Proxy Sigv4 Plugin
Published on June 8th, 2024
Introduction
The Proxy Sigv4 plugin is essential for securely signing requests to AWS services using the Sigv4 signing process.
This guide explains how to set up and configure the Proxy Sigv4 plugin in your Backstage environment to ensure your requests to AWS services are properly authenticated.
Step 1: Get the Roadie IAM details
Navigate to Administration > Settings > Plugins > Proxy (Sigv4) and make a note of the Roadie backend role ARN and account ID. This is shown in the Role Arn field of the Proxy Sigv4 plugin settings page.
Step 2: Create a federated role in your account for Roadie
Follow the steps here to create the role.
The role needs to follow this naming convention arn:aws:iam::*:role/<your-tenant-name>-roadie-<your-role-name>
where
You’ll need to set a trusted relationship in your new role so that Roadie can assume it, and then attach any permission policy that you need to the role.
Trusted relationships in your new role
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<roadie-account-id>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
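A pre-flight check for the two requirements in this step, written as an added example (not Roadie's code): it validates a role ARN against the naming convention and confirms that the trust policy lets only the Roadie account assume the role. The account IDs, the tenant name `acme` and the role name are constructed sample values, and the function names are hypothetical.

```python
import re

# Constructed sample values; substitute the account ID shown on the plugin settings page.
ROADIE_ACCOUNT_ID = "111122223333"
SAMPLE_ROLE_ARN = "arn:aws:iam::444455556666:role/acme-roadie-s3-reader"
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ROADIE_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {},
    }],
}

def _as_list(value):
    """IAM allows a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def role_name_ok(role_arn, tenant):
    """True if the role ARN matches arn:aws:iam::*:role/<tenant>-roadie-<role-name>."""
    m = re.fullmatch(r"arn:aws:iam::\d{12}:role/(.+)", role_arn)
    prefix = f"{tenant}-roadie-"
    return bool(m) and m.group(1).startswith(prefix) and len(m.group(1)) > len(prefix)

def trust_policy_findings(policy, roadie_account_id):
    """Return problems found; an empty list means only the Roadie account can assume the role."""
    findings, roadie_allowed = [], False
    for stmt in _as_list(policy.get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):  # e.g. "Principal": "*"
            findings.append(f"non-specific principal: {principal!r}")
            continue
        for kind, values in principal.items():
            for p in _as_list(values):
                m = re.fullmatch(r"(?:arn:aws:iam::)?(\d{12})(?::.+)?", p)
                if kind == "AWS" and m and m.group(1) == roadie_account_id:
                    roadie_allowed = True
                else:
                    findings.append(f"unexpected principal {kind}={p}")
    if not roadie_allowed:
        findings.append("Roadie account is not allowed to assume this role")
    return findings
```

Run it against the trust policy document of the role you created before clicking through Step 3; any finding means the policy trusts something other than, or in addition to, the Roadie account.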
Step 3: Configure your Roadie instance to use the new role
On the AWS S3 settings page Administration > Settings > Plugins > Proxy (Sigv4) in Roadie, click Add Item and enter the newly created role ARN, the path you want the proxy to be available on and the target for your AWS resource.
Example: /s3 will be available on https://<your-roadie-url>/api/proxy-sigv4/s3
After the role configuration is done, you can click the ‘Test Role’ button to check whether the integration configuration has succeeded.
Please ensure there is a trusted relationship that allows the created role to be assumed. For more information please visit: Accessing AWS Resources