Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Integration][AWS] - Fix ExpiredTokenException #1041

Merged
merged 21 commits into from
Sep 26, 2024
Merged

[Integration][AWS] - Fix ExpiredTokenException #1041

Show file tree
Hide file tree
Changes from 13 commits
Commits
Show all changes
21 commits
Select commit Hold shift + click to select a range
d55fead
Added support for parralel fetching of account resources
mk-armah Sep 18, 2024
35a3672
reassume role to refresh session credentials when its 80% close to ex…
mk-armah Sep 20, 2024
a0033f1
updated changelog
mk-armah Sep 20, 2024
3478ab3
updated dependencies
mk-armah Sep 20, 2024
cf2920b
addressed comments
mk-armah Sep 24, 2024
4661b48
Merge branch 'main' into port-10319/improvement-aws
mk-armah Sep 24, 2024
858a41f
updated changelog
mk-armah Sep 24, 2024
075ca94
updated changelog
mk-armah Sep 24, 2024
1d5c94c
fix typing issues
mk-armah Sep 24, 2024
e57aa07
specified target version for ruff in pyproject.toml
mk-armah Sep 24, 2024
203b5d2
passing target version as string
mk-armah Sep 24, 2024
6c27fc3
added tests
mk-armah Sep 25, 2024
047f552
added test for aws util
mk-armah Sep 25, 2024
c83e655
refactored resync_all
mk-armah Sep 25, 2024
a15b7d6
Merge branch 'main' into port-10319/improvement-aws
mk-armah Sep 26, 2024
8e8d34d
rename AssumeRoleSession to OceanOrgAssumeRoleSession
mk-armah Sep 26, 2024
c754570
Merge branch 'port-10319/improvement-aws' of https://github.com/port-…
mk-armah Sep 26, 2024
eeca52e
refactored get_sessions
mk-armah Sep 26, 2024
d180b07
refactored session factory
mk-armah Sep 26, 2024
9b57ce6
added more tests
mk-armah Sep 26, 2024
d0a1237
removed comments
mk-armah Sep 26, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions integrations/aws/CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,12 +6,24 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

<!-- towncrier release notes start -->

## 0.2.43 (2024-09-18)


### Improvements

- Improved support for parralel fetching of aws account resources
- Fixed ExpiredTokenException by replacing event-based caching with a time-dependent caching mechanism. The new approach reassumes the role and refreshes session credentials when 80% of the session duration has been used, ensuring credentials are refreshed before expiry.


## 0.2.42 (2024-09-24)


### Bug Fixes

- Fixes an issue where `is_access_denied_exception` could raise an `AttributeError` if `e.response` is `None`.


## 0.2.41 (2024-09-22)


Expand Down
10 changes: 8 additions & 2 deletions integrations/aws/aws/session_manager.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,9 @@ class AccountNotFoundError(OceanAbortException):
pass


ASSUME_ROLE_DURATION_SECONDS = 3600 # 1 hour


class SessionManager:
def __init__(self) -> None:
"""
Expand Down Expand Up @@ -93,7 +96,9 @@ async def _get_organization_session(self) -> aioboto3.Session | None:
async with application_session.client("sts") as sts_client:
try:
organizations_client = await sts_client.assume_role(
RoleArn=organization_role_arn, RoleSessionName="AssumeRoleSession"
RoleArn=organization_role_arn,
RoleSessionName="AssumeRoleSession",
Copy link
Member

@matan84 matan84 Sep 22, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
RoleSessionName="AssumeRoleSession",
RoleSessionName="OceanOrgAssumeRoleSession",

DurationSeconds=ASSUME_ROLE_DURATION_SECONDS,
)

credentials = organizations_client["Credentials"]
Expand Down Expand Up @@ -150,7 +155,8 @@ async def _assume_role_and_update_credentials(
try:
account_role = await sts_client.assume_role(
RoleArn=f'arn:aws:iam::{account["Id"]}:role/{self._get_account_read_role_name()}',
RoleSessionName="AssumeRoleSession",
RoleSessionName="OceanMemberAssumeRoleSession",
DurationSeconds=ASSUME_ROLE_DURATION_SECONDS,
)
raw_credentials = account_role["Credentials"]
credentials = AwsCredentials(
Expand Down
100 changes: 74 additions & 26 deletions integrations/aws/main.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,10 @@
is_access_denied_exception,
is_server_error,
)
from port_ocean.utils.async_iterators import stream_async_iterators_tasks
import asyncio

MAX_CONCURRENT_TASKS = 50
matan84 marked this conversation as resolved.
Show resolved Hide resolved


async def _handle_global_resource_resync(
Expand Down Expand Up @@ -69,19 +73,37 @@ async def _handle_global_resource_resync(
async def resync_all(kind: str) -> ASYNC_GENERATOR_RESYNC_TYPE:
if kind in iter(ResourceKindsWithSpecialHandling):
return

await update_available_access_credentials()
is_global = is_global_resource(kind)
async for credentials in get_accounts():
if is_global:
async for batch in _handle_global_resource_resync(kind, credentials):
yield batch
else:
async for session in credentials.create_session_for_each_region():
try:
async for batch in resync_cloudcontrol(kind, session):
yield batch
except Exception:
continue
semaphore = asyncio.BoundedSemaphore(MAX_CONCURRENT_TASKS)
matan84 marked this conversation as resolved.
Show resolved Hide resolved

async def handle_account(
matan84 marked this conversation as resolved.
Show resolved Hide resolved
credentials: AwsCredentials,
) -> ASYNC_GENERATOR_RESYNC_TYPE:
"""Function to handle fetching resources for a single account."""
async with semaphore:
errors, regions = [], []
if is_global:
async for batch in _handle_global_resource_resync(kind, credentials):
yield batch
else:
async for session in credentials.create_session_for_each_region():
try:
async for batch in resync_cloudcontrol(kind, session):
yield batch
except Exception as exc:
regions.append(session.region_name)
errors.append(exc)
continue
if errors:
message = f"Failed to fetch {kind} for these regions {regions} with {len(errors)} errors in account {credentials.account_id}"
raise ExceptionGroup(message, errors)

tasks = [handle_account(credentials) async for credentials in get_accounts()]
if tasks:
async for batch in stream_async_iterators_tasks(*tasks):
matan84 marked this conversation as resolved.
Show resolved Hide resolved
yield batch


@ocean.on_resync(kind=ResourceKindsWithSpecialHandling.ACCOUNT)
Expand All @@ -94,76 +116,102 @@ async def resync_account(kind: str) -> ASYNC_GENERATOR_RESYNC_TYPE:
@ocean.on_resync(kind=ResourceKindsWithSpecialHandling.ELASTICACHE_CLUSTER)
async def resync_elasticache(kind: str) -> ASYNC_GENERATOR_RESYNC_TYPE:
await update_available_access_credentials()
async for session in get_sessions():
async for batch in resync_custom_kind(

tasks = [
resync_custom_kind(
kind,
session,
"elasticache",
"describe_cache_clusters",
"CacheClusters",
"Marker",
):
)
async for session in get_sessions()
]
if tasks:
async for batch in stream_async_iterators_tasks(*tasks):
matan84 marked this conversation as resolved.
Show resolved Hide resolved
yield batch


@ocean.on_resync(kind=ResourceKindsWithSpecialHandling.ELBV2_LOAD_BALANCER)
async def resync_elv2_load_balancer(kind: str) -> ASYNC_GENERATOR_RESYNC_TYPE:
await update_available_access_credentials()
async for session in get_sessions():
async for batch in resync_custom_kind(

tasks = [
resync_custom_kind(
kind,
session,
"elbv2",
"describe_load_balancers",
"LoadBalancers",
"Marker",
):
)
async for session in get_sessions()
]

if tasks:
async for batch in stream_async_iterators_tasks(*tasks):
yield batch


@ocean.on_resync(kind=ResourceKindsWithSpecialHandling.ACM_CERTIFICATE)
async def resync_acm(kind: str) -> ASYNC_GENERATOR_RESYNC_TYPE:
await update_available_access_credentials()
async for session in get_sessions():
async for batch in resync_custom_kind(

tasks = [
resync_custom_kind(
kind,
session,
"acm",
"list_certificates",
"CertificateSummaryList",
"NextToken",
):
)
async for session in get_sessions()
]

if tasks:
async for batch in stream_async_iterators_tasks(*tasks):
yield batch


@ocean.on_resync(kind=ResourceKindsWithSpecialHandling.AMI_IMAGE)
async def resync_ami(kind: str) -> ASYNC_GENERATOR_RESYNC_TYPE:
await update_available_access_credentials()
async for session in get_sessions():
async for batch in resync_custom_kind(
tasks = [
resync_custom_kind(
kind,
session,
"ec2",
"describe_images",
"Images",
"NextToken",
{"Owners": ["self"]},
):
)
async for session in get_sessions()
]
if tasks:
async for batch in stream_async_iterators_tasks(*tasks):
yield batch


@ocean.on_resync(kind=ResourceKindsWithSpecialHandling.CLOUDFORMATION_STACK)
async def resync_cloudformation(kind: str) -> ASYNC_GENERATOR_RESYNC_TYPE:
await update_available_access_credentials()
async for session in get_sessions():
async for batch in resync_custom_kind(
tasks = [
resync_custom_kind(
kind,
session,
"cloudformation",
"describe_stacks",
"Stacks",
"NextToken",
):
)
async for session in get_sessions()
]

if tasks:
async for batch in stream_async_iterators_tasks(*tasks):
yield batch


Expand Down
Loading
Loading