From 2833e1bcbf7ffcd5d8990a6f77929a9e720cc7e1 Mon Sep 17 00:00:00 2001 From: Yonah Dissen Date: Mon, 15 Nov 2021 12:05:52 +0200 Subject: [PATCH 1/4] assume role --- README.md | 3 ++- config/config.go | 1 + sessions/sessions.go | 38 +++++++++++++++++++++++++++++++------- 3 files changed, 34 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index db1591d7..7f5caade 100644 --- a/README.md +++ b/README.md @@ -24,6 +24,7 @@ instances: instance: rds-mysql57 aws_access_key: AKIAIOSFODNN7EXAMPLE aws_secret_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY + aws_role_arn: arn:aws:iam::76784568345:role/my-role disable_basic_metrics: true disable_enhanced_metrics: false labels: @@ -31,7 +32,7 @@ instances: baz: qux ``` -If `aws_access_key` and `aws_secret_key` are present, they are used for that instance. +If `aws_role_arn` is present it will assume role otherwise if `aws_access_key` and `aws_secret_key` are present, they are used for that instance. Otherwise, [default credential provider chain](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials) is used, which includes `AWS_ACCESS_KEY_ID`/`AWS_ACCESS_KEY` and `AWS_SECRET_ACCESS_KEY`/`AWS_SECRET_KEY` environment variables, `~/.aws/credentials` file, and IAM role for EC2. diff --git a/config/config.go b/config/config.go index 2948ca31..2048e955 100644 --- a/config/config.go +++ b/config/config.go @@ -22,6 +22,7 @@ type Instance struct { Instance string `yaml:"instance"` AWSAccessKey string `yaml:"aws_access_key"` // may be empty AWSSecretKey string `yaml:"aws_secret_key"` // may be empty + AWSRoleARN string `yaml:"aws_role_arn"` // may be empty DisableBasicMetrics bool `yaml:"disable_basic_metrics"` DisableEnhancedMetrics bool `yaml:"disable_enhanced_metrics"` Labels map[string]string `yaml:"labels"` // may be empty diff --git a/sessions/sessions.go b/sessions/sessions.go index cf49e8c0..e615092b 100644 --- a/sessions/sessions.go +++ b/sessions/sessions.go @@ -12,6 +12,7 @@ import ( "github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/service/rds" "github.com/prometheus/common/log" + "github.com/aws/aws-sdk-go/aws/credentials/stscreds" "github.com/percona/rds_exporter/config" ) @@ -65,13 +66,11 @@ func New(instances []config.Instance, client *http.Client, trace bool) (*Session // use given credentials, or default credential chain var creds *credentials.Credentials - if instance.AWSAccessKey != "" || instance.AWSSecretKey != "" { - creds = credentials.NewCredentials(&credentials.StaticProvider{ - Value: credentials.Value{ - AccessKeyID: instance.AWSAccessKey, - SecretAccessKey: instance.AWSSecretKey, - }, - }) + + creds, err := buildCredentials(instance) + + if err != nil { + return nil, err } // make config with careful logging @@ -180,6 +179,31 @@ func (s *Sessions) GetSession(region, instance string) (*session.Session, *Insta return nil, nil } +func buildCredentials(instance config.Instance) (*credentials.Credentials, error) { + if instance.AWSRoleARN != "" { + os.Setenv("AWS_ACCESS_KEY_ID", instance.AWSAccessKey) + os.Setenv("AWS_SECRET_ACCESS_KEY", instance.AWSSecretKey) + + stsSession, err := session.NewSession(&aws.Config{ + Region: aws.String(instance.Region), + }) + if err != nil { + return nil, err + } + + return stscreds.NewCredentials(stsSession, instance.AWSRoleARN), nil + } + if instance.AWSAccessKey != "" || instance.AWSSecretKey != "" { + return credentials.NewCredentials(&credentials.StaticProvider{ + Value: credentials.Value{ + AccessKeyID: instance.AWSAccessKey, + SecretAccessKey: instance.AWSSecretKey, + }, + }), nil + } + return nil, nil +} + // AllSessions returns all sessions and instances. func (s *Sessions) AllSessions() map[*session.Session][]Instance { return s.sessions From d98de57479fc820c971c6e39fe24384668345ac4 Mon Sep 17 00:00:00 2001 From: Yonah Dissen Date: Wed, 24 Nov 2021 22:13:22 +0200 Subject: [PATCH 2/4] move credentials into session --- sessions/sessions.go | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/sessions/sessions.go b/sessions/sessions.go index e615092b..3adff8b8 100644 --- a/sessions/sessions.go +++ b/sessions/sessions.go @@ -181,11 +181,9 @@ func (s *Sessions) GetSession(region, instance string) (*session.Session, *Insta func buildCredentials(instance config.Instance) (*credentials.Credentials, error) { if instance.AWSRoleARN != "" { - os.Setenv("AWS_ACCESS_KEY_ID", instance.AWSAccessKey) - os.Setenv("AWS_SECRET_ACCESS_KEY", instance.AWSSecretKey) - stsSession, err := session.NewSession(&aws.Config{ Region: aws.String(instance.Region), + Credentials: credentials.NewStaticCredentials(instance.AWSAccessKey,instance.AWSSecretKey, ""), }) if err != nil { return nil, err From 8c60977cde006f9efe6569c1c22117cdc45d9c79 Mon Sep 17 00:00:00 2001 From: Yonah Dissen Date: Mon, 29 Nov 2021 11:14:54 +0200 Subject: [PATCH 3/4] gofmt --- sessions/sessions.go | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/sessions/sessions.go b/sessions/sessions.go index 3adff8b8..8c321b85 100644 --- a/sessions/sessions.go +++ b/sessions/sessions.go @@ -9,10 +9,10 @@ import ( "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/credentials" + "github.com/aws/aws-sdk-go/aws/credentials/stscreds" "github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/service/rds" "github.com/prometheus/common/log" - "github.com/aws/aws-sdk-go/aws/credentials/stscreds" "github.com/percona/rds_exporter/config" ) @@ -180,16 +180,16 @@ func (s *Sessions) GetSession(region, instance string) (*session.Session, *Insta } func buildCredentials(instance config.Instance) (*credentials.Credentials, error) { - if instance.AWSRoleARN != "" { + if instance.AWSRoleArn != "" { stsSession, err := session.NewSession(&aws.Config{ - Region: aws.String(instance.Region), - Credentials: credentials.NewStaticCredentials(instance.AWSAccessKey,instance.AWSSecretKey, ""), + Region: aws.String(instance.Region), + Credentials: credentials.NewStaticCredentials(instance.AWSAccessKey, instance.AWSSecretKey, ""), }) if err != nil { return nil, err } - return stscreds.NewCredentials(stsSession, instance.AWSRoleARN), nil + return stscreds.NewCredentials(stsSession, instance.AWSRoleArn), nil } if instance.AWSAccessKey != "" || instance.AWSSecretKey != "" { return credentials.NewCredentials(&credentials.StaticProvider{ From 02861262e5168a44fdde020c165b944c64394a7e Mon Sep 17 00:00:00 2001 From: Yonah Dissen Date: Mon, 29 Nov 2021 11:53:31 +0200 Subject: [PATCH 4/4] gofmt --- config/config.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/config.go b/config/config.go index 2048e955..538732a7 100644 --- a/config/config.go +++ b/config/config.go @@ -22,7 +22,7 @@ type Instance struct { Instance string `yaml:"instance"` AWSAccessKey string `yaml:"aws_access_key"` // may be empty AWSSecretKey string `yaml:"aws_secret_key"` // may be empty - AWSRoleARN string `yaml:"aws_role_arn"` // may be empty + AWSRoleArn string `yaml:"aws_role_arn"` // may be empty DisableBasicMetrics bool `yaml:"disable_basic_metrics"` DisableEnhancedMetrics bool `yaml:"disable_enhanced_metrics"` Labels map[string]string `yaml:"labels"` // may be empty