author | Ola Aunrønning <olaa@verizonmedia.com> | 2021-03-02 17:35:20 +0100 |
---|---|---|
committer | Ola Aunrønning <olaa@verizonmedia.com> | 2021-03-04 13:31:52 +0100 |
commit | 301f68c3b48b5ecbb94e0671fd710d0672afb046 (patch) | |
tree | 4b09f3fd36690c0ea4a90657dafd34b52bb4af1a /jdisc-cloud-aws | |
parent | 65b1933e6b2c1b5a2b2c678490590c2ad1af3cc2 (diff) |
Add cloud secret store config
Diffstat (limited to 'jdisc-cloud-aws')
-rw-r--r-- | jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java | 9 | ||||
-rw-r--r-- | jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStoreValidationHandler.java | 21 |
2 files changed, 23 insertions, 7 deletions
diff --git a/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java b/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java
index 4fbd42402d7..1636c6aeb6d 100644
--- a/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java
+++ b/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java
@@ -9,6 +9,7 @@ import com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagement
 import com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient;
 import com.amazonaws.services.simplesystemsmanagement.model.GetParametersRequest;
 import com.amazonaws.services.simplesystemsmanagement.model.GetParametersResult;
+import com.yahoo.cloud.config.SecretStoreConfig;
 import com.yahoo.container.jdisc.secretstore.SecretNotFoundException;
 import com.yahoo.container.jdisc.secretstore.SecretStore;
@@ -20,18 +21,20 @@ public class AwsParameterStore implements SecretStore {
 private final VespaAwsCredentialsProvider credentialsProvider;
 private final String roleToAssume;
 private final String externalId;
+ private final String region;
- AwsParameterStore(VespaAwsCredentialsProvider credentialsProvider, String roleToAssume, String externalId) {
+ AwsParameterStore(VespaAwsCredentialsProvider credentialsProvider, String roleToAssume, String externalId, String region) {
 this.credentialsProvider = credentialsProvider;
 this.roleToAssume = roleToAssume;
 this.externalId = externalId;
+ this.region = region;
 }
 @Override
 public String getSecret(String key) {
 AWSSecurityTokenService tokenService = AWSSecurityTokenServiceClientBuilder
 .standard()
- .withRegion("us-east-1")
+ .withRegion(region)
 .withCredentials(credentialsProvider)
 .build();
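Review bot: The import `import com.yahoo.cloud.config.SecretStoreConfig;` added to AwsParameterStore.java is not referenced by either hunk of this file — the constructor receives the region as a plain `String`, not the config object. Unless some part of the file outside the visible hunks uses the type, the import is dead and should be dropped; the type is only needed in AwsParameterStoreValidationHandler, where the lookup happens. The remainder of the file is outside this hunk, so I cannot confirm either way.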
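Review bot: The constructor stores `region` without any check, and `getSecret` hands it straight to `withRegion(region)` on the STS builder (and, in the next hunk, the SSM builder), so a null or empty region from a mis-filled config group only fails deep inside the SDK on the first secret lookup instead of at construction. Replace the assignment with `this.region = Objects.requireNonNull(region, "region");` (needs `java.util.Objects`) so a bad wiring is reported up front with a clear message. The field also deserves a comment explaining why it replaced the hard-coded value, e.g. `// Region for both the STS AssumeRole call and the SSM GetParameters call; comes from the secret-store group in services.xml rather than being pinned to us-east-1`. Note that SSM Parameter Store is regional, so a region that does not match where the parameter was created will surface as a not-found rather than an obvious configuration error. `getSecret` continues past the end of this hunk.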
@@ -43,7 +46,7 @@ public class AwsParameterStore implements SecretStore {
 AWSSimpleSystemsManagement client = AWSSimpleSystemsManagementClient.builder()
 .withCredentials(assumeExtAccountRole)
- .withRegion("us-east-1")
+ .withRegion(region)
 .build();
 GetParametersRequest parametersRequest = new GetParametersRequest().withNames(key).withWithDecryption(true);
diff --git a/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStoreValidationHandler.java b/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStoreValidationHandler.java
index 91b643066fb..5d5cad2f75d 100644
--- a/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStoreValidationHandler.java
+++ b/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStoreValidationHandler.java
@@ -2,6 +2,7 @@ package com.yahoo.jdisc.cloud.aws;
 import com.google.inject.Inject;
+import com.yahoo.cloud.config.SecretStoreConfig;
 import com.yahoo.container.jdisc.HttpRequest;
 import com.yahoo.container.jdisc.HttpResponse;
 import com.yahoo.container.jdisc.LoggingRequestHandler;
@@ -28,16 +29,18 @@ public class AwsParameterStoreValidationHandler extends LoggingRequestHandler {
 private static final Logger log = Logger.getLogger(AwsParameterStoreValidationHandler.class.getName());
 private final VespaAwsCredentialsProvider credentialsProvider;
+ private final SecretStoreConfig secretStoreConfig;
 @Inject
- public AwsParameterStoreValidationHandler(Context ctx) {
- this(ctx, new VespaAwsCredentialsProvider());
+ public AwsParameterStoreValidationHandler(Context ctx, SecretStoreConfig secretStoreConfig) {
+ this(ctx, secretStoreConfig, new VespaAwsCredentialsProvider());
 }
- public AwsParameterStoreValidationHandler(Context ctx, VespaAwsCredentialsProvider credentialsProvider) {
+ public AwsParameterStoreValidationHandler(Context ctx, SecretStoreConfig secretStoreConfig, VespaAwsCredentialsProvider credentialsProvider) {
 super(ctx);
 this.credentialsProvider = credentialsProvider;
+ this.secretStoreConfig = secretStoreConfig;
 }
@@ -64,7 +67,8 @@ public class AwsParameterStoreValidationHandler extends LoggingRequestHandler {
 try {
 var arn = "arn:aws:iam::" + settings.awsId + ":role/" + settings.role;
- var store = new AwsParameterStore(this.credentialsProvider, arn, settings.externalId);
+ var region = getRegion(settings);
+ var store = new AwsParameterStore(this.credentialsProvider, arn, settings.externalId, region);
 store.getSecret("vespa-secret");
 root.setString("status", "ok");
 } catch (RuntimeException e) {
@@ -86,6 +90,15 @@ public class AwsParameterStoreValidationHandler extends LoggingRequestHandler {
 }
 }
+ private String getRegion(AwsSettings settings) {
+ return secretStoreConfig.groups()
+ .stream()
+ .filter(group -> group.name().equals(settings.name))
+ .map(SecretStoreConfig.Groups::region)
+ .findFirst()
+ .orElseThrow(() -> new RuntimeException("No secret store named '" + settings.name + "' configured in services.xml"));
+ }
+
 private static class AwsSettings {
 String name;
 String role; |
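Review bot: `var region = getRegion(settings);` runs inside the `try`, so a secret-store name that is not configured in services.xml is thrown as a RuntimeException into the same `catch (RuntimeException e)` that handles STS/SSM failures; the catch body is outside this hunk, but if it just reports the exception as the validation status, a configuration mismatch becomes indistinguishable from bad credentials or a wrong role. Hoisting the lookup above the `try` (`var region = getRegion(settings);` before `try {`, with its own error reporting) lets the handler report "not configured" separately from "AWS rejected the call". Since `settings` appears to be populated from the incoming request, the message built from `settings.name` should be treated as carrying untrusted text wherever it is echoed back. The enclosing handler method starts and ends outside this hunk.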
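Review bot: `getRegion` throws a bare `RuntimeException` on a lookup miss; `IllegalArgumentException` expresses the intent (caller named an unknown store) and is still caught by the existing `catch (RuntimeException e)`, so `.orElseThrow(() -> new IllegalArgumentException("No secret store named '" + settings.name + "' configured in services.xml"))` is a drop-in change. The filter `group.name().equals(settings.name)` is null-safe on the request side, but a null `settings.name` produces the odd message "No secret store named 'null'", so consider rejecting a missing name explicitly before the stream. A short Javadoc would also help the next reader: `/** Resolves the AWS region for the secret-store group named in the request from the services.xml-derived SecretStoreConfig; the region is never taken from the caller. */`. The `AwsSettings` class continues past the end of this hunk.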