AWS: Refresh vended credentials

Author: nastra

aws/src/main/java/org/apache/iceberg/aws/AwsClientProperties.java

@@ -20,6 +20,7 @@
 
 import java.io.Serializable;
 import java.util.Map;
+import org.apache.iceberg.aws.s3.VendedCredentialsProvider;
 import org.apache.iceberg.common.DynClasses;
 import org.apache.iceberg.common.DynMethods;
 import org.apache.iceberg.relocated.com.google.common.base.Preconditions;
@@ -66,21 +67,39 @@ public class AwsClientProperties implements Serializable {
    */
   public static final String CLIENT_REGION = "client.region";
 
+  /**
+   * Configure the endpoint to be used to fetch and refresh vended credentials.
+   *
+   * <p>When set, the {@link VendedCredentialsProvider} will be used to fetch and refresh vended
+   * credentials.
+   */
+  public static final String REFRESH_CREDENTIALS_ENDPOINT = "client.refresh-credentials-endpoint";
+
+  /** Controls whether vended credentials should be refreshed or not. Defaults to true. */
+  public static final String REFRESH_CREDENTIALS_ENABLED = "client.refresh-credentials-enabled";
+
   private String clientRegion;
   private final String clientCredentialsProvider;
   private final Map<String, String> clientCredentialsProviderProperties;
+  private final String refreshCredentialsEndpoint;
+  private final boolean refreshCredentialsEnabled;
 
   public AwsClientProperties() {
     this.clientRegion = null;
     this.clientCredentialsProvider = null;
     this.clientCredentialsProviderProperties = null;
+    this.refreshCredentialsEndpoint = null;
+    this.refreshCredentialsEnabled = true;
   }
 
   public AwsClientProperties(Map<String, String> properties) {
     this.clientRegion = properties.get(CLIENT_REGION);
     this.clientCredentialsProvider = properties.get(CLIENT_CREDENTIALS_PROVIDER);
     this.clientCredentialsProviderProperties =
         PropertyUtil.propertiesWithPrefix(properties, CLIENT_CREDENTIAL_PROVIDER_PREFIX);
+    this.refreshCredentialsEndpoint = properties.get(REFRESH_CREDENTIALS_ENDPOINT);
+    this.refreshCredentialsEnabled =
+        PropertyUtil.propertyAsBoolean(properties, REFRESH_CREDENTIALS_ENABLED, true);
   }
 
   public String clientRegion() {
@@ -122,11 +141,12 @@ public <T extends AwsClientBuilder> void applyClientCredentialConfigurations(T b
   }
 
   /**
-   * Returns a credentials provider instance. If params were set, we return a new credentials
-   * instance. If none of the params are set, we try to dynamically load the provided credentials
-   * provider class. Upon loading the class, we try to invoke {@code create(Map<String, String>)}
-   * static method. If that fails, we fall back to {@code create()}. If credential provider class
-   * wasn't set, we fall back to default credentials provider.
+   * Returns a credentials provider instance. If {@link #refreshCredentialsEndpoint} is set, an
+   * instance of {@link VendedCredentialsProvider} is returned. If params were set, we return a new
+   * credentials instance. If none of the params are set, we try to dynamically load the provided
+   * credentials provider class. Upon loading the class, we try to invoke {@code create(Map<String,
+   * String>)} static method. If that fails, we fall back to {@code create()}. If credential
+   * provider class wasn't set, we fall back to default credentials provider.
    *
    * @param accessKeyId the AWS access key ID
    * @param secretAccessKey the AWS secret access key
@@ -136,6 +156,12 @@ public <T extends AwsClientBuilder> void applyClientCredentialConfigurations(T b
   @SuppressWarnings("checkstyle:HiddenField")
   public AwsCredentialsProvider credentialsProvider(
       String accessKeyId, String secretAccessKey, String sessionToken) {
+    if (refreshCredentialsEnabled && !Strings.isNullOrEmpty(refreshCredentialsEndpoint)) {
+      clientCredentialsProviderProperties.put(
+          VendedCredentialsProvider.URI, refreshCredentialsEndpoint);
+      return credentialsProvider(VendedCredentialsProvider.class.getName());
+    }
+
     if (!Strings.isNullOrEmpty(accessKeyId) && !Strings.isNullOrEmpty(secretAccessKey)) {
       if (Strings.isNullOrEmpty(sessionToken)) {
         return StaticCredentialsProvider.create(

aws/src/main/java/org/apache/iceberg/aws/s3/S3FileIOProperties.java

@@ -225,6 +225,13 @@ public class S3FileIOProperties implements Serializable {
    */
   public static final String SESSION_TOKEN = "s3.session-token";
 
