authorMorten Tokle <mortent@verizonmedia.com>2021-01-29 12:30:49 +0100
committerMorten Tokle <mortent@verizonmedia.com>2021-01-29 12:37:29 +0100
commitbc0dda930a028eafed7dfe31bd6a0ef3a59f6dda (patch)
tree29e2adfcf617debb72d8a82ff7751f45eb24d479 /jdisc-cloud-aws
parent02080c165ee28713caf5e74773093aaa19d39b3e (diff)
Initial aws secret store
Diffstat (limited to 'jdisc-cloud-aws')
-rw-r--r--jdisc-cloud-aws/pom.xml12
-rw-r--r--jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java48
-rw-r--r--jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/VespaAwsCredentialsProvider.java39
3 files changed, 97 insertions, 2 deletions
diff --git a/jdisc-cloud-aws/pom.xml b/jdisc-cloud-aws/pom.xml
index 9089c5785c7..045ac1343c8 100644
--- a/jdisc-cloud-aws/pom.xml
+++ b/jdisc-cloud-aws/pom.xml
@@ -25,6 +25,18 @@
<version>${project.version}</version>
<scope>provided</scope>
</dependency>
+ <dependency>
+ <groupId>com.amazonaws</groupId>
+ <artifactId>aws-java-sdk-core</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>com.amazonaws</groupId>
+ <artifactId>aws-java-sdk-sts</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>com.amazonaws</groupId>
+ <artifactId>aws-java-sdk-ssm</artifactId>
+ </dependency>
</dependencies>
<build>
diff --git a/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java b/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java
index 8e7678723e6..4fbd42402d7 100644
--- a/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java
+++ b/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java
@@ -2,6 +2,14 @@
package com.yahoo.jdisc.cloud.aws;
+import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
+import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
+import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
+import com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagement;
+import com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient;
+import com.amazonaws.services.simplesystemsmanagement.model.GetParametersRequest;
+import com.amazonaws.services.simplesystemsmanagement.model.GetParametersResult;
+import com.yahoo.container.jdisc.secretstore.SecretNotFoundException;
import com.yahoo.container.jdisc.secretstore.SecretStore;
/**
@@ -9,13 +17,49 @@ import com.yahoo.container.jdisc.secretstore.SecretStore;
*/
public class AwsParameterStore implements SecretStore {
+ private final VespaAwsCredentialsProvider credentialsProvider;
+ private final String roleToAssume;
+ private final String externalId;
+
+ AwsParameterStore(VespaAwsCredentialsProvider credentialsProvider, String roleToAssume, String externalId) {
+ this.credentialsProvider = credentialsProvider;
+ this.roleToAssume = roleToAssume;
+ this.externalId = externalId;
+ }
+
@Override
public String getSecret(String key) {
- return null;
+ AWSSecurityTokenService tokenService = AWSSecurityTokenServiceClientBuilder
+ .standard()
+ .withRegion("us-east-1")
+ .withCredentials(credentialsProvider)
+ .build();
+
+ STSAssumeRoleSessionCredentialsProvider assumeExtAccountRole = new STSAssumeRoleSessionCredentialsProvider
+ .Builder(roleToAssume, "vespa")
+ .withExternalId(externalId)
+ .withStsClient(tokenService)
+ .build();
+
+ AWSSimpleSystemsManagement client = AWSSimpleSystemsManagementClient.builder()
+ .withCredentials(assumeExtAccountRole)
+ .withRegion("us-east-1")
+ .build();
+
+ GetParametersRequest parametersRequest = new GetParametersRequest().withNames(key).withWithDecryption(true);
+ GetParametersResult parameters = client.getParameters(parametersRequest);
+ int count = parameters.getParameters().size();
+ if (count < 1) {
+ throw new SecretNotFoundException("Could not find secret " + key + " using role " + roleToAssume);
+ } else if (count > 1) {
+ throw new RuntimeException("Found too many parameters, expected 1, but found " + count);
+ }
+ return parameters.getParameters().get(0).getValue();
}
@Override
public String getSecret(String key, int version) {
- return null;
+ // TODO
+ return getSecret(key);
}
}
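Review bot: getSecret(String) builds a fresh STS client, an STSAssumeRoleSessionCredentialsProvider and an SSM client on every call and never shuts any of them down; the STS session provider is Closeable because it can run an asynchronous credential-refresh task, so each lookup leaks that task plus two clients' connection pools. Either cache the three in the constructor (roleToAssume and externalId are already final fields) or scope them to the call as sketched below. The region is hard-coded as `"us-east-1"` in both client builders; a single constant or constructor parameter keeps the two in agreement and makes the dependency visible. The `getSecret(String key, int version)` overload silently drops `version` and returns the latest value, which a caller asking for a pinned version would not expect; until it is implemented, throwing `UnsupportedOperationException` or a Javadoc stating the fallback is safer than the bare `// TODO` (if the intended semantics match SSM's `name:version` selector, that may be the whole implementation).
```java
    @Override
    public String getSecret(String key) {
        // … unchanged: tokenService built via AWSSecurityTokenServiceClientBuilder …
        try (STSAssumeRoleSessionCredentialsProvider assumeExtAccountRole = new STSAssumeRoleSessionCredentialsProvider
                .Builder(roleToAssume, "vespa")
                .withExternalId(externalId)
                .withStsClient(tokenService)
                .build()) {
            AWSSimpleSystemsManagement client = AWSSimpleSystemsManagementClient.builder()
                    .withCredentials(assumeExtAccountRole)
                    .withRegion("us-east-1")
                    .build();
            try {
                // … unchanged: GetParametersRequest, count checks, return of the single value …
            } finally {
                client.shutdown();
            }
        } finally {
            tokenService.shutdown();
        }
    }
```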
diff --git a/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/VespaAwsCredentialsProvider.java b/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/VespaAwsCredentialsProvider.java
new file mode 100644
index 00000000000..6223f19d6de
--- /dev/null
+++ b/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/VespaAwsCredentialsProvider.java
@@ -0,0 +1,39 @@
+// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+
+package com.yahoo.jdisc.cloud.aws;
+
+import com.amazonaws.auth.AWSCredentials;
+import com.amazonaws.auth.AWSCredentialsProvider;
+import com.amazonaws.auth.PropertiesCredentials;
+
+import java.nio.file.Path;
+import java.util.concurrent.atomic.AtomicReference;
+
+public class VespaAwsCredentialsProvider implements AWSCredentialsProvider {
+
+ private static final String DEFAULT_CREDENTIALS_PATH = "/opt/vespa/var/container-data/opt/vespa/conf/credentials.properties";
+
+ private final AtomicReference<AWSCredentials> credentials = new AtomicReference<>();
+ private final Path credentialsPath;
+
+ public VespaAwsCredentialsProvider() {
+ this.credentialsPath = Path.of(DEFAULT_CREDENTIALS_PATH);
+ refresh();
+ }
+
+ @Override
+ public AWSCredentials getCredentials() {
+ return credentials.get();
+ }
+
+ @Override
+ public void refresh() {
+ try {
+ // TODO : implement reading from json file
+ PropertiesCredentials propertiesCredentials = new PropertiesCredentials(this.credentialsPath.toFile());
+ credentials.set(propertiesCredentials);
+ } catch (Exception e) {
+ throw new RuntimeException("Unable to get credentials in " + credentialsPath.toString(), e);
+ }
+ }
+}
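Review bot: getCredentials() only returns what the last refresh() stored, and nothing in this class re-reads the file after construction, so credentials rotated in `credentials.properties` on disk are not picked up unless a caller invokes refresh() itself; as far as I can tell the v1 SDK clients do not call it for you, so either document that contract in class-level Javadoc or have refresh() re-run on a schedule or on a file-modification check. The `catch (Exception e)` in refresh() is wider than needed: `PropertiesCredentials(File)` throws `IOException` for a missing or unreadable file and `IllegalArgumentException` when the key entries are absent, so `catch (IOException | IllegalArgumentException e)` keeps the wrapping while letting genuine programming errors surface unwrapped. The `// TODO : implement reading from json file` comment would serve readers better as Javadoc on the class stating that it currently loads the SDK properties format from `DEFAULT_CREDENTIALS_PATH` and that construction fails fast if that file cannot be read.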