Diffstat (limited to 'jdisc-cloud-aws/src/main/java')
-rw-r--r-- | jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java | 48 | ||||
-rw-r--r-- | jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/VespaAwsCredentialsProvider.java | 39 |
2 files changed, 85 insertions, 2 deletions
diff --git a/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java b/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java index 8e7678723e6..4fbd42402d7 100644 --- a/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java +++ b/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStore.java @@ -2,6 +2,14 @@ package com.yahoo.jdisc.cloud.aws; +import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider; +import com.amazonaws.services.securitytoken.AWSSecurityTokenService; +import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder; +import com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagement; +import com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient; +import com.amazonaws.services.simplesystemsmanagement.model.GetParametersRequest; +import com.amazonaws.services.simplesystemsmanagement.model.GetParametersResult; +import com.yahoo.container.jdisc.secretstore.SecretNotFoundException; import com.yahoo.container.jdisc.secretstore.SecretStore; /** 
@@ -9,13 +17,49 @@ import com.yahoo.container.jdisc.secretstore.SecretStore; */ public class AwsParameterStore implements SecretStore { + private final VespaAwsCredentialsProvider credentialsProvider; + private final String roleToAssume; + private final String externalId; + + AwsParameterStore(VespaAwsCredentialsProvider credentialsProvider, String roleToAssume, String externalId) { + this.credentialsProvider = credentialsProvider; + this.roleToAssume = roleToAssume; + this.externalId = externalId; + } + @Override public String getSecret(String key) { - return null; + AWSSecurityTokenService tokenService = AWSSecurityTokenServiceClientBuilder + .standard() + .withRegion("us-east-1") + .withCredentials(credentialsProvider) + .build(); + + STSAssumeRoleSessionCredentialsProvider assumeExtAccountRole = new STSAssumeRoleSessionCredentialsProvider + .Builder(roleToAssume, "vespa") + .withExternalId(externalId) + .withStsClient(tokenService) + .build(); + + AWSSimpleSystemsManagement client = AWSSimpleSystemsManagementClient.builder() + .withCredentials(assumeExtAccountRole) + .withRegion("us-east-1") + .build(); + + GetParametersRequest parametersRequest = new GetParametersRequest().withNames(key).withWithDecryption(true); + GetParametersResult parameters = client.getParameters(parametersRequest); + int count = parameters.getParameters().size(); + if (count < 1) { + throw new SecretNotFoundException("Could not find secret " + key + " using role " + roleToAssume); + } else if (count > 1) { + throw new RuntimeException("Found too many parameters, expected 1, but found " + count); + } + return parameters.getParameters().get(0).getValue(); } @Override public String getSecret(String key, int version) { - return null; + // TODO + return getSecret(key); } } 
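Review bot: getSecret builds a fresh STS client, a new STSAssumeRoleSessionCredentialsProvider and a new SSM client on every lookup and never shuts any of them down, so each secret read pays its own AssumeRole round trip and the provider (which is Closeable and carries refresh state) is dropped unclosed. Build the assume-role chain once in the constructor and keep only the SSM client as a field, as sketched below; the region literal `"us-east-1"` is repeated twice and would read better as a single named constant. The two-argument overload still ignores `version` (the `// TODO` line), which a caller asking for a specific version of a rotated secret will not expect; SSM accepts a `name:version` selector in GetParameters, so something like `return getSecret(key + ":" + version);` may be enough, and until then the gap should be stated in a Javadoc on that overload.
```java
    private final AWSSimpleSystemsManagement ssmClient;

    AwsParameterStore(VespaAwsCredentialsProvider credentialsProvider, String roleToAssume, String externalId) {
        this.credentialsProvider = credentialsProvider;
        this.roleToAssume = roleToAssume;
        this.externalId = externalId;
        // Built once: the assume-role provider caches and refreshes its session itself,
        // so constructing it per lookup would issue a new AssumeRole call for every secret.
        AWSSecurityTokenService tokenService = AWSSecurityTokenServiceClientBuilder
                .standard()
                .withRegion("us-east-1")
                .withCredentials(credentialsProvider)
                .build();
        STSAssumeRoleSessionCredentialsProvider assumeExtAccountRole = new STSAssumeRoleSessionCredentialsProvider
                .Builder(roleToAssume, "vespa")
                .withExternalId(externalId)
                .withStsClient(tokenService)
                .build();
        this.ssmClient = AWSSimpleSystemsManagementClient.builder()
                .withCredentials(assumeExtAccountRole)
                .withRegion("us-east-1")
                .build();
    }

    @Override
    public String getSecret(String key) {
        GetParametersRequest parametersRequest = new GetParametersRequest().withNames(key).withWithDecryption(true);
        GetParametersResult parameters = ssmClient.getParameters(parametersRequest);
        // … unchanged: result-count checks and return of the single value …
    }
```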
diff --git a/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/VespaAwsCredentialsProvider.java b/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/VespaAwsCredentialsProvider.java
new file mode 100644
index 00000000000..6223f19d6de
--- /dev/null
+++ b/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/VespaAwsCredentialsProvider.java
@@ -0,0 +1,39 @@
+// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+
+package com.yahoo.jdisc.cloud.aws;
+
+import com.amazonaws.auth.AWSCredentials;
+import com.amazonaws.auth.AWSCredentialsProvider;
+import com.amazonaws.auth.PropertiesCredentials;
+
+import java.nio.file.Path;
+import java.util.concurrent.atomic.AtomicReference;
+
+public class VespaAwsCredentialsProvider implements AWSCredentialsProvider {
+
+ private static final String DEFAULT_CREDENTIALS_PATH = "/opt/vespa/var/container-data/opt/vespa/conf/credentials.properties";
+
+ private final AtomicReference<AWSCredentials> credentials = new AtomicReference<>();
+ private final Path credentialsPath;
+
+ public VespaAwsCredentialsProvider() {
+ this.credentialsPath = Path.of(DEFAULT_CREDENTIALS_PATH);
+ refresh();
+ }
+
+ @Override
+ public AWSCredentials getCredentials() {
+ return credentials.get();
+ }
+
+ @Override
+ public void refresh() {
+ try {
+ // TODO : implement reading from json file
+ PropertiesCredentials propertiesCredentials = new PropertiesCredentials(this.credentialsPath.toFile());
+ credentials.set(propertiesCredentials);
+ } catch (Exception e) {
+ throw new RuntimeException("Unable to get credentials in " + credentialsPath.toString(), e);
+ }
+ }
+}
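Review bot: The constructor calls `refresh()`, a public overridable method, from a class that is not final, and the `catch (Exception e)` in refresh() folds every failure, including unchecked programming errors, into one RuntimeException. Declare the class `public final class VespaAwsCredentialsProvider implements AWSCredentialsProvider {` (or make refresh() final) and narrow the catch to what the file read can actually raise, `} catch (IOException | IllegalArgumentException e) {` with the matching `java.io.IOException` import. Note also that getCredentials() only hands back whatever was loaded at construction; nothing in this file re-reads the properties file, so credentials rotated on disk are not observed until something calls refresh() — a class Javadoc should state that refresh() is the only reload path, and the hard-coded DEFAULT_CREDENTIALS_PATH deserves a constructor overload taking a Path so the class can be tested without that file present.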