+  /**
+   * Configure the expiration time in millis of the static session token used to access S3FileIO.
+   * This expiration time is currently only used in {@link VendedCredentialsProvider} for refreshing
+   * vended credentials.
+   */
+  public static final String SESSION_TOKEN_EXPIRES_AT_MS = "s3.session-token-expires-at-ms";
+
   /**
    * Enable to make S3FileIO, to make cross-region call to the region specified in the ARN of an
    * access point.

aws/src/main/java/org/apache/iceberg/aws/s3/VendedCredentialsProvider.java

@@ -0,0 +1,142 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.iceberg.aws.s3;
+
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+import java.util.Comparator;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.concurrent.ThreadLocalRandom;
+import java.util.stream.Collectors;
+import org.apache.iceberg.relocated.com.google.common.base.Preconditions;
+import org.apache.iceberg.rest.ErrorHandlers;
+import org.apache.iceberg.rest.HTTPClient;
+import org.apache.iceberg.rest.RESTClient;
+import org.apache.iceberg.rest.auth.OAuth2Properties;
+import org.apache.iceberg.rest.auth.OAuth2Util;
+import org.apache.iceberg.rest.credentials.Credential;
+import org.apache.iceberg.rest.responses.LoadCredentialsResponse;
+import software.amazon.awssdk.auth.credentials.AwsCredentials;
+import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
+import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
+import software.amazon.awssdk.utils.IoUtils;
+import software.amazon.awssdk.utils.SdkAutoCloseable;
+import software.amazon.awssdk.utils.cache.CachedSupplier;
+import software.amazon.awssdk.utils.cache.RefreshResult;
+
+public class VendedCredentialsProvider implements AwsCredentialsProvider, SdkAutoCloseable {
+  public static final String URI = "credentials.uri";
+  private volatile HTTPClient client;
+  private final Map<String, String> properties;
+  private final CachedSupplier<AwsCredentials> credentialCache;
+
+  private VendedCredentialsProvider(Map<String, String> properties) {
+    Preconditions.checkArgument(null != properties.get(URI), "Invalid URI: null");
+    this.properties = properties;
+    this.credentialCache =
+        CachedSupplier.builder(this::refreshCredential)
+            .cachedValueName(VendedCredentialsProvider.class.getName())
+            .build();
+  }
+
+  @Override
+  public AwsCredentials resolveCredentials() {
+    return credentialCache.get();
+  }
+
+  @Override
+  public void close() {
+    IoUtils.closeQuietly(client, null);
+    credentialCache.close();
+  }
+
+  public static VendedCredentialsProvider create(Map<String, String> properties) {
+    return new VendedCredentialsProvider(properties);
+  }
+
+  private RESTClient httpClient() {
+    if (null == client) {
+      synchronized (this) {
+        if (null == client) {
+          client = HTTPClient.builder(properties).uri(properties.get(URI)).build();
+        }
+      }
+    }
+
+    return client;
+  }
+
+  private RefreshResult<AwsCredentials> refreshCredential() {
+    LoadCredentialsResponse response = fetchCredentials();
+
+    List<Credential> s3Credentials =
+        response.credentials().stream()
+            .filter(c -> c.prefix().startsWith("s3"))
+            .collect(Collectors.toList());
+
+    Preconditions.checkState(!s3Credentials.isEmpty(), "Invalid S3 Credentials: empty");
+
+    Optional<Credential> credentialWithPrefix =
+        s3Credentials.stream().max(Comparator.comparingInt(c -> c.prefix().length()));
+
+    Credential s3Credential = credentialWithPrefix.orElseGet(() -> s3Credentials.get(0));
+    checkCredential(s3Credential, S3FileIOProperties.ACCESS_KEY_ID);
+    checkCredential(s3Credential, S3FileIOProperties.SECRET_ACCESS_KEY);
+    checkCredential(s3Credential, S3FileIOProperties.SESSION_TOKEN);
+    checkCredential(s3Credential, S3FileIOProperties.SESSION_TOKEN_EXPIRES_AT_MS);
+
+    String accessKeyId = s3Credential.config().get(S3FileIOProperties.ACCESS_KEY_ID);
+    String secretAccessKey = s3Credential.config().get(S3FileIOProperties.SECRET_ACCESS_KEY);
+    String sessionToken = s3Credential.config().get(S3FileIOProperties.SESSION_TOKEN);
+    String tokenExpiresAtMillis =
+        s3Credential.config().get(S3FileIOProperties.SESSION_TOKEN_EXPIRES_AT_MS);
+    Instant expiresAt = Instant.ofEpochMilli(Long.parseLong(tokenExpiresAtMillis));
+    int jitter = ThreadLocalRandom.current().nextInt(0, 100);
+    Instant prefetchAt = expiresAt.minus(5, ChronoUnit.MINUTES).plusSeconds(jitter);
+
+    return RefreshResult.builder(
+            (AwsCredentials)
+                AwsSessionCredentials.builder()
+                    .accessKeyId(accessKeyId)
+                    .secretAccessKey(secretAccessKey)
+                    .sessionToken(sessionToken)
+                    .expirationTime(expiresAt)
+                    .build())
+        .staleTime(expiresAt)
+        .prefetchTime(prefetchAt)
+        .build();
+  }
+
+  private void checkCredential(Credential credential, String property) {
+    Preconditions.checkState(
+        credential.config().containsKey(property), "Invalid S3 Credentials: %s not set", property);
+  }
+
+  private LoadCredentialsResponse fetchCredentials() {
+    return httpClient()
+        .get(
+            properties.get(URI),
+            null,
+            LoadCredentialsResponse.class,
+            OAuth2Util.authHeaders(properties.get(OAuth2Properties.TOKEN)),
+            ErrorHandlers.defaultErrorHandler());
+  }
+}

