feat: Implemented Assume RoleARN for SQS and SNS #519

Merged
merged 2 commits into from
Mar 2, 2020
2 changes: 1 addition & 1 deletion gateways/server/aws-sns/start.go
Expand Up @@ -145,7 +145,7 @@ func (router *Router) PostActivate() error {

snsEventSource := router.eventSource

awsSession, err := commonaws.CreateAWSSession(router.k8sClient, snsEventSource.Namespace, snsEventSource.Region, snsEventSource.AccessKey, snsEventSource.SecretKey)
awsSession, err := commonaws.CreateAWSSession(router.k8sClient, snsEventSource.Namespace, snsEventSource.Region, snsEventSource.RoleARN, snsEventSource.AccessKey, snsEventSource.SecretKey)
if err != nil {
return err
}
4 changes: 3 additions & 1 deletion gateways/server/aws-sqs/start.go
Expand Up @@ -73,7 +73,9 @@ func (listener *EventListener) listenEvents(eventSource *gateways.EventSource, c
logger.Infoln("setting up aws session...")

var awsSession *session.Session
awsSession, err := commonaws.CreateAWSSession(listener.K8sClient, sqsEventSource.Namespace, sqsEventSource.Region, sqsEventSource.AccessKey, sqsEventSource.SecretKey)

awsSession, err := commonaws.CreateAWSSession(listener.K8sClient, sqsEventSource.Namespace, sqsEventSource.Region, sqsEventSource.RoleARN, sqsEventSource.AccessKey, sqsEventSource.SecretKey)

if err != nil {
return errors.Wrapf(err, "failed to create aws session for %s", eventSource.Name)
}
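Review bot: The two blank lines wrapped around the CreateAWSSession call, one between the `var awsSession *session.Session` declaration and the call and one between the call and its `if err != nil` check, split a single statement sequence for no reason and differ from the SNS counterpart in this PR, which keeps the call directly under its declaration. Dropping both blank lines keeps the declaration, the call and the error check together as one unit. listenEvents starts before this hunk and continues past it.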
14 changes: 13 additions & 1 deletion gateways/server/common/aws/aws.go
Expand Up @@ -20,6 +20,7 @@ import (
"github.com/argoproj/argo-events/store"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
"github.com/aws/aws-sdk-go/aws/session"
corev1 "k8s.io/api/core/v1"
"k8s.io/client-go/kubernetes"
Expand Down Expand Up @@ -55,8 +56,19 @@ func GetAWSSessionWithoutCreds(region string) (*session.Session, error) {
})
}

func GetAWSAssumeRoleCreds(roleARN, region string) (*session.Session, error) {
sess := session.Must(session.NewSession())
creds := stscreds.NewCredentials(sess, roleARN)
return GetAWSSession(creds, region)
}

// CreateAWSSession based on credentials settings return a aws session
func CreateAWSSession(client kubernetes.Interface, namespace, region string, accessKey *corev1.SecretKeySelector, secretKey *corev1.SecretKeySelector) (*session.Session, error) {
func CreateAWSSession(client kubernetes.Interface, namespace, region string, roleARN string, accessKey *corev1.SecretKeySelector, secretKey *corev1.SecretKeySelector) (*session.Session, error) {

if roleARN != "" {
return GetAWSAssumeRoleCreds(roleARN, region)
}

if accessKey == nil && secretKey == nil {
return GetAWSSessionWithoutCreds(region)
}
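Review bot: `session.Must(session.NewSession())` in GetAWSAssumeRoleCreds panics on failure even though the function already returns an error, and the base session it builds carries no region, so the STS client that stscreds derives from it presumably has no region unless one is picked up from the environment — worth confirming against the SDK. Building the base session with `&aws.Config{Region: aws.String(region)}` and propagating its error addresses both; the rewritten function is below. Separately, the new `if roleARN != ""` branch in CreateAWSSession silently discards accessKey and secretKey whenever a role is given, which the doc comment should state, e.g. `// CreateAWSSession returns an AWS session. When roleARN is set the role is assumed from the default credential chain and accessKey/secretKey are ignored; otherwise static keys are read from the referenced secrets, or no credentials are used when neither selector is set.` The name GetAWSAssumeRoleCreds is also misleading since it returns a *session.Session rather than credentials. CreateAWSSession's body continues past the hunk.
```go
func GetAWSAssumeRoleCreds(roleARN, region string) (*session.Session, error) {
	// Base session used only to call STS; carry the region so the STS client is regional.
	sess, err := session.NewSession(&aws.Config{Region: aws.String(region)})
	if err != nil {
		return nil, err
	}
	creds := stscreds.NewCredentials(sess, roleARN)
	return GetAWSSession(creds, region)
}
```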
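--- a/gateways/server/common/aws/aws_test.go
+++ b/gateways/server/common/aws/aws_test.go
@@ -83,4 +83,13 @@ func TestAWS(t *testing.T) {
 convey.So(session, convey.ShouldNotBeNil)
 })
 })
+
+convey.Convey("create AWS credential using assume roleARN", t, func(){
+convey.Convey("Get a new aws session", func() {
+session, err := GetAWSAssumeRoleCreds("moke-roleARN", "mock-region")
+convey.So(err, convey.ShouldBeNil)
+convey.So(session, convey.ShouldNotBeNil)
+
+})
+})
 }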
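Review bot: The new case only checks that GetAWSAssumeRoleCreds returns a non-nil session and no error for `"moke-roleARN"`; since a clearly invalid ARN is expected to succeed, the credentials are presumably resolved lazily and no STS AssumeRole call is exercised here, which the test should say, e.g. `// credentials are resolved lazily; this only checks session construction, not the AssumeRole call`. The argument `"moke-roleARN"` looks like a typo for `"mock-roleARN"`, and the blank line before the inner `})` is stray. TestAWS starts before this hunk.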
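--- a/pkg/apis/eventsources/v1alpha1/types.go
+++ b/pkg/apis/eventsources/v1alpha1/types.go
@@ -227,6 +227,10 @@ type SNSEventSource struct {
 Namespace string `json:"namespace,omitempty" protobuf:"bytes,5,opt,name=namespace"`
 // Region is AWS region
 Region string `json:"region" protobuf:"bytes,6,name=region"`
+// RoleARN is the Amazon Resource Name (ARN) of the role to assume.
+// +optional
+RoleARN string `json:"roleARN,omitempty" protobuf:"bytes,6,opt,name=roleARN"`
+
 }
 
 // SQSEventSource refers to event-source for AWS SQS related events
@@ -245,6 +249,9 @@ type SQSEventSource struct {
 // Namespace refers to Kubernetes namespace to read access related secret from.
 // +optional
 Namespace string `json:"namespace,omitempty" protobuf:"bytes,6,opt,name=namespace"`
+// RoleARN is the Amazon Resource Name (ARN) of the role to assume.
+// +optional
+RoleARN string `json:"roleARN,omitempty" protobuf:"bytes,6,opt,name=roleARN"`
 }
 
 // PubSubEventSource refers to event-source for GCP PubSub related events.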
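Review bot: The new RoleARN fields reuse protobuf field number 6 in both structs: in SNSEventSource the preceding Region field already carries `protobuf:"bytes,6,name=region"`, and in SQSEventSource the preceding Namespace field carries `protobuf:"bytes,6,opt,name=namespace"`. Protobuf field numbers must be unique within a message, so each RoleARN tag needs the next unused number for its struct, e.g. `protobuf:"bytes,7,opt,name=roleARN"` if 7 is free — the fields before each hunk are outside this view, so the number should be checked against the whole struct. The blank line added before the closing brace of SNSEventSource is stray and should be dropped; the SQSEventSource hunk does not have it.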
2 changes: 1 addition & 1 deletion sensors/triggers/aws-lambda/aws-lambda.go
Expand Up @@ -93,7 +93,7 @@ func (t *AWSLambdaTrigger) Execute(resource interface{}) (interface{}, error) {
return nil, err
}

awsSession, err := commonaws.CreateAWSSession(t.K8sClient, trigger.Namespace, trigger.Region, trigger.AccessKey, trigger.SecretKey)
awsSession, err := commonaws.CreateAWSSession(t.K8sClient, trigger.Namespace, trigger.Region, "", trigger.AccessKey, trigger.SecretKey)
if err != nil {
return nil, errors.Wrap(err, "failed to create a AWS session")
}
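Review bot: The bare `""` passed in the roleARN position of the CreateAWSSession call is an unexplained positional argument; the SNS and SQS sources in this PR gained a RoleARN field, and the Lambda trigger type apparently did not, which should either be stated at the call site or resolved by giving AWSLambdaTrigger the same optional field. If it stays a literal, a trailing comment makes the intent explicit: `awsSession, err := commonaws.CreateAWSSession(t.K8sClient, trigger.Namespace, trigger.Region, "" /* roleARN: assume-role not supported for Lambda triggers */, trigger.AccessKey, trigger.SecretKey)`. Execute starts before this hunk and continues past it.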