Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a pure aws-sdk-go auth #4667

Merged
merged 6 commits into from
Feb 7, 2022
Merged

Add a pure aws-sdk-go auth #4667

merged 6 commits into from
Feb 7, 2022

Conversation

sylr
Copy link
Contributor

@sylr sylr commented Sep 16, 2021
edited
Loading

  • I added CHANGELOG entry for this change.
  • Change is not relevant to the end user.

Changes

Added an authentication method for S3 which uses the AWS SDK for go.

The AWS SDK handles more authentication methods than the minio-go lib, e.g:

/etc/thanos/thanos-storage.yml

type: S3
config:
  bucket: "thanos"
  endpoint: "s3.eu-central-1.amazonaws.com"
  aws_sdk_auth: true
  region: "eu-central-1"
  access_key: ""
  insecure: false
  signature_version2: false
  secret_key: ""
  sse_config:
    type: "SSE-KMS"
    kms_key_id: "arn:aws:kms:eu-central-1:99999999999:key/<uuid>"
    kms_encryption_context: {}
    encryption_key: ""

/etc/thanos/aws-config.ini

[profile prometheus]
web_identity_token_file = /var/run/secrets/eks.amazonaws.com/serviceaccount/token
role_arn = arn:aws:iam::111111111111111:role/EKSPrometheusRole

[profile thanos]
source_profile = prometheus
role_arn = arn:aws:iam::99999999999:role/EKSThanosRole

Env vars:

AWS_CONFIG_FILE=/etc/thanos/aws-config.ini
AWS_PROFILE=thanos
AWS_ARN_ROLE=arn:aws:iam::99999999999:role/EKSThanosRole

Here the thanos sidecar running alongside the prometheus container has an AWS session provided via a web identity token file (EKS IRSA feature) and the config file make it so that the thanos profile is configured to use the session from the prometheus profile to assume a role in a different account.

This allows to have cross AWS accounts connectivity without the need for access and secret keys (which are baaaaaad).

Verification

@sylr sylr marked this pull request as draft September 16, 2021 15:42
@sylr sylr marked this pull request as ready for review September 17, 2021 10:04
@sylr sylr mentioned this pull request Sep 21, 2021
Closed
@sylr sylr force-pushed the aws-sdk-auth branch 2 times, most recently from ddd4d2b to 1f874e6 Compare September 23, 2021 15:30
@sylr
Copy link
Contributor Author

sylr commented Nov 4, 2021

@bwplotka could you please review this ?

bwplotka
bwplotka reviewed Nov 15, 2021
View reviewed changes
Copy link
Member

@bwplotka bwplotka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice, thanks! Well implemented in, but I am really curious if it's complex enough to import whole new complex module 🤔 I would add issue on minio-go too, so they are aware of this gap.

pkg/objstore/s3/s3_aws_sdk_auth.go Outdated Show resolved Hide resolved
pkg/objstore/s3/s3_aws_sdk_auth.go Outdated Show resolved Hide resolved
pkg/objstore/s3/s3_aws_sdk_auth.go
// NewAWSSDKAuth returns a pointer to a new Credentials object
// wrapping the environment variable provider.
func NewAWSSDKAuth(region string) *credentials.Credentials {
return credentials.New(&AWSSDKAuth{
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is implementation that complex that is worth to import the aws-sdk-go?

Essentially we need to compare the maintenance work.

  • Is it better for us to copy (potentially tiny) code and maintain it? As far as I understand this, it's just taking correct environment variables, that's it?
  • Is it better to contribute such logic to minio-go?
  • Is it better to import whole aws-sdk-go (dependency hell)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I used aws-sdk-go-v2 which contrary to the first aws-sdk-go has split modules for every services so we should import only what is required for the features we need.

It does much more than taking env vars.

It also leverage the well known AWS config files allowing to automatically assume roles based on other roles via the STS API. All that logic is well and consistently implemented across all AWS SDKs so I see no reason we should have our own implementation.

Copy link
Contributor

@V3ckt0r V3ckt0r Jan 13, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

here is the LoadDefaultConfig credential chain we get by importing this.

1. Environment variables.
1.1 Static Credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN)
1.2 Web Identity Token (AWS_WEB_IDENTITY_TOKEN_FILE)
2. Shared configuration files.
2.1 SDK defaults to credentials file under .aws folder that is placed in the home folder on your computer.
2.2 SDK defaults to config file under .aws folder that is placed in the home folder on your computer.
3. If your application uses an ECS task definition or RunTask API operation, IAM role for tasks.
4. If your application is running on an Amazon EC2 instance, IAM role for Amazon EC2.

pkg/objstore/s3/s3.go Show resolved Hide resolved
@sylr
Copy link
Contributor Author

sylr commented Nov 29, 2021

@bwplotka I'm about to fix the conflict, could we merge this before cutting 0.24.0-rc0 ?

