NSS (Name Service Switch) module that answers user and group lookups from the AWS IAM user and group registry.
$ make
produces libnss_awsiam_go.so in the current working directory. Copy it to /lib/x86_64-linux-gnu (the path may vary with your OS configuration) as libnss_awsiam_go.so.2 so that glibc can load it.
Configuration is done through the configuration variable file (/etc/nss_awsiam_go.conf).
For security reasons, this module does not read the shared configuration and credentials files under ~/.aws.
In addition to the default AWS SDK configuration scheme, it supports STS credentials for an assumed role through the following environment variable:
- AWS_STS_ASSUME_ROLE_ARN: the ARN of the assumed (target) IAM role. It differs from AWS_ROLE_ARN in that it can also be used in nested STS contexts.
The querying behavior can be configured through the following special environment variables:
- NSS_AWSIAM_GO_TIMEOUT: the timeout for a query. Defaults to 3 seconds.
- NSS_AWSIAM_GO_DEBUG: takes an integer value; 1 enables error reporting, 2 enables AWS API request debugging.
- NSS_AWSIAM_GO_DEFAULT_SHELL: the default shell for all users.
- NSS_AWSIAM_GO_HOMEDIR_TEMPLATE: the home directory template applied to all users. The placeholders {userName}, {userId}, and {uid} can be used anywhere in the template.
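As an added example (not the module's own code), the following program previews what these settings produce before the module is deployed: it applies the 3-second default for NSS_AWSIAM_GO_TIMEOUT, expands the {userName}, {userId} and {uid} placeholders of NSS_AWSIAM_GO_HOMEDIR_TEMPLATE, and rejects a template whose expansion is not a clean absolute path. The timeout value format (whole seconds), uid==gid, and the use of the IAM user ID as the GECOS field are assumptions of this example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strconv"
	"strings"
	"time"
)

// parseTimeout reads NSS_AWSIAM_GO_TIMEOUT as whole seconds (the value
// format is an assumption) and falls back to the documented 3-second default.
func parseTimeout(raw string) (time.Duration, error) {
	if raw == "" {
		return 3 * time.Second, nil
	}
	secs, err := strconv.Atoi(raw)
	if err != nil || secs <= 0 {
		return 0, fmt.Errorf("invalid NSS_AWSIAM_GO_TIMEOUT %q", raw)
	}
	return time.Duration(secs) * time.Second, nil
}

// expandHomeDir substitutes {userName}, {userId} and {uid}, then accepts
// only a clean absolute path so a template typo cannot hand every user
// a relative or dot-dot home directory.
func expandHomeDir(tmpl, userName, userID string, uid int) (string, error) {
	home := strings.NewReplacer("{userName}", userName, "{userId}", userID,
		"{uid}", strconv.Itoa(uid)).Replace(tmpl)
	if !filepath.IsAbs(home) || filepath.Clean(home) != home {
		return "", fmt.Errorf("unsafe home directory %q", home)
	}
	return home, nil
}

// passwdLine renders the passwd(5) record a lookup hands to glibc
// (uid==gid and the IAM user ID as GECOS are assumptions of this example).
func passwdLine(userName, userID string, uid int, home, shell string) string {
	return fmt.Sprintf("%s:x:%d:%d:%s:%s:%s", userName, uid, uid, userID, home, shell)
}

func main() { // constructed sample user; nothing here talks to AWS
	timeout, _ := parseTimeout("") // unset variable: falls back to 3s
	home, err := expandHomeDir("/home/{userName}-{uid}", "alice", "AIDAEXAMPLE", 10001)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println(timeout, passwdLine("alice", "AIDAEXAMPLE", 10001, home, "/bin/bash"))
}
```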
The IAM role under which the instance (or container) runs must be granted the following IAM permissions:
- iam:GetGroup
- iam:GetGroupsForUser
- iam:GetSSHPublicKey
- iam:GetUser
- iam:ListUser
- iam:ListGroup
Since Go 1.14, the Go runtime uses SIGURG for non-cooperative preemption. This can be troublesome because the hosting application also receives the signal. This module should work without preemption; to disable it, set GODEBUG=asyncpreemptoff=1.
MIT License