Adding region-specifc domain suffix for sts endpoints and adding new regions and domain suffixes #234

Open
wants to merge 5 commits into
base: master
18 changes: 16 additions & 2 deletions dist/efs-utils.conf
Expand Up @@ -57,11 +57,9 @@ retry_nfs_mount_command_timeout_sec = 15
[mount.cn-north-1]
dns_name_suffix = amazonaws.com.cn


[mount.cn-northwest-1]
dns_name_suffix = amazonaws.com.cn


[mount.us-iso-east-1]
dns_name_suffix = c2s.ic.gov
stunnel_cafile = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
Expand All @@ -74,6 +72,22 @@ stunnel_cafile = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
dns_name_suffix = sc2s.sgov.gov
stunnel_cafile = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

[mount.us-isob-west-1]
dns_name_suffix = sc2s.sgov.gov
stunnel_cafile = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

[mount.us-isof-east-1]
dns_name_suffix = csp.hci.ic.gov
stunnel_cafile = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

[mount.us-isof-south-1]
dns_name_suffix = csp.hci.ic.gov
stunnel_cafile = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

[mount.eu-isoe-west-1]
dns_name_suffix = cloud.adc-e.uk
stunnel_cafile = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

[mount-watchdog]
enabled = true
poll_interval_sec = 1
31 changes: 26 additions & 5 deletions src/mount_efs/__init__.py
Expand Up @@ -195,7 +195,7 @@

CREDENTIALS_KEYS = ["AccessKeyId", "SecretAccessKey", "Token"]
ECS_TASK_METADATA_API = "http://169.254.170.2"
STS_ENDPOINT_URL_FORMAT = "https://sts.{}.amazonaws.com/"
STS_ENDPOINT_URL_FORMAT = "https://sts.{}.{}/"
INSTANCE_METADATA_TOKEN_URL = "http://169.254.169.254/latest/api/token"
INSTANCE_METADATA_SERVICE_URL = (
"http://169.254.169.254/latest/dynamic/instance-identity/document/"
Expand Down Expand Up @@ -404,6 +404,22 @@ def _fatal_error(message):

_fatal_error(metadata_exception)

def get_target_domain_suffix(config):
def _fatal_error():
fatal_error(
'Error retrieving region. Please set the "dns_name_suffix" parameter '
"in the efs-utils configuration file."
)
region = get_target_region(config)
config_section = get_config_section(config, region)

try:
return config.get(config_section, "dns_name_suffix")
except NoOptionError:
pass

_fatal_error()


def get_target_az(config, options):
if "az" in options:
Expand Down Expand Up @@ -686,6 +702,7 @@ def get_aws_security_credentials(
config,
use_iam,
region,
dns_name_suffix,
awsprofile=None,
aws_creds_uri=None,
jwt_path=None,
Expand Down Expand Up @@ -730,6 +747,7 @@ def get_aws_security_credentials(
role_arn,
jwt_path,
region,
dns_name_suffix,
False,
)
if credentials and credentials_source:
Expand All @@ -744,6 +762,7 @@ def get_aws_security_credentials(
os.environ[WEB_IDENTITY_ROLE_ARN_ENV],
os.environ[WEB_IDENTITY_TOKEN_FILE_ENV],
region,
dns_name_suffix,
False,
)
if credentials and credentials_source:
Expand Down Expand Up @@ -817,7 +836,7 @@ def get_aws_security_credentials_from_ecs(config, aws_creds_uri, is_fatal=False)


def get_aws_security_credentials_from_webidentity(
config, role_arn, token_file, region, is_fatal=False
config, role_arn, token_file, region, dns_name_suffix, is_fatal=False
):
try:
with open(token_file, "r") as f:
Expand All @@ -829,7 +848,7 @@ def get_aws_security_credentials_from_webidentity(
else:
return None, None

STS_ENDPOINT_URL = STS_ENDPOINT_URL_FORMAT.format(region)
STS_ENDPOINT_URL = STS_ENDPOINT_URL_FORMAT.format(region,dns_name_suffix)
webidentity_url = (
STS_ENDPOINT_URL
+ "?"
Expand Down Expand Up @@ -1748,6 +1767,7 @@ def bootstrap_proxy(
security_credentials = None
client_info = get_client_info(config)
region = get_target_region(config)
dns_name_suffix = get_target_domain_suffix(config)

if tls_enabled(options):
cert_details = {}
Expand All @@ -1764,7 +1784,7 @@ def bootstrap_proxy(
kwargs = {"awsprofile": get_aws_profile(options, use_iam)}

security_credentials, credentials_source = get_aws_security_credentials(
config, use_iam, region, **kwargs
config, use_iam, region, dns_name_suffix, **kwargs
)

if credentials_source:
Expand Down Expand Up @@ -2663,7 +2683,8 @@ def _validate_replacement_field_count(format_str, expected_ct):
try:
az_id = get_az_id_from_instance_metadata(config, options)
region = get_target_region(config)
dns_name = "%s.%s.efs.%s.amazonaws.com" % (az_id, fs_id, region)
dns_name_suffix = get_target_domain_suffix(config)
dns_name = "%s.%s.efs.%s.%s" % (az_id, fs_id, region, dns_name_suffix)
except RuntimeError:
err_msg = "Cannot retrieve AZ-ID from metadata service. This is required for the crossaccount mount option."
fatal_error(err_msg)
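Review bot: The fallback in get_target_domain_suffix reports the wrong failure: its `_fatal_error` message reads "Error retrieving region", but by that point get_target_region has already returned and what is actually missing is the `dns_name_suffix` option; the watchdog copy of the same helper says "Error retrieving DNS domain suffix for region", so the two should agree, e.g. `'Error retrieving DNS domain suffix for region. Please set the "dns_name_suffix" parameter '`. This helper also turns what used to be a hard-coded `amazonaws.com` into a fatal error whenever neither the region-specific section nor the default section defines the option, so an existing efs-utils.conf that predates the new keys would stop mounting after an upgrade unless a default exists outside this hunk (not visible here). Because the value is interpolated into the URL that receives the web-identity token in get_aws_security_credentials_from_webidentity (and likewise in the watchdog), a shape check before returning it would be prudent, e.g. `if any(c in suffix for c in "/?# \t"): _fatal_error()`, together with a docstring line stating that the option must be a bare DNS suffix such as `amazonaws.com`. The call `STS_ENDPOINT_URL_FORMAT.format(region,dns_name_suffix)` is also missing the space after the comma that black would insert, and the new top-level def is separated from its neighbours by a single blank line where PEP 8 wants two.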
29 changes: 27 additions & 2 deletions src/watchdog/__init__.py
Expand Up @@ -146,7 +146,7 @@
AP_ID_RE = re.compile("^fsap-[0-9a-f]{17}$")

ECS_TASK_METADATA_API = "http://169.254.170.2"
STS_ENDPOINT_URL_FORMAT = "https://sts.{}.amazonaws.com/"
STS_ENDPOINT_URL_FORMAT = "https://sts.{}.{}/"
INSTANCE_IAM_URL = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
INSTANCE_METADATA_TOKEN_URL = "http://169.254.169.254/latest/api/token"
SECURITY_CREDS_ECS_URI_HELP_URL = (
Expand Down Expand Up @@ -383,8 +383,10 @@ def get_aws_security_credentials_from_webidentity(config, role_arn, token_file,
except Exception as e:
logging.error("Error reading token file %s: %s", token_file, e)
return None

dns_name_suffix = get_target_domain_suffix(config, region)

STS_ENDPOINT_URL = STS_ENDPOINT_URL_FORMAT.format(region)
STS_ENDPOINT_URL = STS_ENDPOINT_URL_FORMAT.format(region, dns_name_suffix)
webidentity_url = (
STS_ENDPOINT_URL
+ "?"
Expand Down Expand Up @@ -497,6 +499,29 @@ def credentials_file_helper(file_path, awsprofile):

return credentials

def get_target_domain_suffix(config, region):
def _fatal_error():
fatal_error(
'Error retrieving DNS domain suffix for region. Please set the "dns_name_suffix" parameter '
"in the efs-utils configuration file."
)

config_section = get_config_section(config, region)

try:
return config.get(config_section, "dns_name_suffix")
except NoOptionError:
pass

_fatal_error()

def get_config_section(config, region):
region_specific_config_section = "%s.%s" % (MOUNT_CONFIG_SECTION, region)
if config.has_section(region_specific_config_section):
config_section = region_specific_config_section
else:
config_section = MOUNT_CONFIG_SECTION
return config_section

def is_instance_metadata_url(url):
return url.startswith("http://169.254.169.254")
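Review bot: get_target_domain_suffix breaks the error-handling convention of the function that calls it: get_aws_security_credentials_from_webidentity logs and returns None when the token file cannot be read, but a missing `dns_name_suffix` now reaches fatal_error from inside that same credential-refresh path, which in a long-running watchdog presumably aborts the process rather than skipping one refresh (fatal_error's behaviour is not visible in this hunk). A consistent alternative is to replace the `_fatal_error()` call with `logging.error("No dns_name_suffix configured for region %s", region)` followed by `return None`, and let the caller treat None as it already does for the token-file failure. The helper is first used at `dns_name_suffix = get_target_domain_suffix(config, region)` before it is defined further down the file, which is fine at runtime but reads awkwardly, and the three new top-level defs are separated by a single blank line where PEP 8 wants two. A one-line docstring such as `"""Return the dns_name_suffix for *region*, falling back to the MOUNT_CONFIG_SECTION default."""` would make the lookup order explicit instead of leaving it to be inferred from get_config_section.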