@sylr
Copy link
Contributor Author

sylr commented Dec 8, 2021

@bwplotka ?

@sylr sylr requested a review from bwplotka December 14, 2021 14:29
wiardvanrij
wiardvanrij reviewed Dec 21, 2021
View reviewed changes
Copy link
Member

@wiardvanrij wiardvanrij left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm sort of confident that if you don't use an access_key / secret_key and leave everything empty, you can just use it 'as is'. For example we use KIAM roles that places the AWS env vars and this just works out of the box. Without the need for the AWS SDK.

It feels this is an implementation for something that already works? I could however be completely missing a feature or point :)

If this is actually required to work with for example assumed roles (so you don't need KIAM), etc. I think it's actually worth to implement it.

docs/storage.md Outdated Show resolved Hide resolved
@sylr
Copy link
Contributor Author

sylr commented Dec 22, 2021

The purpose of this is indeed to allow Thanos to work with assumed roles based on all the mechanisms implemented in the AWS SDK.

@sylr
Copy link
Contributor Author

sylr commented Jan 8, 2022

Could we please merge this?

@GiedriusS
Copy link
Member

Added to my TODO list for reviewing

@V3ckt0r
Copy link
Contributor

V3ckt0r commented Jan 13, 2022

+1 for this. I have this exact usecase as @sylr

This allows to have cross AWS accounts connectivity without the need for access and secret keys (which are baaaaaad).

GiedriusS
GiedriusS previously approved these changes Feb 3, 2022
View reviewed changes
Copy link
Member

@GiedriusS GiedriusS left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good 👍 the logic sounds good to me in https://github.com/thanos-io/thanos/pull/4667/files#r749424917 🤔

@GiedriusS
Copy link
Member

Could you please rebase on main and add the DCO?

@sylr
Add a pure aws-sdk-go auth
41ae41a 
Signed-off-by: Sylvain Rabot <sylvain@abstraction.fr>
sylr and others added 2 commits February 3, 2022 10:08
@sylr
Upgrade github.com/aws/aws-sdk-go-v2
3b669dc 
Signed-off-by: Sylvain Rabot <sylvain@abstraction.fr>
@GiedriusS
Update CHANGELOG.md
6b6a39f 
Signed-off-by: Giedrius Statkevičius <giedriuswork@gmail.com>
@sylr
Copy link
Contributor Author

sylr commented Feb 7, 2022

Is everything good for you @GiedriusS ?

GiedriusS
GiedriusS approved these changes Feb 7, 2022
View reviewed changes
Copy link
Member

@GiedriusS GiedriusS left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@GiedriusS GiedriusS merged commit dffe6ed into thanos-io:main Feb 7, 2022
Nicholaswang pushed a commit to Nicholaswang/thanos that referenced this pull request Mar 6, 2022
@sylr @GiedriusS @Nicholaswang
Add a pure aws-sdk-go auth (thanos-io#4667)
cf92655 
* Add a pure aws-sdk-go auth

Signed-off-by: Sylvain Rabot <sylvain@abstraction.fr>

* Upgrade github.com/aws/aws-sdk-go-v2

Signed-off-by: Sylvain Rabot <sylvain@abstraction.fr>

* Update CHANGELOG.md

Signed-off-by: Giedrius Statkevičius <giedriuswork@gmail.com>

* Move s3 conf test in validate()

Signed-off-by: Sylvain Rabot <sylvain@abstraction.fr>

Co-authored-by: Giedrius Statkevičius <giedriuswork@gmail.com>
Signed-off-by: Nicholaswang <wzhever@gmail.com>
@pjastrzabek pjastrzabek mentioned this pull request May 12, 2022
Closed
@alvinlin123 alvinlin123 mentioned this pull request Oct 6, 2022
Merged
3 tasks
@aljoshare aljoshare mentioned this pull request Aug 1, 2023
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@V3ckt0r V3ckt0r V3ckt0r left review comments

@wiardvanrij wiardvanrij wiardvanrij left review comments

@GiedriusS GiedriusS GiedriusS approved these changes

@bwplotka bwplotka Awaiting requested review from bwplotka

Assignees
No one assigned
Labels
size/M
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@sylr @GiedriusS @V3ckt0r @wiardvanrij @bwplotka