Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow specifying AWS role at runtime #81

Merged
merged 1 commit into from
Aug 9, 2021
Merged

Allow specifying AWS role at runtime #81

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
55 changes: 30 additions & 25 deletions src/main/java/com/cloudbees/jenkins/plugins/awscredentials/AWSCredentialsImpl.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,8 +28,8 @@
import com.amazonaws.AmazonClientException;
import com.amazonaws.AmazonServiceException;
import com.amazonaws.ClientConfiguration;
import com.amazonaws.SdkClientException;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.BasicSessionCredentials;
Expand Down Expand Up @@ -131,35 +131,16 @@ public AWSCredentials getCredentials() {
if (StringUtils.isBlank(iamRoleArn)) {
return initialCredentials;
} else {
// Check for available region from the SDK, otherwise specify default
String clientRegion = null;
DefaultAwsRegionProviderChain sdkRegionLookup = new DefaultAwsRegionProviderChain();
try {
clientRegion = sdkRegionLookup.getRegion();
} catch (RuntimeException e) {
LOGGER.log(Level.WARNING, "Could not find default region using SDK lookup.", e);
}
if (clientRegion == null) {
clientRegion = Regions.DEFAULT_REGION.getName();
}

ClientConfiguration clientConfiguration = getClientConfiguration();

AWSSecurityTokenService client;
AWSCredentialsProvider baseProvider;
// Handle the case of delegation to instance profile
if (StringUtils.isBlank(accessKey) && StringUtils.isBlank(secretKey.getPlainText())) {
client = AWSSecurityTokenServiceClientBuilder.standard()
.withRegion(clientRegion)
.withClientConfiguration(clientConfiguration)
.build();
baseProvider = null;
} else {
client = AWSSecurityTokenServiceClientBuilder.standard()
.withCredentials(new AWSStaticCredentialsProvider(initialCredentials))
.withRegion(clientRegion)
.withClientConfiguration(clientConfiguration)
.build();
baseProvider = new AWSStaticCredentialsProvider(initialCredentials);
}

AWSSecurityTokenService client = buildStsClient(baseProvider);

AssumeRoleRequest assumeRequest = createAssumeRoleRequest(iamRoleArn)
.withDurationSeconds(this.getStsTokenDuration());

Expand Down Expand Up @@ -200,6 +181,30 @@ public String getDisplayName() {
return accessKey + ":" + iamRoleArn;
}

/*package*/ static AWSSecurityTokenService buildStsClient(AWSCredentialsProvider provider) {
// Check for available region from the SDK, otherwise specify default
String clientRegion = null;
DefaultAwsRegionProviderChain sdkRegionLookup = new DefaultAwsRegionProviderChain();
try {
clientRegion = sdkRegionLookup.getRegion();
} catch(RuntimeException e) {
LOGGER.log(Level.WARNING, "Could not find default region using SDK lookup.", e);
}
if (clientRegion == null) {
clientRegion = Regions.DEFAULT_REGION.getName();
}

AWSSecurityTokenServiceClientBuilder builder = AWSSecurityTokenServiceClientBuilder.standard()
.withRegion(clientRegion)
.withClientConfiguration(getClientConfiguration());

if (provider != null) {
builder = builder.withCredentials(provider);
}

return builder.build();
}

private static AssumeRoleRequest createAssumeRoleRequest(String iamRoleArn) {
return new AssumeRoleRequest()
.withRoleArn(iamRoleArn)
Expand Down
51 changes: 49 additions & 2 deletions ...ava/com/cloudbees/jenkins/plugins/awscredentials/AmazonWebServicesCredentialsBinding.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,10 @@

import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSSessionCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSSessionCredentialsProvider;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.Nullable;
import hudson.Extension;
Expand All @@ -39,6 +43,7 @@
import org.jenkinsci.plugins.credentialsbinding.MultiBinding;
import org.jenkinsci.Symbol;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;

import javax.annotation.Nonnull;
import java.io.IOException;
Expand All @@ -62,6 +67,10 @@ public class AmazonWebServicesCredentialsBinding extends MultiBinding<AmazonWebS
@NonNull
private final String secretKeyVariable;

private String roleArn;
private String roleSessionName;
private int roleSessionDurationSeconds;

/**
*
* @param accessKeyVariable if {@code null}, {@value DEFAULT_ACCESS_KEY_ID_VARIABLE_NAME} will be used.
Expand All @@ -85,14 +94,35 @@ public String getSecretKeyVariable() {
return secretKeyVariable;
}

