From 4f1d87239eabd4e4df9acbba85049cf5c2df0ca0 Mon Sep 17 00:00:00 2001
From: Kartik Moolya <56674362+kartik-moolya@users.noreply.github.com>
Date: Thu, 2 Jul 2020 22:31:01 +0530
Subject: [PATCH] allow using AWS role or EC2 Instance role for Elasticsearch Auth (#306)

##### ISSUE TYPE
- Feature Pull Request
##### SUMMARY
Allow using AWS role or EC2 Instance role to generate session tokens for AWS credentials.
---
 comm_config.yaml | 9 +++++----
 pkg/config/config.go | 1 +
 pkg/notify/elasticsearch.go | 13 ++++++++++++-
 3 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/comm_config.yaml b/comm_config.yaml
index c287c46d7..822b25a39 100644
--- a/comm_config.yaml
+++ b/comm_config.yaml
@@ -20,10 +20,11 @@ communications:
 elasticsearch:
 enabled: false
 awsSigning:
- enabled: false # enable awsSigning using IAM for Elastisearch hosted on AWS, if true make sure AWS environment variables are set. Refer https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
- awsRegion: "us-east-1" # AWS region where Elasticsearch is deployed
- server: 'ELASTICSEARCH_ADDRESS' # e.g https://example.com:9243
- username: 'ELASTICSEARCH_USERNAME' # Basic Auth
+ enabled: false # enable awsSigning using IAM for Elastisearch hosted on AWS, if true make sure AWS environment variables are set. Refer https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
+ awsRegion: 'us-east-1' # AWS region where Elasticsearch is deployed
+ roleArn: '' # AWS IAM Role arn to assume for credentials, use this only if you dont want to use the EC2 instance role or not running on AWS instance
+ server: 'ELASTICSEARCH_ADDRESS' # e.g https://example.com:9243
+ username: 'ELASTICSEARCH_USERNAME' # Basic Auth
 password: 'ELASTICSEARCH_PASSWORD'
 # ELS index settings
 index:
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 64e41bd7d..97ad320b3 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
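Review bot: The comment carried over onto the new `enabled` line still tells operators to set AWS environment variables, but the companion Go change drops `credentials.NewEnvCredentials()` in favour of the EC2 instance role or an assumed role, so as committed those variables are not consulted and a user following the comment gets an unexplained signing failure. Reword it to match whichever credential sources the code finally uses, e.g. `enabled: false # sign requests with AWS SigV4; credentials come from the EC2 instance role, or from roleArn below when set`. The `roleArn` comment should also state the prerequisite that the base identity needs `sts:AssumeRole` on that role and the role's trust policy must allow it, and `dont` should read `don't`.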
@@ -128,6 +128,7 @@ type ElasticSearch struct {
 type AWSSigning struct {
 Enabled bool
 AWSRegion string `yaml:"awsRegion"`
+ RoleArn string `yaml:"roleArn"`
 }
 
 // Index settings for ELS
diff --git a/pkg/notify/elasticsearch.go b/pkg/notify/elasticsearch.go
index 1d39ae9c9..e3e9bb65b 100644
--- a/pkg/notify/elasticsearch.go
+++ b/pkg/notify/elasticsearch.go
@@ -25,6 +25,9 @@ import (
 "time"
 
 "github.com/aws/aws-sdk-go/aws/credentials"
+ "github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
+ "github.com/aws/aws-sdk-go/aws/credentials/stscreds"
+ "github.com/aws/aws-sdk-go/aws/session"
 "github.com/aws/aws-sdk-go/aws/signer/v4"
 "github.com/infracloudio/botkube/pkg/config"
 "github.com/infracloudio/botkube/pkg/events"
@@ -55,11 +58,19 @@ type ElasticSearch struct {
 func NewElasticSearch(c *config.Config) (Notifier, error) {
 var elsClient *elastic.Client
 var err error
+ var creds *credentials.Credentials
 if c.Communications.ElasticSearch.AWSSigning.Enabled {
 // Get credentials from environment variables and create the AWS Signature Version 4 signer
- creds := credentials.NewEnvCredentials()
+ sess := session.Must(session.NewSession())
+ if c.Communications.ElasticSearch.AWSSigning.RoleArn != "" {
+ creds = stscreds.NewCredentials(sess, c.Communications.ElasticSearch.AWSSigning.RoleArn)
+ } else {
+ creds = ec2rolecreds.NewCredentials(sess)
+ }
+
 signer := v4.NewSigner(creds)
 awsClient, err := aws_signing_client.New(signer, nil, awsService, c.Communications.ElasticSearch.AWSSigning.AWSRegion)
+
 if err != nil {
 return nil, err
 }
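Review bot: `session.Must(session.NewSession())` panics on any session-construction error inside a constructor that already returns `error`, so a malformed shared-config file or environment crashes the process instead of surfacing as a notifier setup failure; use `session.NewSession()` and return the error. The `else` branch also narrows the previous behaviour: `ec2rolecreds` only queries the EC2 instance metadata service, so credentials from environment variables (the removed `NewEnvCredentials` path), shared config, a web-identity token such as IRSA on Kubernetes, or an ECS task role are ignored and signing presumably fails at the first request; the session's default chain (`sess.Config.Credentials`) covers all of those, including the instance role, so it is the safer fallback. The retained comment `// Get credentials from environment variables ...` no longer describes the code and should name the selected source. Assumed-role problems (missing `sts:AssumeRole`, trust policy) only show up on first use; an early `creds.Get()` would report them at startup if that is wanted. The rest of NewElasticSearch continues outside the hunk.
```go
	if c.Communications.ElasticSearch.AWSSigning.Enabled {
		// Sign with the SDK default credential chain (env vars, shared config, web identity,
		// ECS/EC2 roles), assuming RoleArn on top of it when configured.
		sess, err := session.NewSession()
		if err != nil {
			return nil, err
		}
		creds = sess.Config.Credentials
		if roleArn := c.Communications.ElasticSearch.AWSSigning.RoleArn; roleArn != "" {
			creds = stscreds.NewCredentials(sess, roleArn)
		}
		// … unchanged: signer and signing-client construction …
```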