-
Notifications
You must be signed in to change notification settings - Fork 916
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adds a session token to AWS Credentials #6103
Adds a session token to AWS Credentials #6103
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #6103 +/- ##
=======================================
Coverage 67.13% 67.13%
=======================================
Files 3324 3324
Lines 64318 64327 +9
Branches 10344 10345 +1
=======================================
+ Hits 43178 43185 +7
- Misses 18617 18618 +1
- Partials 2523 2524 +1
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
@bandinib-amzn would you add a little background why we has to add is it a optional parameter or required? |
Added more details in description. It is optional parameter. |
042abe7
to
ade9ac7
Compare
@@ -199,11 +200,12 @@ const getBasicAuthClient = ( | |||
}; | |||
|
|||
const getAWSClient = (credential: SigV4Content, clientOptions: ClientOptions): Client => { | |||
const { accessKey, secretKey, region, service } = credential; | |||
const { accessKey, secretKey, region, service, sessionToken } = credential; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would assume we need to use sts to generate the sessionToken, and since session token has limited time, we need to generate it every time we use the IAM cred, will it be addressed in a separate PR?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, right. But we are not providing any predefined auth methods in core data source plugin which will generate session token. But user can build their own auth method in plugin or any other component where they can use sts to generate the sessionToken and register auth methods and provides credentials using registerCredentialProvider but as I said in overview, while users can design their own credential provider, they rely on the data source plugin to authenticate requests and return the client. Therefore, it's important to add support for session tokens.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got it, thanks!!!
Signed-off-by: Bandini Bhopi <[email protected]>
Signed-off-by: Bandini Bhopi <[email protected]>
ade9ac7
to
880c9e6
Compare
6d882c9
into
opensearch-project:main
* Adds session token for aws connection Signed-off-by: Bandini Bhopi <[email protected]> * Adds changelog Signed-off-by: Bandini Bhopi <[email protected]> --------- Signed-off-by: Bandini Bhopi <[email protected]> (cherry picked from commit 6d882c9) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> # Conflicts: # CHANGELOG.md
* Adds session token for aws connection Signed-off-by: Bandini Bhopi <[email protected]> * Adds changelog Signed-off-by: Bandini Bhopi <[email protected]> --------- Signed-off-by: Bandini Bhopi <[email protected]> (cherry picked from commit 6d882c9) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> # Conflicts: # CHANGELOG.md
* Adds session token for aws connection Signed-off-by: Bandini Bhopi <[email protected]> * Adds changelog Signed-off-by: Bandini Bhopi <[email protected]> --------- Signed-off-by: Bandini Bhopi <[email protected]> (cherry picked from commit 6d882c9) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> # Conflicts: # CHANGELOG.md Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Description
The new interface in the data source plugin, named registerCredentialProvider makes it easier for users to set up their own authentication methods and mechanism to fetch the credentials. This feature helps with role-based authentication, where users can create temporary AWS credentials, including session tokens. While users can design their own credential provider, they rely on the data source plugin to authenticate requests and return the client. Therefore, it's important to add support for session tokens.
Issues Resolved
Partially resolves #5838, #5696
Screenshot
Testing the changes
Check List
yarn test:jest
yarn test:jest_integration