Allow configuration of the HTTP server listen address #68

Open
Description

@Cleptomania

Currently, the agent is hardcoded to bind to the localhost address of 127.0.0.1. Understanding that this is definitely a sane default, and that only functioning on a local interface removes a lot of the security considerations one would need to make in the usage of this tool if it were otherwise, is there a downside to making this configurable?

An example use case that I would want to use this feature for is the following:

Currently, secretsmanager-agent can only be used with ECS clusters that are using self-managed EC2 instances as their capacity, meaning that no services which run on Fargate are able to utilize this tool, since we don't have the ability to control the underlying machines and deploy this to them.

Being able to change the listen address of the HTTP server opens up a possibility where secretsmanager-agent could be deployed as an ECS service itself, running on Fargate. The idea would be to then put a load balancer in front of secretsmanager-agent and let it be accessed by other ECS services over the private network.

Users would need to accept and understand/account for the risks that binding to an interface other than localhost might carry, but it would be nice to have the option.

I've submitted a PR of what this change might look like with #69.
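An added example, not code from the secretsmanager-agent project or from the PR, of the opt-in policy the post describes: the listener keeps the loopback default, accepts any loopback address as-is, and binds to a routable interface only when the operator both configures such an address and explicitly acknowledges it. The type and function names, the `allow_non_loopback` flag and the default port 2773 are assumptions made for this example.

```rust
use std::net::{IpAddr, Ipv4Addr, SocketAddr};

/// Outcome of resolving the configured listen address (hypothetical type).
#[derive(Debug, PartialEq)]
pub enum ListenPolicy {
    /// Bound to a loopback interface: the current, hard-coded behaviour.
    Loopback(SocketAddr),
    /// Bound to a routable interface; the operator explicitly opted in.
    NonLoopback(SocketAddr),
}

/// Reasons a configured address is rejected (hypothetical type).
#[derive(Debug, PartialEq)]
pub enum ListenError {
    /// Value is not a `host:port` socket address.
    Unparseable(String),
    /// A non-loopback address was configured without the opt-in flag.
    NonLoopbackNotAcknowledged(SocketAddr),
}

/// Loopback default; port 2773 is an assumption for this example.
pub fn default_listen_addr() -> SocketAddr {
    SocketAddr::new(IpAddr::V4(Ipv4Addr::LOCALHOST), 2773)
}

/// Resolve the listen address from an optional configured value.
/// `None` keeps the loopback default; a loopback address (IPv4 or IPv6)
/// is accepted as-is; any other address is accepted only when
/// `allow_non_loopback` is set, so widening exposure is always deliberate.
pub fn resolve_listen_addr(
    configured: Option<&str>,
    allow_non_loopback: bool,
) -> Result<ListenPolicy, ListenError> {
    let addr = match configured {
        None => return Ok(ListenPolicy::Loopback(default_listen_addr())),
        Some(raw) => raw
            .trim()
            .parse::<SocketAddr>()
            .map_err(|_| ListenError::Unparseable(raw.to_string()))?,
    };
    if addr.ip().is_loopback() {
        Ok(ListenPolicy::Loopback(addr))
    } else if allow_non_loopback {
        Ok(ListenPolicy::NonLoopback(addr))
    } else {
        Err(ListenError::NonLoopbackNotAcknowledged(addr))
    }
}
```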

Labels: enhancement (New feature or request)