Time to integrate NewRelic so we may monitor what's going on in the image processor. Not enough to just have logs, but we need metrics too! First up is figuring out how to initialize the library. Again NewRelic really wants you to use their sidecar process which is annoying when the software is intended to be run in multiple environments and configuration is determined at runtime.

Well, I found the NewRelic NodeJS project. The initialization structure is kind of interesting and enforces a single load semantic using the NodeJS loader cache. Based on the API it looks like the configuration object may be attached to require('newrelic').agent.config. Let’s drill down there. Hmm, going back to the agent it looks like I need the license_key field set.

First use of Vault’s IAM profiles

So I went to go test it and found out I never finished the arc of placing the profile into Vault. I’m glad they’ve added the new IAM backend. I’ve tried to configure the backend to include but got * failed updating the unique ID of ARN "arn:aws:iam::<account>:role/service-role": &awserr.requestError{awsError:(*awserr.baseError)(0xc4215d4900), statusCode:403, requestID:"3d5cce1d-a238-11e7-b504-0d497685f38f"}. Appears as though Vault will need some more permission. You can cheat and add resolve_aws_unique_ids=false which worked for me in the short term. I’ll have to pull that before promoting these to production. Worse last words were never spoken :-).

To allow the Vault instances to verify a role, or at least as claimed by the documentation:

resource "aws_iam_role_policy" "vault-iam-authentication" {
    name = "vault-iam-authentication"
    role = "${aws_iam_role.vault-host-role.id}"
    policy = <<CFG
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:GetUser"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
CFG
}
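
With a policy like the one above in place Vault can resolve unique IDs itself, so the resolve_aws_unique_ids=false shortcut should not survive promotion. A pre-promotion check for that, as an added example (not code from this project): it assumes role settings exported with `vault read -format=json auth/aws/role/<name>`, and the role names and account ID in the sample are constructed.

```javascript
'use strict';
// Added example: audit Vault AWS auth (IAM) role settings before promotion.
// Each value is the "data" object of `vault read -format=json auth/aws/role/<name>`.

// bound_iam_principal_arn is a string in older Vault releases and a list in newer ones.
function boundArns(role) {
  const v = role.bound_iam_principal_arn;
  if (v === undefined || v === null || v === '') return [];
  return Array.isArray(v) ? v : [v];
}

function auditRole(name, role) {
  const findings = [];
  if (role.auth_type && role.auth_type !== 'iam') return findings; // ec2-type roles are out of scope
  if (role.resolve_aws_unique_ids === false) {
    // Bound by ARN text only: a principal deleted and recreated under the
    // same name would still match this Vault role.
    findings.push(`${name}: resolve_aws_unique_ids=false (bound by ARN name, not unique ID)`);
  }
  for (const arn of boundArns(role)) {
    // In Vault versions that accept wildcard bindings, unique-ID resolution
    // is ignored for them, so they need a manual review either way.
    if (arn.endsWith('*')) findings.push(`${name}: wildcard binding ${arn} is never resolved to a unique ID`);
  }
  return findings;
}

function auditRoles(roles) {
  return Object.entries(roles).flatMap(([name, role]) => auditRole(name, role));
}

// Constructed sample input: role names and the account ID are placeholders.
const SAMPLE_ROLES = {
  'image-processor': { auth_type: 'iam', resolve_aws_unique_ids: false,
    bound_iam_principal_arn: 'arn:aws:iam::123456789012:role/service-role' },
  'image-processor-prod': { auth_type: 'iam', resolve_aws_unique_ids: true,
    bound_iam_principal_arn: ['arn:aws:iam::123456789012:role/service-role'] },
  'batch-workers': { auth_type: 'iam', resolve_aws_unique_ids: true,
    bound_iam_principal_arn: ['arn:aws:iam::123456789012:role/batch-*'] },
};

const sampleFindings = auditRoles(SAMPLE_ROLES);
sampleFindings.forEach((f) => console.log('FAIL ' + f));
// Pass --enforce in a pipeline to turn any finding into a non-zero exit.
if (process.argv.includes('--enforce') && sampleFindings.length > 0) process.exitCode = 1;
```
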

I’m hoping this works out of the box. Well, the IAM integration is untested, however I did discover a flaw in my IAM client code. I neglected to notice the Vault Node module uses a single function to construct the client and captures the config.requestOptions. I’ve removed it in hopes of it working. We’ll check it out tomorrow.