Add AssumeRole support for EFS provider #215
Conversation
| @@ -61,13 +62,23 @@ func NewEFSProvider(config map[string]string) (blockstorage.Provider, error) { | |||
| return nil, errors.New("Account ID is empty") | |||
| } | |||
| accountID := *user.Account | |||
| efsCli := awsefs.New(s, aws.NewConfig().WithRegion(region)) | |||
| backupCli := backup.New(s, aws.NewConfig().WithRegion(region)) | |||
| creds := awsConfig.Credentials | |||
There was a problem hiding this comment.
@hakanmemisoglu - this makes sense to me i.e. adding the ability to accept an AWS role as an input and using that if specified - this is the direction we want to head in for all AWS operations.
@julio-lopez - second pair of eyes please? Some context on why we're adding this. Instead of creating a "test user" that has the credentials required - we've created a "customer permissions" role - that we will allow all users to assume. The EFS tests are the first one to use that functionality
There was a problem hiding this comment.
It seems that we should encapsulate the support for AWS roles as part of creating either the config or the session for AWS ops. This could be used for block and potentially object store operations as well.
For now, it may be enough to factor out the role-related functionality into a separate function, and then we can figure out how to generalize it. Thoughts?
|
This change looks good and makes sense to me. |
|
Blockstorage structs are mainly used by the structs in function package. These function structs are responsible for setting up the config. I think, as a next step, we should add EFS support in these functions. Config should be set up exactly how EBS is set up. As an additional step, we can also check Role information. If we find one, role argument should be passed to the provider. Right now, configuration building is done by checking credentials in profile and the info from PVC (in EBS case). We can add additional key-pair for AssumeRole ARN in credentials. Or we can add operation parameters to the whole process; so PVC info, secret credentials and operation parameters together will be sufficient to run Kanister ops (functions). |
| @@ -61,13 +62,23 @@ func NewEFSProvider(config map[string]string) (blockstorage.Provider, error) { | |||
| return nil, errors.New("Account ID is empty") | |||
| } | |||
| accountID := *user.Account | |||
| efsCli := awsefs.New(s, aws.NewConfig().WithRegion(region)) | |||
| backupCli := backup.New(s, aws.NewConfig().WithRegion(region)) | |||
| creds := awsConfig.Credentials | |||
There was a problem hiding this comment.
It seems that we should encapsulate the support for AWS roles as part of creating either the config or the session for AWS ops. This could be used for block and potentially object store operations as well.
For now, it may be enough to factor out the role-related functionality into a separate function, and then we can figure out how to generalize it. Thoughts?
Change Overview
Adds AssumeRole support for EFS provider.
Pull request type
Please check the type of change your PR introduces: