Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow get_aws_credentials to assume_role_with_web_identity #137

Merged
merged 4 commits into from
Apr 19, 2024
+25 −3
Merged

Allow get_aws_credentials to assume_role_with_web_identity #137

Changes from 2 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
383dc32
Allow get_aws_credentials to use default boto3 session
Qmando Jan 30, 2024
d2fe09a
Allow setting duration for web identity
Qmando Jan 30, 2024
0219e2f
Update warning to exception for missing web identity token
Qmando Feb 1, 2024
4c27ce2
Update error message for --assume-aws-role to include FileNotFoundError
Qmando Feb 27, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 22 additions & 0 deletions service_configuration_lib/spark_config.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -114,6 +114,7 @@ def get_aws_credentials(
assume_aws_role_arn: Optional[str] = None,
session_duration: int = 3600,
assume_role_user_creds_file: str = '/nail/etc/spark_role_assumer/spark_role_assumer.yaml',
use_web_identity=False,
) -> Tuple[Optional[str], Optional[str], Optional[str]]:
"""load aws creds using different method/file"""
if no_aws_credentials:
Expand All @@ -132,6 +133,27 @@ def get_aws_credentials(
log.warning(
'Tried to assume role with web identity but something went wrong ',
)
elif use_web_identity:
token_path = os.environ.get('AWS_WEB_IDENTITY_TOKEN_FILE')
role_arn = os.environ.get('AWS_ROLE_ARN')
if not token_path or not role_arn:
log.warning('No web identity token file found.')
return None, None, None
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This case seems like it should raise instead of returning the (None, None, None) tuple and logging a warning. If you want it to use web_identity and it doesn't find the token or the role ARN, it will likely make it more difficult to diagnose why permission errors are happening (e.g. whomever is calling this may end up just defaulting to whatever standard resolution like the instance profile

with open(token_path) as token_file:
token = token_file.read()
sts_client = boto3.client('sts')
timestamp = int(time.time())
session = sts_client.assume_role_with_web_identity(
RoleArn=role_arn,
RoleSessionName=f'{service}-session-{timestamp}',
WebIdentityToken=token,
DurationSeconds=session_duration,
)
return (
session['Credentials']['AccessKeyId'],
session['Credentials']['SecretAccessKey'],
session['Credentials']['SessionToken'],
)
88manpreet marked this conversation as resolved.
Show resolved Hide resolved
elif service != DEFAULT_SPARK_SERVICE:
service_credentials_path = os.path.join(AWS_CREDENTIALS_DIR, f'{service}.yaml')
if os.path.exists(service_credentials_path):
Expand Down
Loading