diff --git a/play-with-sld/kubernetes/k8s/sld-api-backend.yml b/play-with-sld/kubernetes/k8s/sld-api-backend.yml
index 6e4fa43..6f9b7ff 100644
--- a/play-with-sld/kubernetes/k8s/sld-api-backend.yml
+++ b/play-with-sld/kubernetes/k8s/sld-api-backend.yml
@@ -17,7 +17,7 @@ spec:
subdomain: primary
containers:
- name: api-backend
- image: d10s0vsky/sld-api:v3.6.0
+ image: d10s0vsky/sld-api:v3.6.1
imagePullPolicy: Always
command: ["python", "-m", "uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000", "--workers", "1"]
ports:
diff --git a/play-with-sld/kubernetes/k8s/sld-dashboard.yml b/play-with-sld/kubernetes/k8s/sld-dashboard.yml
index 287dcbe..f2ae470 100644
--- a/play-with-sld/kubernetes/k8s/sld-dashboard.yml
+++ b/play-with-sld/kubernetes/k8s/sld-dashboard.yml
@@ -17,7 +17,7 @@ spec:
subdomain: primary
containers:
- name: sld-dashboard
- image: d10s0vsky/sld-dashboard:v3.6.0
+ image: d10s0vsky/sld-dashboard:v3.6.1
env:
- name: PATH
value: "/home/sld/.asdf/shims:/home/sld/.asdf/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
diff --git a/play-with-sld/kubernetes/k8s/sld-worker-default.yml b/play-with-sld/kubernetes/k8s/sld-worker-default.yml
index 738fa21..15538e5 100644
--- a/play-with-sld/kubernetes/k8s/sld-worker-default.yml
+++ b/play-with-sld/kubernetes/k8s/sld-worker-default.yml
@@ -17,7 +17,7 @@ spec:
subdomain: primary
containers:
- name: stack-deploy-worker-default
- image: d10s0vsky/sld-api:v3.6.0
+ image: d10s0vsky/sld-api:v3.6.1
imagePullPolicy: Always
env:
- name: TF_WARN_OUTPUT_ERRORS
diff --git a/play-with-sld/kubernetes/k8s/sld-worker-squad1.yml b/play-with-sld/kubernetes/k8s/sld-worker-squad1.yml
index d3e137e..de26ce4 100644
--- a/play-with-sld/kubernetes/k8s/sld-worker-squad1.yml
+++ b/play-with-sld/kubernetes/k8s/sld-worker-squad1.yml
@@ -17,7 +17,7 @@ spec:
subdomain: primary
containers:
- name: stack-deploy-worker-squad1
- image: d10s0vsky/sld-api:v3.6.0
+ image: d10s0vsky/sld-api:v3.6.1
imagePullPolicy: Always
env:
- name: TF_WARN_OUTPUT_ERRORS
diff --git a/play-with-sld/kubernetes/k8s/sld-worker-squad2.yml b/play-with-sld/kubernetes/k8s/sld-worker-squad2.yml
index 32a34bb..1e06dda 100644
--- a/play-with-sld/kubernetes/k8s/sld-worker-squad2.yml
+++ b/play-with-sld/kubernetes/k8s/sld-worker-squad2.yml
@@ -17,7 +17,7 @@ spec:
subdomain: primary
containers:
- name: stack-deploy-worker-squad2
- image: d10s0vsky/sld-api:v3.6.0
+ image: d10s0vsky/sld-api:v3.6.1
imagePullPolicy: Always
env:
- name: TF_WARN_OUTPUT_ERRORS
diff --git a/sld-api-backend/src/worker/security/providers_credentials.py b/sld-api-backend/src/worker/security/providers_credentials.py
index 7cd9336..743bd91 100644
--- a/sld-api-backend/src/worker/security/providers_credentials.py
+++ b/sld-api-backend/src/worker/security/providers_credentials.py
@@ -3,6 +3,7 @@
import json
import logging
import os
+import boto3
from config.api import settings
from src.shared.security.vault import vault_decrypt
@@ -31,6 +32,29 @@ def export(self):
os.environ[k] = v
+def aws_credentials_context(secreto: dict, session_name: str = "sld-worker"):
+ try:
+ os.environ["AWS_ACCESS_KEY_ID"] = decrypt(secreto.get("access_key_id"))
+ os.environ["AWS_SECRET_ACCESS_KEY"] = decrypt(secreto.get("secret_access_key"))
+ os.environ["AWS_DEFAULT_REGION"] = secreto.get("default_region")
+
+ if secreto.get("role_arn"):
+ sts_client = boto3.client(
+ 'sts',
+ aws_access_key_id=decrypt(secreto.get("access_key_id")),
+ aws_secret_access_key=decrypt(secreto.get("secret_access_key")),
+ )
+ assumed_role = sts_client.assume_role(RoleArn=secreto.get("role_arn"), RoleSessionName=session_name)
+ credentials = assumed_role['Credentials']
+ os.environ['AWS_ACCESS_KEY_ID'] = credentials['AccessKeyId']
+ os.environ['AWS_SECRET_ACCESS_KEY'] = credentials['SecretAccessKey']
+ os.environ["AWS_DEFAULT_REGION"] = secreto.get("default_region")
+ os.environ['AWS_SESSION_TOKEN'] = credentials['SessionToken']
+ os.environ["TF_VAR_role_arn"] = secreto.get("role_arn")
+ except Exception as err:
+ logging.error(err)
+ + def createLocalFolder(dir_path: str): + try: + os.makedirs(dir_path)
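Review bot: A failure anywhere inside the new aws_credentials_context — decrypt() raising, a missing default_region (assigning None into os.environ raises TypeError), or a rejected assume_role — is caught by the trailing `except Exception`, logged, and swallowed, so the caller carries on either with no AWS credentials or, when the STS step is what failed, with the long-lived keys exported a few lines earlier instead of the intended role. The function also never removes `AWS_SESSION_TOKEN` or `TF_VAR_role_arn`, so in a worker process that assumed a role for an earlier stack, a later stack without role_arn runs with the previous session token and role ARN still set beside its new static keys. Decrypting the key pair once into locals, popping the two stale variables before exporting anything, and re-raising after the log line addresses all of this; the rewritten lines are below, and the createLocalFolder lines at the end of the hunk appear to be pre-existing context rather than part of the change.
```python
def aws_credentials_context(secreto: dict, session_name: str = "sld-worker"):
    # A previous stack handled by this worker process may have left role
    # credentials behind; never let them leak into this stack's environment.
    for stale in ("AWS_SESSION_TOKEN", "TF_VAR_role_arn"):
        os.environ.pop(stale, None)
    try:
        access_key_id = decrypt(secreto.get("access_key_id"))
        secret_access_key = decrypt(secreto.get("secret_access_key"))
        os.environ["AWS_ACCESS_KEY_ID"] = access_key_id
        os.environ["AWS_SECRET_ACCESS_KEY"] = secret_access_key
        os.environ["AWS_DEFAULT_REGION"] = secreto.get("default_region")

        if secreto.get("role_arn"):
            sts_client = boto3.client(
                'sts',
                aws_access_key_id=access_key_id,
                aws_secret_access_key=secret_access_key,
            )
            # … unchanged: assume_role and export of the temporary credentials …
    except Exception as err:
        logging.error(err)
        raise  # let the caller abort rather than deploy with the wrong credentials
```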
@@ -48,20 +72,8 @@ def secret(
secreto,
):
if any(i in stack_name.lower() for i in settings.AWS_PREFIX):
- try:
- export_environment_variables(secreto)
- os.environ["AWS_ACCESS_KEY_ID"] = decrypt(secreto.get("access_key_id"))
- os.environ["AWS_SECRET_ACCESS_KEY"] = decrypt(secreto.get("secret_access_key"))
- os.environ["AWS_DEFAULT_REGION"] = secreto.get("default_region")
- if secreto.get("role_arn"):
- logging.info("Set role_arn for assume role")
- os.environ["TF_VAR_role_arn"] = secreto.get("role_arn")
- logging.info(f"TF_VAR_role_arn = {secreto.get('role_arn')}")
- logging.info(
- f'Set aws account {squad}, {environment}, {stack_name}, {secreto.get("default_region")}, {name}'
- )
- except Exception as err:
- logging.warning(err)
+ session_name = f"{squad}-{environment}-{name}"
+ aws_credentials_context(secreto=secreto, session_name=session_name)
elif any(i in stack_name.lower() for i in settings.GCLOUD_PREFIX):
export_environment_variables(secreto)
diff --git a/sld-dashboard/app/home/forms.py b/sld-dashboard/app/home/forms.py
index 703370b..d3a3308 100644
--- a/sld-dashboard/app/home/forms.py
+++ b/sld-dashboard/app/home/forms.py
@@ -240,7 +240,7 @@ class AwsForm(FlaskForm):
role_arn = StringField(
"Role_arn",
[
- validators.length(min=4, max=50, message="Role arn out of reange."),
+ validators.length(min=4, max=300, message="Role arn out of reange."),
],
)
extra_variables = FieldList(FormField(ExtraVariableForm), label='Extra Variables')
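Review bot: The AWS branch no longer calls `export_environment_variables(secreto)` — the removed block did so first, and the GCLOUD branch right below still does — so whatever that helper exports for a stack (the hunk does not show it; presumably the remaining secret entries) is silently dropped for AWS stacks; if that is intentional it deserves a comment, otherwise restore the call ahead of `aws_credentials_context(...)`. Separately, `session_name = f"{squad}-{environment}-{name}"` goes straight through as the STS RoleSessionName, which AWS limits to 2–64 characters from `[\w+=,.@-]`; squad, environment and name come from outside this function (secret()'s signature starts above the hunk), so a long or differently-formatted value makes assume_role fail, and with the current error handling that failure is only logged and the deploy proceeds on the static keys. The session name is also what CloudTrail records for every call made under the role, so it is worth keeping it both valid and meaningful: with `re` imported, `session_name = re.sub(r"[^\w+=,.@-]", "-", f"{squad}-{environment}-{name}")[:64]` does that, and aws_credentials_context should then report failure to this caller rather than swallow it.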
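Review bot: Raising the bound to 300 still leaves `role_arn` a free-form string, although the worker hands the value to STS AssumeRole and exports it as `TF_VAR_role_arn`; a shape check on the field would reject typos and non-ARN input at the form instead of at deploy time, e.g. add `validators.Regexp(r"^arn:aws[\w-]*:iam::\d{12}:role/[\w+=,.@/-]+$", message="Not an IAM role ARN.")` to the validator list. The message on the changed line still reads "reange"; since the line is being touched anyway, `message="Role arn out of range."` fixes the typo. IAM paths can in principle make a role ARN longer than 300 characters, so if deep paths are expected the bound may need to grow again.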