Add AWS STS authentication support #1884
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
phoebusm
requested review from
alexowens90,
willdealtry and
poodlewars
as code owners
poodlewars
requested changes
Oct 8, 2024
| .def_property("ssl", &S3Override::ssl, &S3Override::set_ssl); | ||
| .def_property("ssl", &S3Override::ssl, &S3Override::set_ssl) | ||
| .def_property("aws_auth", | ||
| // pybind cannot smartly convert AWSAuthMethod defined in proto from C++ layer to Python layer |
| @@ -27,4 +29,6 @@ message Config { | |||
| string ca_cert_dir = 15; | |||
| // Whether to leave the prefix unchanged, or to translate the periods in it. | |||
| bool use_raw_prefix = 16; | |||
| arcticc.pb2.storage_pb2.AWSAuthMethod aws_auth = 17; //default to be 0, DISABLED | |||
There was a problem hiding this comment.
I'm very worried about adding anything to these protobufs after all the issues recently with the https flag.
There is actually no reason for this to go in the protobuf at all is there? We never intend to serialize it?
We will need extensive compatibility testing (similar to #1862 ) for this change either way.
| @@ -86,13 +88,17 @@ S3Storage::S3Storage(const LibraryPath &library_path, OpenMode mode, const Confi | |||
| root_folder_(object_store_utils::get_root_folder(library_path)), | |||
| bucket_name_(conf.bucket_name()), | |||
| region_(conf.region()) { | |||
|
|
|||
| @@ -22,11 +22,45 @@ Available options for S3: | |||
| | access | S3 access key | | |||
| | secret | S3 secret access key | | |||
| | path_prefix | Path within S3 bucket to use for data storage | | |||
| | aws_auth | If true, authentication to endpoint will be computed via AWS environment vars/config files. If no options are provided `aws_auth` will be assumed to be true. | | |||
| | aws_auth | AWS authentication method. If setting is `1` (or `true` for backward compatibility), authentication to endpoint will be computed via [AWS default credential provider chain](https://docs.aws.amazon.com/sdk-for-cpp/v1/developer-guide/credproviders.html). If setting is `2`, AWS Security Token Service (STS) will be the authentication method used. If no options are provided AWS authentication will be assumed to be not used. More info is provided below | | |||
There was a problem hiding this comment.
Let's use human readable terms for this. default or true for the current behaviour, sts for this new behaviour?
| @@ -22,11 +22,45 @@ Available options for S3: | |||
| | access | S3 access key | | |||
| | secret | S3 secret access key | | |||
| | path_prefix | Path within S3 bucket to use for data storage | | |||
| | aws_auth | If true, authentication to endpoint will be computed via AWS environment vars/config files. If no options are provided `aws_auth` will be assumed to be true. | | |||
| | aws_auth | AWS authentication method. If setting is `1` (or `true` for backward compatibility), authentication to endpoint will be computed via [AWS default credential provider chain](https://docs.aws.amazon.com/sdk-for-cpp/v1/developer-guide/credproviders.html). If setting is `2`, AWS Security Token Service (STS) will be the authentication method used. If no options are provided AWS authentication will be assumed to be not used. More info is provided below | | |||
There was a problem hiding this comment.
will be assumed to be not used replace with, will not be used and you should specify access and secret in the URI
| _PermissionCapableFactory: Type["MotoS3StorageFixtureFactory"] = None # To be set later | ||
|
|
||
| logging.getLogger("botocore").setLevel(logging.INFO) | ||
|
|
||
| S3_CONFIG_PATH = os.path.expanduser(os.path.join("~", ".aws", "config")) | ||
| S3_BACKUP_CONFIG_PATH = os.path.expanduser(os.path.join("~", ".aws", "bk_config")) |
There was a problem hiding this comment.
A temporary config file for sts credential and profile used in the test
|
|
||
|
|
||
| class Key: | ||
| def __init__(self, id: str, secret: str, user_name: str): |
There was a problem hiding this comment.
Make this kwargs only? Its invocations with three strings next to each other are hard to understand
| try: | ||
| iam_client.create_user(UserName=user_name) | ||
| out.sts_test_key = Key(None, None, user_name) | ||
| print("User created successfully.") |
There was a problem hiding this comment.
logging not print statements...
| RoleName=role_name, | ||
| PolicyArn=out.aws_policy_name | ||
| ) | ||
| print("Policyattached to role successfully.") |
| aws_access_key_id=factory.sts_test_key.id, | ||
| aws_secret_access_key=factory.sts_test_key.secret | ||
| ) | ||
| for _ in range(20): |
There was a problem hiding this comment.
20 retries seems excessive?
There was a problem hiding this comment.
Per my test, once it requires 13 seconds to get the resources available in S3
(_RBAC_ is not replaced yet) -Add STS auth method to codebase (But no test yet)
phoebusm
force-pushed
the
feature/s3_role_auth
branch
from
9758d14
to
f90fad9
Compare
phoebusm
force-pushed
the
feature/s3_role_auth
branch
from
f90fad9
to
5981d02
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Copy of #1814 so @poodlewars can review
Reference Issues/PRs
#1883
What does this implement or fix?
Add support of AWS STS authentication
Any other comments?
STS is an AWS iam service which allows user account to gain access of resources by assuming role.
First, the SDK will send assume role request to iam. If the authentication is successful, iam will reply with a temporary access key. With that access key, SDK will now have access to the resources.
The above logic and the refresh of temporary access key are handled by the SDK.
P.S. the validity check of the temporary access key is made at the beginning of each IO only,
Maintainers of S3 C++ SDK has refused to align this authentication method with other SDKs (e.g. boto3), which create 2 problems:
Detailed setup of the STS method can be referred to the content of this PR.
The test added in this PR requires real S3. Temporary user, policy and role are created for the test in the pipeline.
The final caveat is seems the config file is loaded at the import of ArcticDB and not being refreshed at the entire lifecycle of the python interpreter. This has required a hack in the testing framework to always create the config file at the beginning of any tests. As it's real S3 test specific, it won't create any pain for day-to-day local development and general PR tests.
Checklist
Checklist for code changes...