Merge pull request #235 from D10S0VSkY-OSS/refactor/aws-assume-role

🔧refactor: aws asume role
D10S0VSkY-OSS · Jan 19, 2024 · f8b8d69 · f8b8d69
2 parents 144c927 + 535f38b
commit f8b8d69
Show file tree

Hide file tree

Showing 7 changed files with 32 additions and 20 deletions.
diff --git a/play-with-sld/kubernetes/k8s/sld-api-backend.yml b/play-with-sld/kubernetes/k8s/sld-api-backend.yml
@@ -17,7 +17,7 @@ spec:
       subdomain: primary
       containers:
       - name: api-backend
-        image: d10s0vsky/sld-api:v3.6.0
+        image: d10s0vsky/sld-api:v3.6.1
         imagePullPolicy: Always
         command: ["python", "-m", "uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000", "--workers", "1"]
         ports:

diff --git a/play-with-sld/kubernetes/k8s/sld-dashboard.yml b/play-with-sld/kubernetes/k8s/sld-dashboard.yml
@@ -17,7 +17,7 @@ spec:
       subdomain: primary
       containers:
         - name: sld-dashboard
-          image: d10s0vsky/sld-dashboard:v3.6.0
+          image: d10s0vsky/sld-dashboard:v3.6.1
           env:
           - name: PATH
             value: "/home/sld/.asdf/shims:/home/sld/.asdf/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

diff --git a/play-with-sld/kubernetes/k8s/sld-worker-default.yml b/play-with-sld/kubernetes/k8s/sld-worker-default.yml
@@ -17,7 +17,7 @@ spec:
       subdomain: primary
       containers:
         - name: stack-deploy-worker-default
-          image: d10s0vsky/sld-api:v3.6.0
+          image: d10s0vsky/sld-api:v3.6.1
           imagePullPolicy: Always
           env:
           - name: TF_WARN_OUTPUT_ERRORS

diff --git a/play-with-sld/kubernetes/k8s/sld-worker-squad1.yml b/play-with-sld/kubernetes/k8s/sld-worker-squad1.yml
@@ -17,7 +17,7 @@ spec:
       subdomain: primary
       containers:
         - name: stack-deploy-worker-squad1
-          image: d10s0vsky/sld-api:v3.6.0
+          image: d10s0vsky/sld-api:v3.6.1
           imagePullPolicy: Always
           env:
           - name: TF_WARN_OUTPUT_ERRORS

diff --git a/play-with-sld/kubernetes/k8s/sld-worker-squad2.yml b/play-with-sld/kubernetes/k8s/sld-worker-squad2.yml
@@ -17,7 +17,7 @@ spec:
       subdomain: primary
       containers:
         - name: stack-deploy-worker-squad2
-          image: d10s0vsky/sld-api:v3.6.0
+          image: d10s0vsky/sld-api:v3.6.1
           imagePullPolicy: Always
           env:
           - name: TF_WARN_OUTPUT_ERRORS

diff --git a/sld-api-backend/src/worker/security/providers_credentials.py b/sld-api-backend/src/worker/security/providers_credentials.py
@@ -3,6 +3,7 @@
 import json
 import logging
 import os
+import boto3
 
 from config.api import settings
 from src.shared.security.vault import vault_decrypt
@@ -31,6 +32,29 @@ def export(self):
             os.environ[k] = v
 
 
+def aws_credentials_context(secreto: dict, session_name: str = "sld-worker"):
+    try:
+        os.environ["AWS_ACCESS_KEY_ID"] = decrypt(secreto.get("access_key_id"))
+        os.environ["AWS_SECRET_ACCESS_KEY"] = decrypt(secreto.get("secret_access_key"))
+        os.environ["AWS_DEFAULT_REGION"] = secreto.get("default_region")
+
+        if secreto.get("role_arn"):
+            sts_client = boto3.client(
+                'sts',
+                aws_access_key_id=decrypt(secreto.get("access_key_id")),
+                aws_secret_access_key=decrypt(secreto.get("secret_access_key")),
+            )
+            assumed_role = sts_client.assume_role(RoleArn=secreto.get("role_arn"), RoleSessionName=session_name)
+            credentials = assumed_role['Credentials']
+            os.environ['AWS_ACCESS_KEY_ID'] = credentials['AccessKeyId']
+            os.environ['AWS_SECRET_ACCESS_KEY'] = credentials['SecretAccessKey']
+            os.environ["AWS_DEFAULT_REGION"] = secreto.get("default_region")
+            os.environ['AWS_SESSION_TOKEN'] = credentials['SessionToken']
+            os.environ["TF_VAR_role_arn"] = secreto.get("role_arn")
+    except Exception as err:
+        logging.error(err)
+
+
 def createLocalFolder(dir_path: str):
     try:
         os.makedirs(dir_path)
@@ -48,20 +72,8 @@ def secret(
     secreto,
 ):
     if any(i in stack_name.lower() for i in settings.AWS_PREFIX):
-        try:
-            export_environment_variables(secreto)
-            os.environ["AWS_ACCESS_KEY_ID"] = decrypt(secreto.get("access_key_id"))
-            os.environ["AWS_SECRET_ACCESS_KEY"] = decrypt(secreto.get("secret_access_key"))
-            os.environ["AWS_DEFAULT_REGION"] = secreto.get("default_region")
-            if secreto.get("role_arn"):
-                logging.info("Set role_arn for assume role")
-                os.environ["TF_VAR_role_arn"] = secreto.get("role_arn")
-                logging.info(f"TF_VAR_role_arn = {secreto.get('role_arn')}")
-            logging.info(
-                f'Set aws account {squad}, {environment}, {stack_name}, {secreto.get("default_region")}, {name}'
-            )
-        except Exception as err:
-            logging.warning(err)
+        session_name = f"{squad}-{environment}-{name}"
+        aws_credentials_context(secreto=secreto, session_name=session_name)
 
     elif any(i in stack_name.lower() for i in settings.GCLOUD_PREFIX):
         export_environment_variables(secreto)

diff --git a/sld-dashboard/app/home/forms.py b/sld-dashboard/app/home/forms.py
@@ -240,7 +240,7 @@ class AwsForm(FlaskForm):
     role_arn = StringField(
         "Role_arn",
         [
-            validators.length(min=4, max=50, message="Role arn out of reange."),
+            validators.length(min=4, max=300, message="Role arn out of reange."),
         ],
     )
     extra_variables = FieldList(FormField(ExtraVariableForm), label='Extra Variables')