@DataBoundSetter
public void setRoleArn(String roleArn) {
this.roleArn = roleArn;
}

@DataBoundSetter
public void setRoleSessionName(String roleSessionName) {
this.roleSessionName = roleSessionName;
}

@DataBoundSetter
public void setRoleSessionDurationSeconds(int roleSessionDurationSeconds) {
this.roleSessionDurationSeconds = roleSessionDurationSeconds;
}

@Override
protected Class<AmazonWebServicesCredentials> type() {
return AmazonWebServicesCredentials.class;
}

@Override
public MultiEnvironment bind(@Nonnull Run<?, ?> build, FilePath workspace, Launcher launcher, TaskListener listener) throws IOException, InterruptedException {
AWSCredentials credentials = getCredentials(build).getCredentials();
AWSCredentialsProvider provider = getCredentials(build);
if (!StringUtils.isEmpty(this.roleArn)) {
provider = this.assumeRoleProvider(provider);
}

AWSCredentials credentials = provider.getCredentials();

Map<String,String> m = new HashMap<String,String>();
m.put(accessKeyVariable, credentials.getAWSAccessKeyId());
m.put(secretKeyVariable, credentials.getAWSSecretKey());
Expand All @@ -104,9 +134,26 @@ public MultiEnvironment bind(@Nonnull Run<?, ?> build, FilePath workspace, Launc
return new MultiEnvironment(m);
}

private AWSSessionCredentialsProvider assumeRoleProvider(AWSCredentialsProvider baseProvider) {
AWSSecurityTokenService stsClient = AWSCredentialsImpl.buildStsClient(baseProvider);

String roleSessionName = StringUtils.defaultIfBlank(this.roleSessionName, "Jenkins");

STSAssumeRoleSessionCredentialsProvider.Builder assumeRoleProviderBuilder =
new STSAssumeRoleSessionCredentialsProvider.Builder(this.roleArn, roleSessionName)
.withStsClient(stsClient);

if (this.roleSessionDurationSeconds > 0) {
assumeRoleProviderBuilder = assumeRoleProviderBuilder
.withRoleSessionDurationSeconds(this.roleSessionDurationSeconds);
}
Comment on lines +144 to +149
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We might have a problem here.
The setter requires a value between 900 and 3600, or it throws an IllegalArgumentException. But we are not checking this.
However, the STSAssumeRoleSessionCredentialsProvider constructor will use DEFAULT_DURATION_SECONDS (900) if the value is equal to 0.

I would suggest to either have a doCheckX method in the descriptor to validate that the duration is truly between 900 and 3600. You can even have the default value to 900. This would not be used in pipeline setup.
Or you need to change the condition here.

(option 1)

Suggested change
.withStsClient(stsClient);
if (this.roleSessionDurationSeconds > 0) {
assumeRoleProviderBuilder = assumeRoleProviderBuilder
.withRoleSessionDurationSeconds(this.roleSessionDurationSeconds);
}
.withStsClient(stsClient)
.withRoleSessionDurationSeconds(this.roleSessionDurationSeconds);

(option 2)

Suggested change
.withStsClient(stsClient);
if (this.roleSessionDurationSeconds > 0) {
assumeRoleProviderBuilder = assumeRoleProviderBuilder
.withRoleSessionDurationSeconds(this.roleSessionDurationSeconds);
}
.withStsClient(stsClient);
if (this.roleSessionDurationSeconds >= 900 && this.roleSessionDurationSeconds <= 3600) {
assumeRoleProviderBuilder = assumeRoleProviderBuilder
.withRoleSessionDurationSeconds(this.roleSessionDurationSeconds);
}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My intent was to let the bounds just be controlled by the AWS SDK so that you don't have to keep the two in sync. (For example, a newer version of the SDK might change it so you can assume a role for up to 2 hours.) Similarly, I think it makes more sense to allow the default value to be chosen by the SDK, as it currently is.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I understand. The problem is that the "check" will be done by the library which throws an exception. I'm not sure this is the most clear way to handle the situation for users.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm a little confused. What exactly would we do in this code if the role session duration is out of bounds other than throw an exception ourselves?


return assumeRoleProviderBuilder.build();
}

@Override
public Set<String> variables() {
return new HashSet<String>(Arrays.asList(accessKeyVariable, secretKeyVariable));
return new HashSet<String>(Arrays.asList(accessKeyVariable, secretKeyVariable, SESSION_TOKEN_VARIABLE_NAME));
}

@Symbol("aws")
Expand Down