From a9f87453773db469ffe9ecb061f0872b1fa5c33d Mon Sep 17 00:00:00 2001
From: Saravanan Balasubramanian
Date: Mon, 2 Mar 2020 11:05:32 -0800
Subject: [PATCH 1/2] Implemented Assume RoleARN for SQS and SNS

---
 gateways/server/aws-sns/start.go | 2 +-
 gateways/server/aws-sqs/start.go | 4 +++-
 gateways/server/common/aws/aws.go | 14 +++++++++++++-
 pkg/apis/eventsources/v1alpha1/types.go | 7 +++++++
 sensors/triggers/aws-lambda/aws-lambda.go | 2 +-
 5 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/gateways/server/aws-sns/start.go b/gateways/server/aws-sns/start.go
index 440ef1653a..3c36728c70 100644
--- a/gateways/server/aws-sns/start.go
+++ b/gateways/server/aws-sns/start.go
@@ -145,7 +145,7 @@ func (router *Router) PostActivate() error {
 snsEventSource := router.eventSource
- awsSession, err := commonaws.CreateAWSSession(router.k8sClient, snsEventSource.Namespace, snsEventSource.Region, snsEventSource.AccessKey, snsEventSource.SecretKey)
+ awsSession, err := commonaws.CreateAWSSession(router.k8sClient, snsEventSource.Namespace, snsEventSource.Region, snsEventSource.RoleARN, snsEventSource.AccessKey, snsEventSource.SecretKey)
 if err != nil {
 return err
 }
diff --git a/gateways/server/aws-sqs/start.go b/gateways/server/aws-sqs/start.go
index 9819bdec50..7c57d6f988 100644
--- a/gateways/server/aws-sqs/start.go
+++ b/gateways/server/aws-sqs/start.go
@@ -73,7 +73,9 @@ func (listener *EventListener) listenEvents(eventSource *gateways.EventSource, c
 logger.Infoln("setting up aws session...")
 var awsSession *session.Session
- awsSession, err := commonaws.CreateAWSSession(listener.K8sClient, sqsEventSource.Namespace, sqsEventSource.Region, sqsEventSource.AccessKey, sqsEventSource.SecretKey)
+
+ awsSession, err := commonaws.CreateAWSSession(listener.K8sClient, sqsEventSource.Namespace, sqsEventSource.Region, sqsEventSource.RoleARN, sqsEventSource.AccessKey, sqsEventSource.SecretKey)
+
 if err != nil {
 return errors.Wrapf(err, "failed to create aws session for %s", eventSource.Name)
 }
diff --git a/gateways/server/common/aws/aws.go b/gateways/server/common/aws/aws.go
index aab8acd08f..87ba57c7ce 100644
--- a/gateways/server/common/aws/aws.go
+++ b/gateways/server/common/aws/aws.go
@@ -20,6 +20,7 @@ import (
 "github.com/argoproj/argo-events/store"
 "github.com/aws/aws-sdk-go/aws"
 "github.com/aws/aws-sdk-go/aws/credentials"
+ "github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 "github.com/aws/aws-sdk-go/aws/session"
 corev1 "k8s.io/api/core/v1"
 "k8s.io/client-go/kubernetes"
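Review bot: The two blank lines added around the `CreateAWSSession` call in `listenEvents` (one after `var awsSession *session.Session`, one before `if err != nil`) separate the call from its error check and add diff noise for no change in behaviour. Dropping both keeps the call and its check together, matching the SNS call site in the same patch. `listenEvents` continues outside this hunk.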
@@ -55,8 +56,19 @@ func GetAWSSessionWithoutCreds(region string) (*session.Session, error) {
 })
 }
+func GetAWSAssumeRoleCreds(roleARN, region string) (*session.Session, error) {
+ sess := session.Must(session.NewSession())
+ creds := stscreds.NewCredentials(sess, roleARN)
+ return GetAWSSession(creds, region)
+}
+
 // CreateAWSSession based on credentials settings return a aws session
-func CreateAWSSession(client kubernetes.Interface, namespace, region string, accessKey *corev1.SecretKeySelector, secretKey *corev1.SecretKeySelector) (*session.Session, error) {
+func CreateAWSSession(client kubernetes.Interface, namespace, region string, roleARN string, accessKey *corev1.SecretKeySelector, secretKey *corev1.SecretKeySelector) (*session.Session, error) {
+
+ if roleARN != "" {
+ return GetAWSAssumeRoleCreds(roleARN, region)
+ }
+
 if accessKey == nil && secretKey == nil {
 return GetAWSSessionWithoutCreds(region)
 }
diff --git a/pkg/apis/eventsources/v1alpha1/types.go b/pkg/apis/eventsources/v1alpha1/types.go
index 5f92876c2c..5615d67f9c 100644
--- a/pkg/apis/eventsources/v1alpha1/types.go
+++ b/pkg/apis/eventsources/v1alpha1/types.go
@@ -227,6 +227,10 @@ type SNSEventSource struct {
 Namespace string `json:"namespace,omitempty" protobuf:"bytes,5,opt,name=namespace"`
 // Region is AWS region
 Region string `json:"region" protobuf:"bytes,6,name=region"`
+ // RoleARN is the Amazon Resource Name (ARN) of the role to assume.
+ // +optional
+ RoleARN string `json:"roleARN,omitempty" protobuf:"bytes,6,opt,name=roleARN"`
+
 }
 // SQSEventSource refers to event-source for AWS SQS related events
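Review bot: `GetAWSAssumeRoleCreds` builds its base session with `session.Must(session.NewSession())`, which panics on a configuration error even though the function already returns an error, and that base session is given no region, so the STS AssumeRole call depends on whatever region the environment or shared config happens to provide rather than the `region` the caller passed. The rewrite below returns the error and passes `region` explicitly. It is also worth stating in the `CreateAWSSession` doc comment that when `roleARN` is set the `accessKey`/`secretKey` selectors are ignored and the role is assumed with the SDK's default credential chain, since an operator who configures both would reasonably expect the static keys to be the source credentials for the assume-role call. Nothing in the new API lets the caller set an external ID or role session name on the assume-role provider, so cross-account roles whose trust policy requires `sts:ExternalId` cannot be used — acceptable for a first cut, but worth a TODO next to the function. `CreateAWSSession` continues past the end of this hunk.
```go
// GetAWSAssumeRoleCreds returns a session whose credentials are obtained by
// assuming roleARN through STS in the given region. The source credentials
// come from the SDK's default chain, not from any accessKey/secretKey secret.
// TODO: expose ExternalID / RoleSessionName for trust policies that require them.
func GetAWSAssumeRoleCreds(roleARN, region string) (*session.Session, error) {
	base, err := session.NewSession(&aws.Config{Region: aws.String(region)})
	if err != nil {
		return nil, err
	}
	creds := stscreds.NewCredentials(base, roleARN)
	return GetAWSSession(creds, region)
}

// CreateAWSSession based on credentials settings return a aws session.
// When roleARN is non-empty it takes precedence and accessKey/secretKey are ignored.
// … unchanged: CreateAWSSession body …
```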
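Review bot: The new `RoleARN` field in `SNSEventSource` reuses protobuf field number 6, which `Region` on the line directly above already carries as `protobuf:"bytes,6,name=region"`; two fields with the same number make the generated protobuf ambiguous and will break any client that decodes the wire form. Use the next free number, `protobuf:"bytes,7,opt,name=roleARN"`, assuming 7 is not claimed by a field outside this hunk. The blank line added between `RoleARN` and the closing `}` is also stray and should go.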
@@ -245,6 +249,9 @@ type SQSEventSource struct {
 // Namespace refers to Kubernetes namespace to read access related secret from.
 // +optional
 Namespace string `json:"namespace,omitempty" protobuf:"bytes,6,opt,name=namespace"`
+ // RoleARN is the Amazon Resource Name (ARN) of the role to assume.
+ // +optional
+ RoleARN string `json:"roleARN,omitempty" protobuf:"bytes,6,opt,name=roleARN"`
 }
 // PubSubEventSource refers to event-source for GCP PubSub related events.
diff --git a/sensors/triggers/aws-lambda/aws-lambda.go b/sensors/triggers/aws-lambda/aws-lambda.go
index 1b41689ef5..f249465873 100644
--- a/sensors/triggers/aws-lambda/aws-lambda.go
+++ b/sensors/triggers/aws-lambda/aws-lambda.go
@@ -93,7 +93,7 @@ func (t *AWSLambdaTrigger) Execute(resource interface{}) (interface{}, error) {
 return nil, err
 }
- awsSession, err := commonaws.CreateAWSSession(t.K8sClient, trigger.Namespace, trigger.Region, trigger.AccessKey, trigger.SecretKey)
+ awsSession, err := commonaws.CreateAWSSession(t.K8sClient, trigger.Namespace, trigger.Region, "", trigger.AccessKey, trigger.SecretKey)
 if err != nil {
 return nil, errors.Wrap(err, "failed to create a AWS session")
 }

From 9371b048b1d3b8481f8598669ed612bd256be963 Mon Sep 17 00:00:00 2001
From: Saravanan Balasubramanian
Date: Mon, 2 Mar 2020 11:32:55 -0800
Subject: [PATCH 2/2] added test

---
 gateways/server/common/aws/aws_test.go | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/gateways/server/common/aws/aws_test.go b/gateways/server/common/aws/aws_test.go
index 289f615f11..2277d6da03 100644
--- a/gateways/server/common/aws/aws_test.go
+++ b/gateways/server/common/aws/aws_test.go
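Review bot: `RoleARN` in `SQSEventSource` is tagged `protobuf:"bytes,6,opt,name=roleARN"`, the same field number as `Namespace` directly above it (`protobuf:"bytes,6,opt,name=namespace"`); duplicate numbers make the generated protobuf ambiguous. Since `Namespace` is the last existing field visible in the hunk, `protobuf:"bytes,7,opt,name=roleARN"` is the next number to use, unless 7 is already taken by a field outside the hunk.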
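Review bot: Passing a literal `""` as `roleARN` means the Lambda trigger still cannot assume a role while the SNS and SQS sources now can, and nothing in the hunk says whether that gap is deliberate. If it is, a comment on the call such as `// Assume-role is not exposed on the Lambda trigger yet; static keys or the default chain are used.` keeps the next reader from treating it as an oversight. The enclosing `Execute` starts and ends outside this hunk.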
@@ -83,4 +83,13 @@ func TestAWS(t *testing.T) {
 convey.So(session, convey.ShouldNotBeNil)
 })
 })
+
+ convey.Convey("create AWS credential using assume roleARN", t, func(){
+ convey.Convey("Get a new aws session", func() {
+ session, err := GetAWSAssumeRoleCreds("moke-roleARN", "mock-region")
+ convey.So(err, convey.ShouldBeNil)
+ convey.So(session, convey.ShouldNotBeNil)
+
+ })
+ })
 }
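Review bot: The new test only asserts that `GetAWSAssumeRoleCreds("moke-roleARN", "mock-region")` returns a non-nil session without error; as far as I recall the stscreds provider fetches credentials lazily on first use, so the bogus ARN never reaches STS and the test says nothing about whether assuming the role actually works. Naming the case for what it checks (for example `"builds a session with lazy assume-role credentials"`) or driving `session.Config.Credentials.Get()` against a stubbed STS endpoint would make that explicit. Also fix the `"moke-roleARN"` typo to `"mock-roleARN"` and gofmt `func(){` to `func() {`. `TestAWS` starts outside this hunk.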