Description
I run some workloads outside EC2, but I need each container to have its own set of permissions. The docs are not so clear on how to get that configuration. It is just a matter of using a different instance of iam-docker with its own key pair and port.
This config lets you keep the minimum-permissions principle outside EC2 as well.
It would be nice to have an example showing how to run it on different ports. There is no mention of that possibility in the docs.
$ PORT="40100"
$ INTERFACE="docker0"   # interface the application's traffic arrives on (value assumed; not given in the original)
$ iptables -t nat \
    -I PREROUTING \
    -p tcp \
    -d 169.254.169.254 \
    --dport 80 \
    -j REDIRECT \
    --to-ports "$PORT" \
    -i "$INTERFACE"
$ docker run --name iam_proxy -d \
    -e AWS_ACCESS_KEY_ID=key4role1 \
    -e AWS_SECRET_ACCESS_KEY=secret4role1 \
    -e AWS_DEFAULT_REGION=eu-west-1 \
    --volume /var/run/docker.sock:/var/run/docker.sock \
    --net=host \
    --entrypoint "/iam-docker" \
    swipely/iam-docker:latest --listen-addr ":${PORT}"
Of course, each application requires its own iptables rule.
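The per-application setup described in this issue, carried through for several applications, as an added example (not code from the iam-docker project or from the issue reporter). It assumes things the issue does not state: that containers sit on the docker0 bridge, that each application is identified by its container IP on that bridge (the `-s` match is what keeps one application from reaching another application's proxy), and that the inventory of names, ports, addresses and keys is constructed here purely for illustration.

```shell
#!/bin/sh
# Added example, not from the iam-docker project. One iam-docker instance per
# application, each with its own key pair and listen port, plus one PREROUTING
# rule per application so only that application's container is redirected to
# its proxy. Assumed here: containers are on the docker0 bridge and each
# application is identified by its container IP on that bridge.

IFACE="${IFACE:-docker0}"   # assumed bridge interface carrying container traffic
DRY_RUN="${DRY_RUN:-1}"     # 1 = print the commands only; DRY_RUN=0 executes them

# NAT rule for one application: traffic from $src arriving on $IFACE for the
# metadata address is redirected to the proxy listening on $port.
redirect_rule() {
  src="$1"; port="$2"
  printf 'iptables -t nat -I PREROUTING -i %s -s %s -p tcp -d 169.254.169.254 --dport 80 -j REDIRECT --to-ports %s\n' \
    "$IFACE" "$src" "$port"
}

# docker run command for one proxy instance bound to $port with its own keys.
# The proxy needs --net=host so the REDIRECTed connections reach it.
proxy_cmd() {
  name="$1"; port="$2"; key="$3"; secret="$4"; region="$5"
  printf 'docker run --name %s -d -e AWS_ACCESS_KEY_ID=%s -e AWS_SECRET_ACCESS_KEY=%s -e AWS_DEFAULT_REGION=%s --volume /var/run/docker.sock:/var/run/docker.sock --net=host --entrypoint /iam-docker swipely/iam-docker:latest --listen-addr :%s\n' \
    "$name" "$key" "$secret" "$region" "$port"
}

# Wire up one application: start its proxy, then steer its traffic to it.
# In dry-run mode the two commands are printed; otherwise they are run with sh -e
# so a failed docker run does not leave a dangling redirect rule.
setup_app() {
  name="$1"; port="$2"; src="$3"; key="$4"; secret="$5"; region="$6"
  {
    proxy_cmd "iam_proxy_$name" "$port" "$key" "$secret" "$region"
    redirect_rule "$src" "$port"
  } | if [ "$DRY_RUN" = "1" ]; then cat; else sh -e; fi
}

# Constructed inventory for the demo (name port container_ip key secret region).
# Each key pair belongs to an IAM user that may only assume that application's role.
APPS='
app1 40100 172.17.0.2 key4role1 secret4role1 eu-west-1
app2 40101 172.17.0.3 key4role2 secret4role2 eu-west-1
'
echo "$APPS" | while read -r name port src key secret region; do
  if [ -n "$name" ]; then
    setup_app "$name" "$port" "$src" "$key" "$secret" "$region"
  fi
done
```

Run it once with the default `DRY_RUN=1` to review the generated `docker run` and `iptables` lines, then with `DRY_RUN=0` to apply them. Ports must be distinct per application, since two proxies on one port would simply share a role; and because the rule matches on the source address, a container with no rule of its own gets a failed connection to 169.254.169.254 rather than another application's credentials. Keep in mind that the keys passed via `-e` are visible to anyone who can run `docker inspect` on the host, and that mounting `/var/run/docker.sock` gives each proxy control over the Docker daemon.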