feat(iam auth): allow iam roles anywhere auth profile #3591

Merged
merged 43 commits into from
Nov 14, 2024
Changes from 1 commit
5bd981c
feat(iam auth): allow iam roles anywhere auth profile
sicoyle Nov 4, 2024
45db3a1
fix(build): update more aws components
sicoyle Nov 4, 2024
58bbeaa
fix(metadata): add endpoint field to options
sicoyle Nov 4, 2024
e9493ae
style: update descriptions on new fields
sicoyle Nov 4, 2024
bff9b16
fix: acct for nil check
sicoyle Nov 4, 2024
fd30089
style: make linter happy
sicoyle Nov 4, 2024
f712b69
style: more linter fixes
sicoyle Nov 4, 2024
78cf670
style: final linter tweaks
sicoyle Nov 4, 2024
8aec6a5
fix(session): apply auto refresh to s3
sicoyle Nov 6, 2024
3a5c8bf
style: mv x509 auth around
sicoyle Nov 6, 2024
43ba1e3
refactor: overhaul + interfaces for cleanliness + tests + update comps
sicoyle Nov 11, 2024
423e993
fix: address initial feedback and fix tests
sicoyle Nov 12, 2024
b228e39
test: add tests and make things more testable
sicoyle Nov 12, 2024
b69e83c
Merge branch 'main' into feat-iam-rolesanywhere-auth
sicoyle Nov 12, 2024
4b1ad20
style: make linter happy
sicoyle Nov 12, 2024
ce94dfe
style: clean up logs
sicoyle Nov 12, 2024
30de3db
style: more linter things and adjust for mocking client
sicoyle Nov 12, 2024
f8e3567
fix: make 1 hr default timeout
sicoyle Nov 12, 2024
3e6a471
fix: update more tests
sicoyle Nov 12, 2024
bb22450
fix: address final feedback
sicoyle Nov 12, 2024
5a17558
fix(conformance): try to inject mocked creds for session
sicoyle Nov 12, 2024
72fe803
style: make linter happy
sicoyle Nov 13, 2024
d4f23ba
fix: go back on conformance test changes
sicoyle Nov 13, 2024
67ed5ec
fix: try this for conformance
sicoyle Nov 13, 2024
f80c594
fix: try another tweak for secretmanager
sicoyle Nov 13, 2024
29ae9f0
fix(test): fix dynamo unit test
sicoyle Nov 13, 2024
a9ce95e
fix(snssqs): see if this fixes snssqs conformance
sicoyle Nov 13, 2024
4f8c154
fix: this is what i need for conformance :)
sicoyle Nov 13, 2024
7749826
fix: update cfgs for aws
sicoyle Nov 13, 2024
690b3ec
fix(test): update for unit test
sicoyle Nov 13, 2024
a42e742
fix(cfg): leverage opts in cfgs for aws
sicoyle Nov 13, 2024
b5e1d97
fix: minor tweaks
sicoyle Nov 13, 2024
9e9d086
Merge branch 'main' into feat-iam-rolesanywhere-auth
sicoyle Nov 13, 2024
923ee94
style: final tweaks
sicoyle Nov 13, 2024
d8af3c0
Merge branch 'feat-iam-rolesanywhere-auth' of github.com:sicoyle/comp…
sicoyle Nov 13, 2024
37021c5
fix: update default to be one hour with timeout
sicoyle Nov 13, 2024
b081bfe
style: session duration can default to 1h so not required
sicoyle Nov 13, 2024
6263e19
Update builtin-authentication-profiles.yaml
sicoyle Nov 13, 2024
e6f7699
fix: address final feedback
sicoyle Nov 14, 2024
3d4da39
fix: address final feedback
sicoyle Nov 14, 2024
a300a8c
style: make linter happy
sicoyle Nov 14, 2024
0b80a39
fix: allow for mocked clients without exported field
sicoyle Nov 14, 2024
cde5a10
fix: add one last closer
sicoyle Nov 14, 2024
18 changes: 18 additions & 0 deletions .build-tools/builtin-authentication-profiles.yaml
Expand Up @@ -29,6 +29,24 @@ aws:
type: string
- title: "AWS: Credentials from Environment Variables"
description: Use AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY from the environment
- title: "AWS: IAM Roles Anywhere"
description: Use x.509 certificates to establish trust between AWS and a trusted Certificate Authority using AWS IAM Roles Anywhere.
metadata:
- name: trustAnchorArn
description: |
ARN of the AWS Trust Anchor in the AWS account granting trust to a Certificate Authority.
example: arn:aws:rolesanywhere:us-west-1:012345678910:trust-anchor/01234568-0123-0123-0123-012345678901
required: true
- name: trustProfileArn
description: |
ARN of the AWS IAM Profile in the trusting AWS account.
example: arn:aws:rolesanywhere:us-west-1:012345678910:profile/01234568-0123-0123-0123-012345678901
required: true
- name: assumeRoleArn
description: |
ARN of the AWS IAM role to assume in the trusting AWS account.
example: arn:aws:iam:012345678910:role/exampleIAMRoleName
required: true

azuread:
- title: "Azure AD: Managed identity"
Expand Down
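Review bot: The `assumeRoleArn` example is not a well-formed IAM ARN: IAM is a global service whose ARN carries an empty region field, so it should read `arn:aws:iam::012345678910:role/exampleIAMRoleName` (double colon), otherwise users copying the example will get an ARN the API rejects. The profile description says x.509 certificates are used, but none of the three new fields carries a certificate or private key, so the description should say where they come from, e.g. `The certificate and private key presented to Roles Anywhere come from the runtime's own identity, not from these fields` if that is the intent, or the corresponding fields should be added here. It would also help operators to note that any certificate chaining to the trust anchor's CA can obtain the role unless the role's trust policy conditions on certificate attributes, and that the session duration is not configurable from this profile as shown (a later commit in this PR appears to add a one-hour default, which the docs should state once it lands).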
28 changes: 15 additions & 13 deletions bindings/aws/dynamodb/dynamodb.go
Expand Up @@ -51,18 +51,30 @@ func NewDynamoDB(logger logger.Logger) bindings.OutputBinding {
}

// Init performs connection parsing for DynamoDB.
func (d *DynamoDB) Init(_ context.Context, metadata bindings.Metadata) error {
func (d *DynamoDB) Init(ctx context.Context, metadata bindings.Metadata) error {
meta, err := d.getDynamoDBMetadata(metadata)
if err != nil {
return err
}

client, err := d.getClient(meta)
aws, err := awsAuth.New(awsAuth.Options{
Logger: d.logger,
Properties: metadata.Properties,
Region: meta.Region,
AccessKey: meta.AccessKey,
SecretKey: meta.SecretKey,
SessionToken: meta.SessionToken,
})
if err != nil {
return err
}

sess, err := aws.GetClient(ctx)
if err != nil {
return err
}

d.client = client
d.client = dynamodb.New(sess)
d.table = meta.Table

return nil
Expand Down Expand Up @@ -105,16 +117,6 @@ func (d *DynamoDB) getDynamoDBMetadata(spec bindings.Metadata) (*dynamoDBMetadat
return &meta, nil
}

func (d *DynamoDB) getClient(metadata *dynamoDBMetadata) (*dynamodb.DynamoDB, error) {
sess, err := awsAuth.GetClient(metadata.AccessKey, metadata.SecretKey, metadata.SessionToken, metadata.Region, metadata.Endpoint)
if err != nil {
return nil, err
}
c := dynamodb.New(sess)

return c, nil
}

// GetComponentMetadata returns the metadata of the component.
func (d *DynamoDB) GetComponentMetadata() (metadataInfo metadata.MetadataMap) {
metadataStruct := dynamoDBMetadata{}
Expand Down
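Review bot: `meta.Endpoint` is no longer forwarded in `Init`: the removed `getClient` passed `metadata.Endpoint` to `awsAuth.GetClient`, but the new `awsAuth.Options` literal only sets `Region`, `AccessKey`, `SecretKey` and `SessionToken`, so a binding configured against a custom or VPC endpoint would silently connect to the default public endpoint for the region. If `Options` has such a field, add `Endpoint: meta.Endpoint,` beside `Region`; a later commit in this PR titled "add endpoint field to options" suggests this was caught, but at this commit it is a regression. Two smaller points: the local named `aws` shadows the SDK's `aws` package if this file imports it (the s3 change uses `awsA` for that reason), and if the provider returned by `awsAuth.New` owns a credential-refresh goroutine (the PR's last commit mentions adding a closer), its lifetime should be tied to the binding's `Close`. `Init`'s closing brace lies outside the hunk.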
27 changes: 15 additions & 12 deletions bindings/aws/s3/s3.go
Expand Up @@ -29,7 +29,6 @@ import (

"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/awserr"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/s3"

"github.com/aws/aws-sdk-go/service/s3/s3manager"
Expand Down Expand Up @@ -110,12 +109,25 @@ func NewAWSS3(logger logger.Logger) bindings.OutputBinding {
}

// Init does metadata parsing and connection creation.
func (s *AWSS3) Init(_ context.Context, metadata bindings.Metadata) error {
func (s *AWSS3) Init(ctx context.Context, metadata bindings.Metadata) error {
m, err := s.parseMetadata(metadata)
if err != nil {
return err
}
session, err := s.getSession(m)

awsA, err := awsAuth.New(awsAuth.Options{
Logger: s.logger,
Properties: metadata.Properties,
Region: m.Region,
AccessKey: m.AccessKey,
SecretKey: m.SecretKey,
SessionToken: m.SessionToken,
})
if err != nil {
return err
}

session, err := awsA.GetClient(ctx)
if err != nil {
return err
}
Expand Down Expand Up @@ -415,15 +427,6 @@ func (s *AWSS3) parseMetadata(md bindings.Metadata) (*s3Metadata, error) {
return &m, nil
}

func (s *AWSS3) getSession(metadata *s3Metadata) (*session.Session, error) {
sess, err := awsAuth.GetClient(metadata.AccessKey, metadata.SecretKey, metadata.SessionToken, metadata.Region, metadata.Endpoint)
if err != nil {
return nil, err
}

return sess, nil
}

// Helper to merge config and request metadata.
func (metadata s3Metadata) mergeWithRequestMetadata(req *bindings.InvokeRequest) (s3Metadata, error) {
merged := metadata
Expand Down
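Review bot: The new `awsAuth.Options` literal in `Init` drops `m.Endpoint`, which the removed `getSession` passed as the last argument to `awsAuth.GetClient`; for S3 this matters more than for the other bindings because S3-compatible stores and VPC endpoints are a common configuration, and losing the endpoint means requests, and the objects in them, go to the public AWS endpoint instead. If the options type carries an endpoint, `Endpoint: m.Endpoint,` next to `Region` restores the old behaviour; if it does not yet, that is the gap to close before the other AWS components are migrated the same way. Naming the provider `awsA` to avoid shadowing the imported `aws` package is the right call and worth mirroring in the dynamodb and sns changes. The rest of `Init`, including what becomes of `session` after the error check, is outside the hunk.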
31 changes: 18 additions & 13 deletions bindings/aws/sns/sns.go
Expand Up @@ -58,16 +58,31 @@ func NewAWSSNS(logger logger.Logger) bindings.OutputBinding {
}

// Init does metadata parsing.
func (a *AWSSNS) Init(_ context.Context, metadata bindings.Metadata) error {
func (a *AWSSNS) Init(ctx context.Context, metadata bindings.Metadata) error {
m, err := a.parseMetadata(metadata)
if err != nil {
return err
}
client, err := a.getClient(m)

aws, err := awsAuth.New(awsAuth.Options{
Logger: a.logger,
Properties: metadata.Properties,
Region: m.Region,
AccessKey: m.AccessKey,
SecretKey: m.SecretKey,
SessionToken: m.SessionToken,
})
if err != nil {
return err
}
a.client = client

sess, err := aws.GetClient(ctx)
if err != nil {
return err
}

a.client = sns.New(sess)

a.topicARN = m.TopicArn

return nil
Expand All @@ -83,16 +98,6 @@ func (a *AWSSNS) parseMetadata(meta bindings.Metadata) (*snsMetadata, error) {
return &m, nil
}

func (a *AWSSNS) getClient(metadata *snsMetadata) (*sns.SNS, error) {
sess, err := awsAuth.GetClient(metadata.AccessKey, metadata.SecretKey, metadata.SessionToken, metadata.Region, metadata.Endpoint)
if err != nil {
return nil, err
}
c := sns.New(sess)

return c, nil
}

func (a *AWSSNS) Operations() []bindings.OperationKind {
return []bindings.OperationKind{bindings.CreateOperation}
}
Expand Down
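Review bot: The local variable `aws` returned by `awsAuth.New` in `Init` will shadow the SDK's `aws` package if sns.go imports it (as the s3 change assumes for its own file, naming the value `awsA`); renaming to `awsA` or `provider` keeps the SDK helpers reachable and matches the sibling change. As in the dynamodb hunk, `m.Endpoint` that the removed `getClient` forwarded is not set on the `awsAuth.Options` literal, so a custom SNS endpoint configured in metadata would be ignored unless `Options` gains an `Endpoint` field, e.g. `Endpoint: m.Endpoint,`. `Init`'s closing brace is outside the hunk.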