diff options
author | Ola Aunrønning <olaa@verizonmedia.com> | 2021-03-03 16:49:01 +0100 |
---|---|---|
committer | Ola Aunrønning <olaa@verizonmedia.com> | 2021-03-04 13:33:47 +0100 |
commit | 9a99b7bd1345e7c89bf842143e1bdbcdee1adfe5 (patch) | |
tree | 2fc5d724a1250e62777c2df3545e3fc383423f89 /jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java | |
parent | 301f68c3b48b5ecbb94e0671fd710d0672afb046 (diff) |
Include tenant secret stores in deploy call
AwsParameterStore iterates through configured stores to find secret
Set up AwsParameterStore
ModelContextImpl properties fetches external ID for every tenant secret store
Diffstat (limited to 'jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java')
-rw-r--r-- | jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java | 67 |
1 files changed, 36 insertions, 31 deletions
diff --git a/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java b/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java index 1636c6aeb6d..e23dc54f4c6 100644 --- a/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java +++ b/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java @@ -9,55 +9,56 @@ import com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagement import com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient; import com.amazonaws.services.simplesystemsmanagement.model.GetParametersRequest; import com.amazonaws.services.simplesystemsmanagement.model.GetParametersResult; +import com.google.inject.Inject; import com.yahoo.cloud.config.SecretStoreConfig; +import com.yahoo.component.AbstractComponent; import com.yahoo.container.jdisc.secretstore.SecretNotFoundException; import com.yahoo.container.jdisc.secretstore.SecretStore; /** * @author mortent */ -public class AwsParameterStore implements SecretStore { +public class AwsParameterStore extends AbstractComponent implements SecretStore { private final VespaAwsCredentialsProvider credentialsProvider; - private final String roleToAssume; - private final String externalId; - private final String region; + private final SecretStoreConfig secretStoreConfig; - AwsParameterStore(VespaAwsCredentialsProvider credentialsProvider, String roleToAssume, String externalId, String region) { - this.credentialsProvider = credentialsProvider; - this.roleToAssume = roleToAssume; - this.externalId = externalId; - this.region = region; + @Inject + public AwsParameterStore(SecretStoreConfig secretStoreConfig) { + this.secretStoreConfig = secretStoreConfig; + this.credentialsProvider = new VespaAwsCredentialsProvider(); } @Override public String getSecret(String key) { - AWSSecurityTokenService tokenService = AWSSecurityTokenServiceClientBuilder - .standard() - .withRegion(region) - .withCredentials(credentialsProvider) - .build(); + for (var group : secretStoreConfig.groups()) { + AWSSecurityTokenService tokenService = AWSSecurityTokenServiceClientBuilder + .standard() + .withRegion(group.region()) + .withCredentials(credentialsProvider) + .build(); - STSAssumeRoleSessionCredentialsProvider assumeExtAccountRole = new STSAssumeRoleSessionCredentialsProvider - .Builder(roleToAssume, "vespa") - .withExternalId(externalId) - .withStsClient(tokenService) - .build(); + STSAssumeRoleSessionCredentialsProvider assumeExtAccountRole = new STSAssumeRoleSessionCredentialsProvider + .Builder(toRoleArn(group.awsId(), group.role()), "vespa") + .withExternalId(group.externalId()) + .withStsClient(tokenService) + .build(); - AWSSimpleSystemsManagement client = AWSSimpleSystemsManagementClient.builder() - .withCredentials(assumeExtAccountRole) - .withRegion(region) - .build(); + AWSSimpleSystemsManagement client = AWSSimpleSystemsManagementClient.builder() + .withCredentials(assumeExtAccountRole) + .withRegion(group.region()) + .build(); - GetParametersRequest parametersRequest = new GetParametersRequest().withNames(key).withWithDecryption(true); - GetParametersResult parameters = client.getParameters(parametersRequest); - int count = parameters.getParameters().size(); - if (count < 1) { - throw new SecretNotFoundException("Could not find secret " + key + " using role " + roleToAssume); - } else if (count > 1) { - throw new RuntimeException("Found too many parameters, expected 1, but found " + count); + GetParametersRequest parametersRequest = new GetParametersRequest().withNames(key).withWithDecryption(true); + GetParametersResult parameters = client.getParameters(parametersRequest); + int count = parameters.getParameters().size(); + if (count == 1) { + return parameters.getParameters().get(0).getValue(); + } else if (count > 1) { + throw new RuntimeException("Found too many parameters, expected 1, but found " + count); + } } - return parameters.getParameters().get(0).getValue(); + throw new SecretNotFoundException("Could not find secret " + key + " in any configured secret store"); } @Override @@ -65,4 +66,8 @@ public class AwsParameterStore implements SecretStore { // TODO return getSecret(key); } + + private String toRoleArn(String awsId, String role) { + return "arn:aws:iam::" + awsId + ":role/" + role; + } } |