Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add role based access support in dynamo db #770

Merged
merged 2 commits into from
Sep 3, 2024
Merged

Add role based access support in dynamo db #770

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
1e09c76
Add role based dynamo db access support
chaitanyasingla-dt Aug 9, 2024
8edc241
Merge branch 'main' into role-based-dyanmodb-access
schmidtw Sep 3, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions argus.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,6 +77,9 @@ store:
# secretKey is the AWS secretKey to go with the accessKey to access dynamodb.
secretKey: "secretKey"

# If roleBasedAccess is enabled, accessKey and secretKey will be fetched using IAM temporary credentials
roleBasedAccess: false

#yugabyte:
# # hosts is and array of address and port used to connect to the cluster.
# hosts:
Expand Down
56 changes: 52 additions & 4 deletions store/dynamodb/db.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,12 +4,15 @@

import (
"errors"
"fmt"
"net/http"
"os"
"time"

"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/awserr"
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/go-playground/validator/v10"
"github.com/xmidt-org/argus/model"
"github.com/xmidt-org/argus/store"
Expand Down Expand Up @@ -69,6 +72,9 @@
// dual stack (IPv4 and IPv6).
// (Optional) Defaults to False.
DisableDualStack bool

// If roleBasedAccess is enabled, accessKey and secretKey will be fetched using IAM temporary credentials
RoleBasedAccess bool
}

// dao adapts the underlying dynamodb data service to match
Expand All @@ -89,16 +95,44 @@
return nil, err
}

var creds credentials.Value
if config.RoleBasedAccess {
awsRegion, err := getAwsRegionForRoleBasedAccess(config)
if err != nil {
return nil, err

Check warning on line 102 in store/dynamodb/db.go

View check run for this annotation

Codecov / codecov/patch

store/dynamodb/db.go#L98-L102 

Added lines #L98 - L102 were not covered by tests
}

sess, err := session.NewSession(&aws.Config{
Region: aws.String(awsRegion)},
)
if err != nil {
return nil, err

Check warning on line 109 in store/dynamodb/db.go

View check run for this annotation

Codecov / codecov/patch

store/dynamodb/db.go#L105-L109 

Added lines #L105 - L109 were not covered by tests
}

value, err := sess.Config.Credentials.Get()
if err != nil {
return nil, err

Check warning on line 114 in store/dynamodb/db.go

View check run for this annotation

Codecov / codecov/patch

store/dynamodb/db.go#L112-L114 

Added lines #L112 - L114 were not covered by tests
}

creds = credentials.Value{
AccessKeyID: value.AccessKeyID,
SecretAccessKey: value.SecretAccessKey,
SessionToken: value.SessionToken,

Check warning on line 120 in store/dynamodb/db.go

View check run for this annotation

Codecov / codecov/patch

store/dynamodb/db.go#L117-L120 

Added lines #L117 - L120 were not covered by tests
}
} else {
creds = credentials.Value{
AccessKeyID: config.AccessKey,
SecretAccessKey: config.SecretKey,

Check warning on line 125 in store/dynamodb/db.go

View check run for this annotation

Codecov / codecov/patch

store/dynamodb/db.go#L122-L125 

Added lines #L122 - L125 were not covered by tests
}
}

awsConfig := *aws.NewConfig().
WithEndpoint(config.Endpoint).
WithUseDualStack(!config.DisableDualStack).
WithMaxRetries(config.MaxRetries).
WithCredentialsChainVerboseErrors(true).
WithRegion(config.Region).
WithCredentials(credentials.NewStaticCredentialsFromCreds(credentials.Value{
AccessKeyID: config.AccessKey,
SecretAccessKey: config.SecretKey,
}))
WithCredentials(credentials.NewStaticCredentialsFromCreds(creds))

Check warning on line 135 in store/dynamodb/db.go

View check run for this annotation

Codecov / codecov/patch

store/dynamodb/db.go#L135 

Added line #L135 was not covered by tests

svc, err := newService(awsConfig, "", config.Table, int64(config.GetAllLimit), &measures)
if err != nil {
Expand All @@ -111,6 +145,20 @@
}, nil
}

func getAwsRegionForRoleBasedAccess(config Config) (string, error) {
awsRegion := config.Region

Check warning on line 149 in store/dynamodb/db.go

View check run for this annotation

Codecov / codecov/patch

store/dynamodb/db.go#L148-L149 

Added lines #L148 - L149 were not covered by tests

if len(awsRegion) == 0 {
awsRegion = os.Getenv("AWS_REGION")

Check warning on line 152 in store/dynamodb/db.go

View check run for this annotation

Codecov / codecov/patch

store/dynamodb/db.go#L151-L152 

Added lines #L151 - L152 were not covered by tests
}

if len(awsRegion) == 0 {
return "", fmt.Errorf("%s", "Aws region is not provided")

Check warning on line 156 in store/dynamodb/db.go

View check run for this annotation

Codecov / codecov/patch

store/dynamodb/db.go#L155-L156 

Added lines #L155 - L156 were not covered by tests
}

return awsRegion, nil

Check warning on line 159 in store/dynamodb/db.go

View check run for this annotation

Codecov / codecov/patch

store/dynamodb/db.go#L159 

Added line #L159 was not covered by tests
}

func (d dao) Push(key model.Key, item store.OwnableItem) error {
_, err := d.s.Push(key, item)
return sanitizeError(err)
Expand Down