@inkblot
inkblot / aws-credentials.sh
Last active November 19, 2023 15:03
Authenticate to vault using IAM instance profile credentials in bash using curl, openssl, and jq
#!/bin/bash
_SELF="${0##*/}"
# Quote each expansion so paths containing spaces are handled correctly.
_HERE="$(dirname "$(realpath "${0}")")"
# Read the instance profile ARN from the EC2 instance metadata service (IMDS).
# This calls the IMDSv1 endpoint with no session token; on an instance that
# enforces IMDSv2, a token from PUT /latest/api/token must be sent in the
# X-aws-ec2-metadata-token header for the request to succeed.
function aws_instance_profile_arn() {
  curl -s http://169.254.169.254/2019-10-01/meta-data/iam/info | jq -r .InstanceProfileArn
}
function aws_instance_profile_name() {
@inkblot
inkblot / parse-url.sh
Created March 29, 2020 02:02
Parse a URL in bash without forking
#!/bin/bash
_SELF="${0##*/}"
# Quote each expansion so paths containing spaces are handled correctly.
_HERE="$(dirname "$(realpath "${0}")")"
function parse_url() {
local url _url __url proto uphp user_pass host_port user pass host port path query_string
url="${1}"
@inkblot
inkblot / better-amazon-ecs-agent-task-roles.md
Last active January 20, 2024 22:17
ECS Task Roles - A Better Way

ECS Task Roles

ECS task roles are a great security feature that is hard to set up.

The Orthodoxy

The Amazon ECS documentation on setting up task roles tells you to do some questionable things. Among other things, it tells you to run the ECS agent with host networking (a security risk), use an iptables rule to cut off traffic from bridged containers to the host metadata (brittle), and set up additional iptables rules and sysctl settings to route 169.254.170.2:80 to the ECS agent on 127.0.0.1:51679 (brittle again).

Some Observations

Keybase proof

I hereby claim:

  • I am inkblot on github.
  • I am nriffe (https://keybase.io/nriffe) on keybase.
  • I have a public key whose fingerprint is 0DAC F5CB D182 3165 D757 C466 CD42 12A8 05A0 58E0

To claim this, I am signing this object: