diff options
Diffstat (limited to 'jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java')
-rw-r--r-- | jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java | 48 |
1 files changed, 46 insertions, 2 deletions
diff --git a/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java b/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java index 8e7678723e6..4fbd42402d7 100644 --- a/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java +++ b/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java @@ -2,6 +2,14 @@ package com.yahoo.jdisc.cloud.aws; +import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider; +import com.amazonaws.services.securitytoken.AWSSecurityTokenService; +import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder; +import com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagement; +import com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient; +import com.amazonaws.services.simplesystemsmanagement.model.GetParametersRequest; +import com.amazonaws.services.simplesystemsmanagement.model.GetParametersResult; +import com.yahoo.container.jdisc.secretstore.SecretNotFoundException; import com.yahoo.container.jdisc.secretstore.SecretStore; /** @@ -9,13 +17,49 @@ import com.yahoo.container.jdisc.secretstore.SecretStore; */ public class AwsParameterStore implements SecretStore { + private final VespaAwsCredentialsProvider credentialsProvider; + private final String roleToAssume; + private final String externalId; + + AwsParameterStore(VespaAwsCredentialsProvider credentialsProvider, String roleToAssume, String externalId) { + this.credentialsProvider = credentialsProvider; + this.roleToAssume = roleToAssume; + this.externalId = externalId; + } + @Override public String getSecret(String key) { - return null; + AWSSecurityTokenService tokenService = AWSSecurityTokenServiceClientBuilder + .standard() + .withRegion("us-east-1") + .withCredentials(credentialsProvider) + .build(); + + STSAssumeRoleSessionCredentialsProvider assumeExtAccountRole = new STSAssumeRoleSessionCredentialsProvider + .Builder(roleToAssume, "vespa") + .withExternalId(externalId) + .withStsClient(tokenService) + .build(); + + AWSSimpleSystemsManagement client = AWSSimpleSystemsManagementClient.builder() + .withCredentials(assumeExtAccountRole) + .withRegion("us-east-1") + .build(); + + GetParametersRequest parametersRequest = new GetParametersRequest().withNames(key).withWithDecryption(true); + GetParametersResult parameters = client.getParameters(parametersRequest); + int count = parameters.getParameters().size(); + if (count < 1) { + throw new SecretNotFoundException("Could not find secret " + key + " using role " + roleToAssume); + } else if (count > 1) { + throw new RuntimeException("Found too many parameters, expected 1, but found " + count); + } + return parameters.getParameters().get(0).getValue(); } @Override public String getSecret(String key, int version) { - return null; + // TODO + return getSecret(key); } } |