Home / user-68046

Wren T.'s questions

Martin Hope
Wren T.
Asked: 2014-03-27 15:05:02 +0800 CST
  • 11

I have an IAM role with the following policy attached:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

As you can see, full access is granted.

I use the following python to get the convert the IAM credentials to SMTP credentials:

#!/usr/bin/env python

from __future__ import print_function

import base64
import hashlib
import hmac
import json
import struct
import urllib2

METADATA_BASE = 'http://169.254.169.254/2012-01-12/meta-data'


def main():
    access_key_id, secret_access_key = get_access_creds()
    username, password = get_smtp_creds(access_key_id, secret_access_key)

    print('SMTP Username: %s' % username)
    print('SMTP Password: %s' % password)


def get_access_creds():
    url_handle = urllib2.urlopen('%s/iam/security-credentials' %
                                 (METADATA_BASE,))
    role_name = url_handle.read()
    url_handle.close()

    url_handle = urllib2.urlopen('%s/iam/security-credentials/%s' %
                                 (METADATA_BASE, role_name))
    sec_cred_doc = url_handle.read()
    url_handle.close()

    sec_cred_data = json.loads(sec_cred_doc)
    access_key_id =  buffer(sec_cred_data['AccessKeyId'])
    secret_access_key = buffer(sec_cred_data['SecretAccessKey'])

    return access_key_id, secret_access_key


def get_smtp_creds(access_key_id, secret_access_key):
    message = 'SendRawEmail'
    version = 0x02

    sig= hmac.new(
        secret_access_key,
        msg=message,
        digestmod=hashlib.sha256)
    sig_bytes = sig.digest()
    sig_and_version_bytes = (struct.pack('B', version) + sig_bytes)
    smtp_password = base64.b64encode(sig_and_version_bytes)

    return access_key_id, smtp_password

if __name__ == '__main__':
    main()

When I run this code, some SMTP username and password are output. When I try to send a message with those with say swaks, for example, it fails. Here's an example command line:

swaks -s email-smtp.us-east-1.amazonaws.com --from [email protected] --to [email protected] --auth-user <smtp username from script above> --auth-password <smtp password from script above> --tls

Example.com is, of course, a placeholder. The real domain has been verified on my AWS SES account.

In fact, if I run the same code to convert from an IAM user instead of discovering the role credentials from the meta-data, I can use the username and password to send email just fine.

AFAICT, this just isn't allowed with IAM role credentials, which is lame if it's true. I was planning on generating a Postfix config to allow processes on the box to send mail to localhost and have that routed to the SES service. I was trying to avoid putting IAM user credentials on the servers. However, it looks like there may not be a way to avoid that now.

Any thoughts?

amazon-ses
Martin Hope
Wren T.
Asked: 2013-02-03 14:28:46 +0800 CST
  • 4

I servers that have a shared ethernet port for IPMI and the first NIC. They have 4-1GbE nics. I would like to bond the nics via LACP while still being able to access the IPMI over a tagged vlan only on the first physical port since the IPMI is only shared on the first physical port. I am also considering buying Force10 S50N switches for my rack. However, I am not sure if this setup can be achieved with FTOS.

FTR, I have managed to achieve this setup with two linux virtual machines. I bonded the ethernet devices on each end. Then I added a vlan to one interface of the bonded links and was able to maintain pings and ssh connections through both networks. The machines were connected physically like so:

Mach A     Mach B
eth2<----->eth2
eth3<----->eth3

Here are the commands I used to setup the connections:

On Mach A as root:

# modprobe bonding mode=4          # mode=4 means 802.3ad or LACP bonding
# ip link add bond0 type bond      # start setting up bonded link
# ip link set eth2 master bond0
# ip link set eth3 master bond0
# ip addr add 192.168.90.1/24 dev bond0
# ip link set bond0 up
# ip link add link eth2.1000 name eth2 type vlan id 1000
# ip addr add 192.168.91.1/24 dev eth2.1000
# ip link set eth2 up
# ip link set eth2.1000 up

On Mach B, I just replaced the ip addresses with 192.168.90.2 and 192.168.91.2 for bond0 and eth2.1000 respectively.

I was able to flood ping both simultaneously networks with no packet loss. I was also able to reliable ssh across the machines on both networks while flood pinging.

So, can Force10 switches also be setup this way? If not Force10, are there any switch brands that might work better for me?

linux