
feat(postgres): add iam roles anywhere auth profile #3604

Open. Wants to merge 6 commits into base: main.
Conversation

@sicoyle (Contributor) commented Nov 15, 2024

Description

Add IAM Roles Anywhere auth profile to PostgreSQL components.

I saw that we've had fields like awsAccessKey and awsSecretKey specific to postgres. However, in the AWS built-in profiles for authentication we have accessKey and secretKey. I've moved things to where we have some TODO comments to remove those aws-prefixed fields in Dapr 1.17; however, to not break existing users, we cannot just remove these additional fields. Due to this, I had to manually manipulate the metadata bundle even further, unfortunately. This is something we should never do. However, again in the case of the auth profile titled "AWS: Access Key ID and Secret Access Key", I am forced to update the manipulations further to make the normally required accessKey and secretKey fields non-required as we transition over the next two releases to the normalized AWS auth profile fields without the aws prefix.

AWS Auth profiles with these changes:

[
  {
    "title": "AWS: Access Key ID and Secret Access Key",
    "description": "Authenticate using an Access Key ID and Secret Access Key included in the metadata",
    "metadata": [
      {
        "name": "useAWSIAM",
        "description": "Must be set to `true` to enable the component to retrieve access tokens from AWS IAM.\nThis authentication method only works with AWS Relational Database Service for PostgreSQL databases.",
        "required": true,
        "type": "bool",
        "example": "\"true\""
      },
      {
        "name": "connectionString",
        "description": "The connection string for the PostgreSQL database\nThis must contain the user, which corresponds to the name of the user created inside PostgreSQL that maps to the AWS IAM policy. This connection string should not contain any password. Note that the database name field is denoted by dbname with AWS.",
        "required": true,
        "sensitive": true,
        "type": "string",
        "example": "\"host=mydb.postgres.database.aws.com user=myapplication port=5432 dbname=dapr_test sslmode=require\""
      },
      {
        "name": "awsAccessKey",
        "description": "Deprecated as of Dapr 1.17. Use 'accessKey' instead if using AWS IAM.\nIf both fields are set, then 'accessKey' value will be used.\nAWS access key associated with an IAM account.",
        "type": "string",
        "example": "\"AKIAIOSFODNN7EXAMPLE\""
      },
      {
        "name": "awsSecretKey",
        "description": "Deprecated as of Dapr 1.17. Use 'secretKey' instead if using AWS IAM.\nIf both fields are set, then 'secretKey' value will be used.\nThe secret key associated with the access key.",
        "sensitive": true,
        "type": "string",
        "example": "\"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\""
      },
      {
        "name": "awsRegion",
        "description": "The AWS Region where the AWS resource is deployed to.",
        "required": true,
        "type": "string",
        "example": "\"us-east-1\""
      },
      {
        "name": "accessKey",
        "description": "AWS access key associated with an IAM account",
        "sensitive": true,
        "example": "\"AKIAIOSFODNN7EXAMPLE\""
      },
      {
        "name": "secretKey",
        "description": "The secret key associated with the access key",
        "sensitive": true,
        "example": "\"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\""
      },
      {
        "name": "sessionToken",
        "description": "AWS session token to use. A session token is only required if you are using\ntemporary security credentials.",
        "sensitive": true,
        "type": "string",
        "example": "\"TOKEN\""
      }
    ]
  },
  {
    "title": "AWS: Credentials from Environment Variables",
    "description": "Use AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY from the environment",
    "metadata": [
      {
        "name": "useAWSIAM",
        "description": "Must be set to `true` to enable the component to retrieve access tokens from AWS IAM.\nThis authentication method only works with AWS Relational Database Service for PostgreSQL databases.",
        "required": true,
        "type": "bool",
        "example": "\"true\""
      },
      {
        "name": "connectionString",
        "description": "The connection string for the PostgreSQL database\nThis must contain the user, which corresponds to the name of the user created inside PostgreSQL that maps to the AWS IAM policy. This connection string should not contain any password. Note that the database name field is denoted by dbname with AWS.",
        "required": true,
        "sensitive": true,
        "type": "string",
        "example": "\"host=mydb.postgres.database.aws.com user=myapplication port=5432 dbname=dapr_test sslmode=require\""
      }
    ]
  },
  {
    "title": "AWS: IAM Roles Anywhere",
    "description": "Use X.509 certificates to establish trust between your AWS account and the Dapr cluster using AWS IAM Roles Anywhere.",
    "metadata": [
      {
        "name": "useAWSIAM",
        "description": "Must be set to `true` to enable the component to retrieve access tokens from AWS IAM.\nThis authentication method only works with AWS Relational Database Service for PostgreSQL databases.",
        "required": true,
        "type": "bool",
        "example": "\"true\""
      },
      {
        "name": "connectionString",
        "description": "The connection string for the PostgreSQL database\nThis must contain the user, which corresponds to the name of the user created inside PostgreSQL that maps to the AWS IAM policy. This connection string should not contain any password. Note that the database name field is denoted by dbname with AWS.",
        "required": true,
        "sensitive": true,
        "type": "string",
        "example": "\"host=mydb.postgres.database.aws.com user=myapplication port=5432 dbname=dapr_test sslmode=require\""
      },
      {
        "name": "trustAnchorArn",
        "description": "ARN of the AWS Trust Anchor in the AWS account granting trust to the Dapr Certificate Authority.",
        "required": true,
        "example": "arn:aws:rolesanywhere:us-west-1:012345678910:trust-anchor/01234568-0123-0123-0123-012345678901"
      },
      {
        "name": "trustProfileArn",
        "description": "ARN of the AWS IAM Profile in the trusting AWS account.",
        "required": true,
        "example": "arn:aws:rolesanywhere:us-west-1:012345678910:profile/01234568-0123-0123-0123-012345678901"
      },
      {
        "name": "assumeRoleArn",
        "description": "ARN of the AWS IAM role to assume in the trusting AWS account.",
        "required": true,
        "example": "arn:aws:iam::012345678910:role/exampleIAMRoleName"
      }
    ]
  }
]

Issue reference

We strive to have all PR being opened based on an issue, where the problem or feature have been discussed prior to implementation.

Please reference the issue this PR will close: #[issue number]

Checklist

Please make sure you've completed the relevant tasks for this PR, out of the following list:

  • Code compiles correctly
  • Created/updated tests
  • Extended the documentation / Created issue in the https://github.com/dapr/docs/ repo: dapr/docs#[issue number]
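The field precedence and the connection-string rule the description above lays out (un-prefixed accessKey/secretKey win over the deprecated awsAccessKey/awsSecretKey; no password in the DSN; the three Roles Anywhere ARNs all required), worked through as an added example in Go. This is not code from this PR or from Dapr: ResolveAWSAuth, ResolvedAuth, AuthMode and CheckConnectionString are names chosen here, the ARN patterns are this example's own sanity checks, and the sample metadata is constructed from the profile's example values, not taken from a real deployment.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// AuthMode is the AWS auth profile the component metadata resolves to.
type AuthMode int

const (
	AuthEnvironment   AuthMode = iota // AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY from the environment
	AuthStaticKeys                    // accessKey / secretKey, or the deprecated awsAccessKey / awsSecretKey
	AuthRolesAnywhere                 // trustAnchorArn / trustProfileArn / assumeRoleArn
)

// ResolvedAuth is a hypothetical result type for this example, not one of Dapr's.
type ResolvedAuth struct {
	Mode                                     AuthMode
	AccessKey, SecretKey                     string
	TrustAnchorArn, TrustProfileArn, RoleArn string
}

// IAM is a global service, so a role ARN has an empty region field: arn:aws:iam::<account>:role/<name>.
var (
	trustAnchorRe = regexp.MustCompile(`^arn:aws:rolesanywhere:[a-z0-9-]+:\d{12}:trust-anchor/[0-9a-f-]{36}$`)
	profileRe     = regexp.MustCompile(`^arn:aws:rolesanywhere:[a-z0-9-]+:\d{12}:profile/[0-9a-f-]{36}$`)
	roleRe        = regexp.MustCompile(`^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$`)
)

// firstNonEmpty returns the first key that is set: naming the un-prefixed field before its
// deprecated aws-prefixed twin gives the precedence the PR description states.
func firstNonEmpty(meta map[string]string, keys ...string) string {
	for _, k := range keys {
		if v := strings.TrimSpace(meta[k]); v != "" {
			return v
		}
	}
	return ""
}

// CheckConnectionString enforces the profile's rule for IAM auth: the keyword=value DSN names the
// user (the PostgreSQL role mapped to the IAM policy) and carries no password, since the IAM token
// is injected as the password at connect time. Only the keyword=value form of the examples is handled.
func CheckConnectionString(cs string) error {
	hasUser := false
	for _, kv := range strings.Fields(cs) {
		key, _, ok := strings.Cut(kv, "=")
		switch {
		case !ok:
			return fmt.Errorf("unsupported connection string element %q (keyword=value form expected)", kv)
		case strings.EqualFold(key, "password"):
			return errors.New("connection string must not contain a password when useAWSIAM is true")
		case strings.EqualFold(key, "user"):
			hasUser = true
		}
	}
	if !hasUser {
		return errors.New("connection string must contain user=<postgres role mapped to the IAM policy>")
	}
	return nil
}

// ResolveAWSAuth picks exactly one auth mode and rejects ambiguous or half-configured metadata
// instead of silently falling back to another credential source.
func ResolveAWSAuth(meta map[string]string) (ResolvedAuth, error) {
	var out ResolvedAuth
	if !strings.EqualFold(strings.TrimSpace(meta["useAWSIAM"]), "true") {
		return out, errors.New(`useAWSIAM must be "true" for the AWS auth profiles`)
	}
	if err := CheckConnectionString(meta["connectionString"]); err != nil {
		return out, err
	}
	out.AccessKey, out.SecretKey = firstNonEmpty(meta, "accessKey", "awsAccessKey"), firstNonEmpty(meta, "secretKey", "awsSecretKey")
	out.TrustAnchorArn, out.TrustProfileArn = firstNonEmpty(meta, "trustAnchorArn"), firstNonEmpty(meta, "trustProfileArn")
	out.RoleArn = firstNonEmpty(meta, "assumeRoleArn")
	rolesAnywhere := out.TrustAnchorArn != "" || out.TrustProfileArn != "" || out.RoleArn != ""
	staticKeys := out.AccessKey != "" || out.SecretKey != ""
	switch {
	case rolesAnywhere && staticKeys:
		return out, errors.New("set either static access keys or IAM Roles Anywhere ARNs, not both")
	case rolesAnywhere: // all three ARNs are required, and each must be the right kind of ARN
		if !trustAnchorRe.MatchString(out.TrustAnchorArn) || !profileRe.MatchString(out.TrustProfileArn) || !roleRe.MatchString(out.RoleArn) {
			return out, errors.New("trustAnchorArn, trustProfileArn and assumeRoleArn must all be set and well-formed")
		}
		out.Mode = AuthRolesAnywhere
	case staticKeys: // exactly one of the pair is a misconfiguration, not a fallback to the environment
		if out.AccessKey == "" || out.SecretKey == "" {
			return out, errors.New("accessKey and secretKey must both be set")
		}
		out.Mode = AuthStaticKeys
	default:
		out.Mode = AuthEnvironment
	}
	return out, nil
}

func main() { // constructed sample input, not a real deployment
	ra, err := ResolveAWSAuth(map[string]string{"useAWSIAM": "true",
		"connectionString": "host=mydb.postgres.database.aws.com user=myapplication port=5432 dbname=dapr_test sslmode=require",
		"trustAnchorArn":   "arn:aws:rolesanywhere:us-west-1:012345678910:trust-anchor/01234568-0123-0123-0123-012345678901",
		"trustProfileArn":  "arn:aws:rolesanywhere:us-west-1:012345678910:profile/01234568-0123-0123-0123-012345678901",
		"assumeRoleArn":    "arn:aws:iam::012345678910:role/exampleIAMRoleName"})
	fmt.Println(ra.Mode == AuthRolesAnywhere, err) // true <nil>
}
```

Resolving the mode once, before any token is built, means a half-set key pair, a password left in the DSN, or a role ARN with a stray region field fails at component init rather than at the first connection attempt, where it would otherwise surface as an opaque authentication error from RDS.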

@sicoyle sicoyle requested review from a team as code owners November 15, 2024 23:25
@sicoyle sicoyle changed the title Feat iam roles anywhere postgres feat(postgres): add iam roles anywhere auth profile Nov 15, 2024
@sicoyle (Contributor, Author) commented Nov 19, 2024

/ok-to-test

@dapr-bot (Collaborator)

Complete Build Matrix

The build status is currently not updated here. Please visit the action run below directly.

🔗 Link to Action run

Commit ref: 0e4401c

@dapr-bot (Collaborator) commented Nov 19, 2024

Components conformance test

🔗 Link to Action run

Commit ref: 0e4401c

❌ Some conformance tests failed

These tests failed:

  • bindings.azure.eventgrid
  • state.sqlserver

@dapr-bot (Collaborator) commented Nov 19, 2024

Components certification test

🔗 Link to Action run

Commit ref: 0e4401c

❌ Some certification tests failed

These tests failed:

  • bindings.azure.eventhubs
  • pubsub.gcp.pubsub
  • state.azure.cosmosdb

func (a *StaticAuth) getDatabaseToken(ctx context.Context, poolConfig *pgxpool.Config) (string, error) {
dbEndpoint := poolConfig.ConnConfig.Host + ":" + strconv.Itoa(int(poolConfig.ConnConfig.Port))
switch {
case a.accessKey != nil && a.secretKey != nil:
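Review bot: the guard `a.accessKey != nil && a.secretKey != nil` means a configuration that sets only one of the pair (easy to do while migrating from the deprecated `awsAccessKey`/`awsSecretKey` to `accessKey`/`secretKey`, which this PR makes non-required) does not match this case, and the switch moves on to whatever credential source comes next instead of failing; return an explicit error when exactly one of the two is set. Minor: build `dbEndpoint` with `net.JoinHostPort(poolConfig.ConnConfig.Host, strconv.Itoa(int(poolConfig.ConnConfig.Port)))` rather than string concatenation so an IPv6 host is bracketed correctly.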
A Contributor commented on the lines above:

Rather than this I would do a simple if statement, much simpler to read.

@famarting (Contributor) commented:

So this PR is missing the assume role auth profile, right?

@sicoyle (Contributor, Author) commented Nov 20, 2024

https://github.com/dapr/components-contrib/pull/3607/files
Yes, didn't want to bring a bunch into this one PR, but after I get the Kafka PR merged this will be an easy add here.

Please give me a sec on this PR because I do need to make tweaks, but I'm doing the Kafka PR first.