aws/src/test/java/org/apache/iceberg/aws/AwsClientPropertiesTest.java

@@ -21,6 +21,8 @@
 import static org.assertj.core.api.Assertions.assertThat;
 
 import java.util.Map;
+import org.apache.iceberg.aws.s3.VendedCredentialsProvider;
+import org.apache.iceberg.relocated.com.google.common.collect.ImmutableMap;
 import org.apache.iceberg.relocated.com.google.common.collect.Maps;
 import org.junit.jupiter.api.Test;
 import org.mockito.ArgumentCaptor;
@@ -29,6 +31,7 @@
 import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
 import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
 import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
+import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
 import software.amazon.awssdk.regions.Region;
 import software.amazon.awssdk.services.s3.S3ClientBuilder;
 
@@ -111,4 +114,30 @@ public void testSessionCredentialsConfiguration() {
         .as("The secret access key should be the same as the one set by tag SECRET_ACCESS_KEY")
         .isEqualTo("secret");
   }
+
+  @Test
+  public void refreshCredentialsEndpoint() {
+    AwsClientProperties awsClientProperties =
+        new AwsClientProperties(
+            ImmutableMap.of(
+                AwsClientProperties.REFRESH_CREDENTIALS_ENDPOINT,
+                "http://localhost:1234/v1/credentials"));
+
+    assertThat(awsClientProperties.credentialsProvider("key", "secret", "token"))
+        .isInstanceOf(VendedCredentialsProvider.class);
+  }
+
+  @Test
+  public void refreshCredentialsEndpointSetButRefreshDisabled() {
+    AwsClientProperties awsClientProperties =
+        new AwsClientProperties(
+            ImmutableMap.of(
+                AwsClientProperties.REFRESH_CREDENTIALS_ENABLED,
+                "false",
+                AwsClientProperties.REFRESH_CREDENTIALS_ENDPOINT,
+                "http://localhost:1234/v1/credentials"));
+
+    assertThat(awsClientProperties.credentialsProvider("key", "secret", "token"))
+        .isInstanceOf(StaticCredentialsProvider.class);
+  }
 }