From dd11da569626d540a5b05eb90e3b083e1984dd25 Mon Sep 17 00:00:00 2001 From: Chris Abberley <26394346+cabberley@users.noreply.github.com> Date: Mon, 27 Jul 2020 19:30:00 +1000 Subject: [PATCH 01/14] #46 #44 #40 --- CHANGELOG.md | 7 +++ .../plugin_mixins/aws_config/generic.rb | 4 ++ lib/logstash/plugin_mixins/aws_config/v2.rb | 49 ++++++++++++------- logstash-mixin-aws.gemspec | 2 +- spec/plugin_mixin/aws_config_spec.rb | 2 +- 5 files changed, 44 insertions(+), 20 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 53d3191..c8b524a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,10 @@ +## Unreleased + - Add external_id Attribute option for AWS AssumeRole V2 #46 + - Update aws-sdk dependency to '~ 2.11' + - Update aws-SDK to '~> 2.11' + - Changed logic to enable AssumeRole to work when not on AWS ec2, in addition to original code that used IAM of ec2 vm V2 #44 + - Added HTTP_Proxy option for Assume Role V2 #40 + ## 4.3.0 - Drop strict value validation for region option #36 - Add endpoint option to customize the endpoint uri #32 diff --git a/lib/logstash/plugin_mixins/aws_config/generic.rb b/lib/logstash/plugin_mixins/aws_config/generic.rb index d307bc7..5a1845e 100644 --- a/lib/logstash/plugin_mixins/aws_config/generic.rb +++ b/lib/logstash/plugin_mixins/aws_config/generic.rb @@ -33,6 +33,10 @@ def generic_aws_config # This is used to generate temporary credentials typically for cross-account access. # See https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html for more information. config :role_arn, :validate => :string + + # The AWS external_Id to present with the IAM ROle, if any + # Some configurations of Assume Role require an external id to use when assuming an IAM role + config :external_id, :validate => :string # Session name to use when assuming an IAM role config :role_session_name, :validate => :string, :default => "logstash" 
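Review bot: The two comment lines added above `config :external_id` carry typos (`external_Id`, `ROle`) and do not say what the option does or when it is needed; suggested replacement: `# External ID presented to STS when assuming role_arn (the ExternalId parameter of AssumeRole). Required when the role's trust policy demands it as a confused-deputy safeguard.`. The option is validated as a plain `:string`, which is appropriate since AWS does not treat the external ID as a secret, but the comment should say so explicitly so nobody later wonders whether it belongs in `:password`. The diffstat records four added lines, so the blank line before the comment is new too; keep one blank line between options to match the `role_session_name` entry below.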
diff --git a/lib/logstash/plugin_mixins/aws_config/v2.rb b/lib/logstash/plugin_mixins/aws_config/v2.rb index 21cab04..3089250 100644 --- a/lib/logstash/plugin_mixins/aws_config/v2.rb +++ b/lib/logstash/plugin_mixins/aws_config/v2.rb 
@@ -37,32 +37,45 @@ def aws_options_hash private def credentials @creds ||= begin - if @access_key_id && @secret_access_key + #This part will process just an AWS IAM or the AWS IAM required before moving onto Assuming role + if @access_key_id && @secret_access_key credentials_opts = { :access_key_id => @access_key_id, :secret_access_key => @secret_access_key.value } - - credentials_opts[:session_token] = @session_token.value if @session_token - Aws::Credentials.new(credentials_opts[:access_key_id], + if @session_token + credentials_opts[:session_token] = @session_token.value + end + Aws::Credentials.new(credentials_opts[:access_key_id], credentials_opts[:secret_access_key], credentials_opts[:session_token]) - elsif @aws_credentials_file - credentials_opts = YAML.load_file(@aws_credentials_file) - Aws::Credentials.new(credentials_opts[:access_key_id], + elsif @aws_credentials_file + credentials_opts = YAML.load_file(@aws_credentials_file) + Aws::Credentials.new(credentials_opts[:access_key_id], credentials_opts[:secret_access_key], credentials_opts[:session_token]) - elsif @role_arn - assume_role - end - end + end + #assume_role scenarios with or without external_id and http Proxy. 
external_id does require other code changes + if @role_arn && @role_session_name && @external_id && @proxy_uri + Aws::AssumeRoleCredentials.new( + :client => Aws::STS::Client.new(:region => @region, :http_proxy => @proxy_uri), + :role_arn => @role_arn, + :role_session_name => @role_session_name, + :external_id => @external_id) + elsif @role_arn && @role_session_name && @external_id + Aws::AssumeRoleCredentials.new( + :client => Aws::STS::Client.new(:region => @region), + :role_arn => @role_arn, + :role_session_name => @role_session_name, + :external_id => @external_id) + elsif @role_arn && @role_session_name + Aws::AssumeRoleCredentials.new( + :client => Aws::STS::Client.new(:region => @region), + :role_arn => @role_arn, + :role_session_name => @role_session_name) + end + end end - def assume_role - Aws::AssumeRoleCredentials.new( - :client => Aws::STS::Client.new(:region => @region), - :role_arn => @role_arn, - :role_session_name => @role_session_name - ) - end + end diff --git a/logstash-mixin-aws.gemspec b/logstash-mixin-aws.gemspec index ff2f224..a35519f 100644 --- a/logstash-mixin-aws.gemspec +++ b/logstash-mixin-aws.gemspec @@ -19,7 +19,7 @@ Gem::Specification.new do |s| s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99" s.add_runtime_dependency 'logstash-codec-plain' s.add_runtime_dependency 'aws-sdk-v1', '>= 1.61.0' - s.add_runtime_dependency 'aws-sdk', '~> 2' + s.add_runtime_dependency 'aws-sdk', '~> 2.11' s.add_development_dependency 'logstash-devutils' s.add_development_dependency 'timecop' end diff --git a/spec/plugin_mixin/aws_config_spec.rb b/spec/plugin_mixin/aws_config_spec.rb index f45eb61..89376ba 100644 --- a/spec/plugin_mixin/aws_config_spec.rb +++ b/spec/plugin_mixin/aws_config_spec.rb 
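Review bot: `credentials` now throws away the static credentials it builds: `@creds ||= begin … end` takes the value of the block's last expression, which is the second `if @role_arn …` chain, so whenever `role_arn` is unset the `Aws::Credentials` constructed in the first `if` is discarded and `@creds` ends up nil (this is what the spec churn in PATCH 02–06 is chasing; the two-`if` shape persists in PATCH 04 and comes back in PATCH 09, and is only folded into one chain in PATCH 10/11). The fix is a single `if`/`elsif` chain with the role branch first; the three role branches differ only in whether `:http_proxy` and `:external_id` are present, so they collapse to one by adding those keys conditionally, which also avoids passing nil values to the SDK. `@role_session_name` has `:default => "logstash"` (generic.rb hunk above), so the `&& @role_session_name` guards never change the outcome. `def credentials` closes inside the hunk; its caller `aws_options_hash` is outside it, and `@proxy_uri` is presumably declared in generic.rb, which this hunk does not show.
```ruby
@creds ||= begin
  if @role_arn
    sts_opts = { :region => @region }
    sts_opts[:http_proxy] = @proxy_uri if @proxy_uri
    assume_opts = {
      :client => Aws::STS::Client.new(sts_opts),
      :role_arn => @role_arn,
      :role_session_name => @role_session_name
    }
    assume_opts[:external_id] = @external_id if @external_id
    Aws::AssumeRoleCredentials.new(assume_opts)
  elsif @access_key_id && @secret_access_key
    # … unchanged: static Aws::Credentials branch …
  elsif @aws_credentials_file
    # … unchanged: YAML credentials-file branch …
  end
end
```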
@@ -138,7 +138,7 @@ def aws_service_endpoint(region) end context 'role arn is provided' do - let(:settings) { { 'role_arn' => 'arn:aws:iam::012345678910:role/foo', 'region' => 'us-west-2' } } + let(:settings) { { 'role_arn' => 'arn:aws:iam::012345678910:role/foo', 'region' => 'us-west-2','external_id' => 'externalid' } } let(:sts_double) { instance_double(Aws::STS::Client) } let(:now) { Time.now } let(:expiration) { Time.at(now.to_i + 3600) } From 600719f5cf9dd623b0753ffe7d6df58d732c3091 Mon Sep 17 00:00:00 2001 From: Chris Abberley <26394346+cabberley@users.noreply.github.com> Date: Tue, 28 Jul 2020 07:07:43 +1000 Subject: [PATCH 02/14] changes to spec for test failures --- spec/plugin_mixin/aws_config_spec.rb | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/spec/plugin_mixin/aws_config_spec.rb b/spec/plugin_mixin/aws_config_spec.rb index 89376ba..b29f57a 100644 --- a/spec/plugin_mixin/aws_config_spec.rb +++ b/spec/plugin_mixin/aws_config_spec.rb @@ -112,8 +112,7 @@ def aws_service_endpoint(region) let(:settings) { { 'aws_credentials_file' => File.join(File.dirname(__FILE__), '..', 'fixtures/aws_credentials_file_sample_test.yml') } } it 'should support reading configuration from a yaml file' do - expect(subject.access_key_id).to eq("1234") - expect(subject.secret_access_key).to eq("secret") + expect(subject).to include(:access_key_id => "1234", :secret_access_key => "secret") end end 
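Review bot: These rewritten expectations treat `subject` as a Hash (`expect(subject).to include(:access_key_id => …)` here, `subject[:access_key_id]` in the two following hunks `@@ -122,9` and `@@ -132,8`), but the describe block's subject at line 109 — outside this hunk, visible as the line PATCH 03 comments out — is still `aws_options_hash[:credentials]`, which is an `Aws::Credentials` object, or nil for these settings because PATCH 01's `credentials` returns the value of its second `if`. The failures being chased here are in the library, not the spec; the original `subject.access_key_id` / `subject.secret_access_key` expectations are the correct ones and should stay while `credentials` is fixed. The `to_not eq(settings["secret_access_key"])` assertions added in the later hunks only document that a password wrapper is being returned where a credential was expected.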
@@ -122,9 +121,11 @@ def aws_service_endpoint(region) let(:settings) { { 'access_key_id' => '1234', 'secret_access_key' => 'secret', 'session_token' => 'session_token' } } it "should support passing as key, value, and session_token" do - expect(subject.access_key_id).to eq(settings['access_key_id']) - expect(subject.secret_access_key).to eq(settings['secret_access_key']) - expect(subject.session_token).to eq(settings['session_token']) + expect(subject[:access_key_id]).to eq(settings["access_key_id"]) + expect(subject[:secret_access_key]).to_not eq(settings["secret_access_key"]) + expect(subject[:secret_access_key].value).to eq(settings["secret_access_key"]) + expect(subject[:session_token]).to_not eq(settings["session_token"]) + expect(subject[:session_token].value).to eq(settings["session_token"]) end end @@ -132,8 +133,9 @@ def aws_service_endpoint(region) let(:settings) { { 'access_key_id' => '1234', 'secret_access_key' => 'secret' } } it 'should support passing credentials as key, value' do - expect(subject.access_key_id).to eq(settings['access_key_id']) - expect(subject.secret_access_key).to eq(settings['secret_access_key']) + expect(subject[:access_key_id]).to eq(settings["access_key_id"]) + expect(subject[:secret_access_key]).to_not eq(settings["secret_access_key"]) + expect(subject[:secret_access_key].value).to eq(settings["secret_access_key"]) end end From 60770c408594a523e0bfeb4a32cd48abe582960b Mon Sep 17 00:00:00 2001 From: Chris Abberley <26394346+cabberley@users.noreply.github.com> Date: Tue, 28 Jul 2020 07:20:12 +1000 Subject: [PATCH 03/14] Testing spec update --- spec/plugin_mixin/aws_config_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/plugin_mixin/aws_config_spec.rb b/spec/plugin_mixin/aws_config_spec.rb index b29f57a..9570d07 100644 --- a/spec/plugin_mixin/aws_config_spec.rb +++ b/spec/plugin_mixin/aws_config_spec.rb 
@@ -106,7 +106,7 @@ def aws_service_endpoint(region) subject { DummyInputAwsConfigV2.new(settings).aws_options_hash } describe 'config credential' do - subject { DummyInputAwsConfigV2.new(settings).aws_options_hash[:credentials] } + # subject { DummyInputAwsConfigV2.new(settings).aws_options_hash[:credentials] } context 'in credential file' do let(:settings) { { 'aws_credentials_file' => File.join(File.dirname(__FILE__), '..', 'fixtures/aws_credentials_file_sample_test.yml') } } From 12152cadf755d1b790cbde32be6df59cb60262a7 Mon Sep 17 00:00:00 2001 From: Chris Abberley <26394346+cabberley@users.noreply.github.com> Date: Tue, 28 Jul 2020 08:56:14 +1000 Subject: [PATCH 04/14] testing --- lib/logstash/plugin_mixins/aws_config/v2.rb | 6 +++--- spec/plugin_mixin/aws_config_spec.rb | 18 ++++++++---------- 2 files changed, 11 insertions(+), 13 deletions(-) diff --git a/lib/logstash/plugin_mixins/aws_config/v2.rb b/lib/logstash/plugin_mixins/aws_config/v2.rb index 3089250..55f7e33 100644 --- a/lib/logstash/plugin_mixins/aws_config/v2.rb +++ b/lib/logstash/plugin_mixins/aws_config/v2.rb 
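Review bot: Commenting out the `subject { …aws_options_hash[:credentials] }` override makes this describe block inherit the outer `aws_options_hash` subject (line 106 context), so the credential examples now assert on the raw options hash and no longer exercise `credentials` at all. The reason the override fails is the nil return from `credentials` introduced in PATCH 01, not the subject itself; either restore the line and fix the library or delete it outright, but a commented-out subject should not be merged.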
@@ -56,19 +56,19 @@ def credentials credentials_opts[:session_token]) end #assume_role scenarios with or without external_id and http Proxy. external_id does require other code changes - if @role_arn && @role_session_name && @external_id && @proxy_uri + if @role_arn && @external_id && @proxy_uri Aws::AssumeRoleCredentials.new( :client => Aws::STS::Client.new(:region => @region, :http_proxy => @proxy_uri), :role_arn => @role_arn, :role_session_name => @role_session_name, :external_id => @external_id) - elsif @role_arn && @role_session_name && @external_id + elsif @role_arn && @external_id Aws::AssumeRoleCredentials.new( :client => Aws::STS::Client.new(:region => @region), :role_arn => @role_arn, :role_session_name => @role_session_name, :external_id => @external_id) - elsif @role_arn && @role_session_name + elsif @role_arn Aws::AssumeRoleCredentials.new( :client => Aws::STS::Client.new(:region => @region), :role_arn => @role_arn, diff --git a/spec/plugin_mixin/aws_config_spec.rb b/spec/plugin_mixin/aws_config_spec.rb index 9570d07..89376ba 100644 --- a/spec/plugin_mixin/aws_config_spec.rb +++ b/spec/plugin_mixin/aws_config_spec.rb @@ -106,13 +106,14 @@ def aws_service_endpoint(region) subject { DummyInputAwsConfigV2.new(settings).aws_options_hash } describe 'config credential' do - # subject { DummyInputAwsConfigV2.new(settings).aws_options_hash[:credentials] } + subject { DummyInputAwsConfigV2.new(settings).aws_options_hash[:credentials] } context 'in credential file' do let(:settings) { { 'aws_credentials_file' => File.join(File.dirname(__FILE__), '..', 'fixtures/aws_credentials_file_sample_test.yml') } } it 'should support reading configuration from a yaml file' do - expect(subject).to include(:access_key_id => "1234", :secret_access_key => "secret") + expect(subject.access_key_id).to eq("1234") + expect(subject.secret_access_key).to eq("secret") end end 
@@ -121,11 +122,9 @@ def aws_service_endpoint(region) let(:settings) { { 'access_key_id' => '1234', 'secret_access_key' => 'secret', 'session_token' => 'session_token' } } it "should support passing as key, value, and session_token" do - expect(subject[:access_key_id]).to eq(settings["access_key_id"]) - expect(subject[:secret_access_key]).to_not eq(settings["secret_access_key"]) - expect(subject[:secret_access_key].value).to eq(settings["secret_access_key"]) - expect(subject[:session_token]).to_not eq(settings["session_token"]) - expect(subject[:session_token].value).to eq(settings["session_token"]) + expect(subject.access_key_id).to eq(settings['access_key_id']) + expect(subject.secret_access_key).to eq(settings['secret_access_key']) + expect(subject.session_token).to eq(settings['session_token']) end end @@ -133,9 +132,8 @@ def aws_service_endpoint(region) let(:settings) { { 'access_key_id' => '1234', 'secret_access_key' => 'secret' } } it 'should support passing credentials as key, value' do - expect(subject[:access_key_id]).to eq(settings["access_key_id"]) - expect(subject[:secret_access_key]).to_not eq(settings["secret_access_key"]) - expect(subject[:secret_access_key].value).to eq(settings["secret_access_key"]) + expect(subject.access_key_id).to eq(settings['access_key_id']) + expect(subject.secret_access_key).to eq(settings['secret_access_key']) end end From 64a2ca6444847dcb914b64d62a5e4f5bbbfdf9b1 Mon Sep 17 00:00:00 2001 From: Chris Abberley <26394346+cabberley@users.noreply.github.com> Date: Tue, 28 Jul 2020 09:36:06 +1000 Subject: [PATCH 05/14] testing --- spec/plugin_mixin/aws_config_spec.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/spec/plugin_mixin/aws_config_spec.rb b/spec/plugin_mixin/aws_config_spec.rb index 89376ba..79dfa38 100644 --- a/spec/plugin_mixin/aws_config_spec.rb +++ b/spec/plugin_mixin/aws_config_spec.rb 
@@ -112,8 +112,8 @@ def aws_service_endpoint(region) let(:settings) { { 'aws_credentials_file' => File.join(File.dirname(__FILE__), '..', 'fixtures/aws_credentials_file_sample_test.yml') } } it 'should support reading configuration from a yaml file' do - expect(subject.access_key_id).to eq("1234") - expect(subject.secret_access_key).to eq("secret") + expect(subject).to include({access_key_id => "1234"}) + expect(subject).to include({:secret_access_key => "secret"}) end end From 5f58b5496673e376885003c366e2b69ef22329d9 Mon Sep 17 00:00:00 2001 From: Chris Abberley <26394346+cabberley@users.noreply.github.com> Date: Tue, 28 Jul 2020 09:42:33 +1000 Subject: [PATCH 06/14] testing --- spec/plugin_mixin/aws_config_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/plugin_mixin/aws_config_spec.rb b/spec/plugin_mixin/aws_config_spec.rb index 79dfa38..ff6ee59 100644 --- a/spec/plugin_mixin/aws_config_spec.rb +++ b/spec/plugin_mixin/aws_config_spec.rb @@ -112,7 +112,7 @@ def aws_service_endpoint(region) let(:settings) { { 'aws_credentials_file' => File.join(File.dirname(__FILE__), '..', 'fixtures/aws_credentials_file_sample_test.yml') } } it 'should support reading configuration from a yaml file' do - expect(subject).to include({access_key_id => "1234"}) + expect(subject).to include({:access_key_id => "1234"}) expect(subject).to include({:secret_access_key => "secret"}) end end From c4ab218faa043d46d0c818a21e3ffe5e71ea2799 Mon Sep 17 00:00:00 2001 From: Chris Abberley <26394346+cabberley@users.noreply.github.com> Date: Tue, 28 Jul 2020 10:52:16 +1000 Subject: [PATCH 07/14] test logic change --- lib/logstash/plugin_mixins/aws_config/v2.rb | 51 +++++++++++---------- spec/plugin_mixin/aws_config_spec.rb | 4 +- 2 files changed, 29 insertions(+), 26 deletions(-) diff --git a/lib/logstash/plugin_mixins/aws_config/v2.rb b/lib/logstash/plugin_mixins/aws_config/v2.rb index 55f7e33..5a08860 100644 --- a/lib/logstash/plugin_mixins/aws_config/v2.rb 
+++ b/lib/logstash/plugin_mixins/aws_config/v2.rb 
@@ -37,43 +37,46 @@ def aws_options_hash private def credentials @creds ||= begin - #This part will process just an AWS IAM or the AWS IAM required before moving onto Assuming role - if @access_key_id && @secret_access_key - credentials_opts = { - :access_key_id => @access_key_id, - :secret_access_key => @secret_access_key.value - } - if @session_token - credentials_opts[:session_token] = @session_token.value - end - Aws::Credentials.new(credentials_opts[:access_key_id], - credentials_opts[:secret_access_key], - credentials_opts[:session_token]) - elsif @aws_credentials_file - credentials_opts = YAML.load_file(@aws_credentials_file) - Aws::Credentials.new(credentials_opts[:access_key_id], - credentials_opts[:secret_access_key], - credentials_opts[:session_token]) + if @session_token + credentials_opts[:session_token] = @session_token.value end - #assume_role scenarios with or without external_id and http Proxy. external_id does require other code changes - if @role_arn && @external_id && @proxy_uri + if @role_arn && @external_id && @proxy_uri && @access_key_id && @secret_access_key Aws::AssumeRoleCredentials.new( - :client => Aws::STS::Client.new(:region => @region, :http_proxy => @proxy_uri), + :client => Aws::STS::Client.new(:access_key_id => @access_key_id, + :secret_access_key => @secret_access_key, + :region => @region, + :http_proxy => @proxy_uri), :role_arn => @role_arn, :role_session_name => @role_session_name, :external_id => @external_id) - elsif @role_arn && @external_id + elsif @role_arn && @external_id && @access_key_id && @secret_access_key Aws::AssumeRoleCredentials.new( - :client => Aws::STS::Client.new(:region => @region), + :client => Aws::STS::Client.new(:access_key_id => @access_key_id, + :secret_access_key => @secret_access_key, + :region => @region), :role_arn => @role_arn, :role_session_name => @role_session_name, :external_id => @external_id) - elsif @role_arn + elsif @role_arn && @proxy_uri Aws::AssumeRoleCredentials.new( :client => 
Aws::STS::Client.new(:region => @region), :role_arn => @role_arn, :role_session_name => @role_session_name) - end + elsif @role_arn + Aws::AssumeRoleCredentials.new( + :client => Aws::STS::Client.new(:region => @region), + :role_arn => @role_arn, + :role_session_name => @role_session_name) + elsif @access_key_id && @secret_access_key + Aws::Credentials.new(:access_key_id => @access_key_id, + :secret_access_key => @secret_access_key, + :session_token => @session_token) + elsif @aws_credentials_file + credentials_opts = YAML.load_file(@aws_credentials_file) + Aws::Credentials.new(:access_key_id => @access_key_id, + :secret_access_key => @secret_access_key, + :session_token => @session_token) + end end end diff --git a/spec/plugin_mixin/aws_config_spec.rb b/spec/plugin_mixin/aws_config_spec.rb index ff6ee59..89376ba 100644 --- a/spec/plugin_mixin/aws_config_spec.rb +++ b/spec/plugin_mixin/aws_config_spec.rb @@ -112,8 +112,8 @@ def aws_service_endpoint(region) let(:settings) { { 'aws_credentials_file' => File.join(File.dirname(__FILE__), '..', 'fixtures/aws_credentials_file_sample_test.yml') } } it 'should support reading configuration from a yaml file' do - expect(subject).to include({:access_key_id => "1234"}) - expect(subject).to include({:secret_access_key => "secret"}) + expect(subject.access_key_id).to eq("1234") + expect(subject.secret_access_key).to eq("secret") end end From b49bf5c441c79ed1f3d643a07eea67d23c707b28 Mon Sep 17 00:00:00 2001 From: Chris Abberley <26394346+cabberley@users.noreply.github.com> Date: Tue, 28 Jul 2020 11:04:23 +1000 Subject: [PATCH 08/14] typo fxes --- lib/logstash/plugin_mixins/aws_config/v2.rb | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/lib/logstash/plugin_mixins/aws_config/v2.rb b/lib/logstash/plugin_mixins/aws_config/v2.rb index 5a08860..5f02d4b 100644 --- a/lib/logstash/plugin_mixins/aws_config/v2.rb +++ b/lib/logstash/plugin_mixins/aws_config/v2.rb 
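Review bot: `credentials_opts[:session_token] = @session_token.value` is now the first statement of the block, but the hash literal that defined `credentials_opts` was removed in the same hunk, so any config with `session_token` raises before a branch is reached. Several of the new lines also pass the wrong types: `:secret_access_key => @secret_access_key` and `:session_token => @session_token` hand the Logstash password wrappers to the SDK where the removed lines used `.value`, and `Aws::Credentials.new(:access_key_id => …)` passes a single Hash where the constructor expects the three positional arguments the removed calls used. In the `@aws_credentials_file` branch the YAML result is assigned to `credentials_opts` and then ignored in favour of the instance variables; that branch should remain `Aws::Credentials.new(credentials_opts[:access_key_id], credentials_opts[:secret_access_key], credentials_opts[:session_token])`. PATCH 08 only reflows these lines and PATCH 09 reverts the block, so the defects are transient but the reformatted one-liners in PATCH 08 are harder to read than the multi-line calls they replace.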
@@ -42,18 +42,13 @@ def credentials end if @role_arn && @external_id && @proxy_uri && @access_key_id && @secret_access_key Aws::AssumeRoleCredentials.new( - :client => Aws::STS::Client.new(:access_key_id => @access_key_id, - :secret_access_key => @secret_access_key, - :region => @region, - :http_proxy => @proxy_uri), + :client => Aws::STS::Client.new(:access_key_id => @access_key_id, :secret_access_key => @secret_access_key, :region => @region, :http_proxy => @proxy_uri), :role_arn => @role_arn, :role_session_name => @role_session_name, :external_id => @external_id) elsif @role_arn && @external_id && @access_key_id && @secret_access_key Aws::AssumeRoleCredentials.new( - :client => Aws::STS::Client.new(:access_key_id => @access_key_id, - :secret_access_key => @secret_access_key, - :region => @region), + :client => Aws::STS::Client.new(:access_key_id => @access_key_id, :secret_access_key => @secret_access_key, :region => @region), :role_arn => @role_arn, :role_session_name => @role_session_name, :external_id => @external_id) @@ -68,14 +63,10 @@ def credentials :role_arn => @role_arn, :role_session_name => @role_session_name) elsif @access_key_id && @secret_access_key - Aws::Credentials.new(:access_key_id => @access_key_id, - :secret_access_key => @secret_access_key, - :session_token => @session_token) + Aws::Credentials.new(:access_key_id => @access_key_id, :secret_access_key => @secret_access_key, :session_token => @session_token) elsif @aws_credentials_file credentials_opts = YAML.load_file(@aws_credentials_file) - Aws::Credentials.new(:access_key_id => @access_key_id, - :secret_access_key => @secret_access_key, - :session_token => @session_token) + Aws::Credentials.new(:access_key_id => @access_key_id, :secret_access_key => @secret_access_key, :session_token => @session_token) end end end From 706d3448e96d68cf97187dda20f4cd50aeaf19e5 Mon Sep 17 00:00:00 2001 
From: Chris Abberley <26394346+cabberley@users.noreply.github.com> Date: Tue, 28 Jul 2020 11:44:12 +1000 Subject: [PATCH 09/14] revert changes --- .../plugin_mixins/aws_config/generic.rb | 3 +- lib/logstash/plugin_mixins/aws_config/v2.rb | 54 +++++++++---------- spec/plugin_mixin/aws_config_spec.rb | 6 +-- 3 files changed, 31 insertions(+), 32 deletions(-) diff --git a/lib/logstash/plugin_mixins/aws_config/generic.rb b/lib/logstash/plugin_mixins/aws_config/generic.rb index 5a1845e..1660f5a 100644 --- a/lib/logstash/plugin_mixins/aws_config/generic.rb +++ b/lib/logstash/plugin_mixins/aws_config/generic.rb @@ -34,8 +34,7 @@ def generic_aws_config # See https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html for more information. config :role_arn, :validate => :string - # The AWS external_Id to present with the IAM ROle, if any - # Some configurations of Assume Role require an external id to use when assuming an IAM role + #external id to use when assuming an IAM role config :external_id, :validate => :string # Session name to use when assuming an IAM role diff --git a/lib/logstash/plugin_mixins/aws_config/v2.rb b/lib/logstash/plugin_mixins/aws_config/v2.rb index 5f02d4b..398c816 100644 --- a/lib/logstash/plugin_mixins/aws_config/v2.rb +++ b/lib/logstash/plugin_mixins/aws_config/v2.rb 
@@ -37,39 +37,39 @@ def aws_options_hash private def credentials @creds ||= begin - if @session_token - credentials_opts[:session_token] = @session_token.value + if @access_key_id && @secret_access_key + credentials_opts = { + :access_key_id => @access_key_id, + :secret_access_key => @secret_access_key.value + } + if @session_token + credentials_opts[:session_token] = @session_token.value + end + Aws::Credentials.new(credentials_opts[:access_key_id], + credentials_opts[:secret_access_key], + credentials_opts[:session_token]) + elsif @aws_credentials_file + credentials_opts = YAML.load_file(@aws_credentials_file) + Aws::Credentials.new(credentials_opts[:access_key_id], + credentials_opts[:secret_access_key], + credentials_opts[:session_token]) end - if @role_arn && @external_id && @proxy_uri && @access_key_id && @secret_access_key - Aws::AssumeRoleCredentials.new( - :client => Aws::STS::Client.new(:access_key_id => @access_key_id, :secret_access_key => @secret_access_key, :region => @region, :http_proxy => @proxy_uri), - :role_arn => @role_arn, - :role_session_name => @role_session_name, - :external_id => @external_id) - elsif @role_arn && @external_id && @access_key_id && @secret_access_key + if @role_arn && @role_session_name + #assume_role Aws::AssumeRoleCredentials.new( - :client => Aws::STS::Client.new(:access_key_id => @access_key_id, :secret_access_key => @secret_access_key, :region => @region), + :client => Aws::STS::Client.new(:region => @region), :role_arn => @role_arn, :role_session_name => @role_session_name, :external_id => @external_id) - elsif @role_arn && @proxy_uri - Aws::AssumeRoleCredentials.new( - :client => Aws::STS::Client.new(:region => @region), - :role_arn => @role_arn, - :role_session_name => @role_session_name) - elsif @role_arn - Aws::AssumeRoleCredentials.new( - :client => Aws::STS::Client.new(:region => @region), - :role_arn => @role_arn, - :role_session_name => @role_session_name) - elsif @access_key_id && @secret_access_key - 
Aws::Credentials.new(:access_key_id => @access_key_id, :secret_access_key => @secret_access_key, :session_token => @session_token) - elsif @aws_credentials_file - credentials_opts = YAML.load_file(@aws_credentials_file) - Aws::Credentials.new(:access_key_id => @access_key_id, :secret_access_key => @secret_access_key, :session_token => @session_token) - end + end end end - + def assume_role + Aws::AssumeRoleCredentials.new( + :client => Aws::STS::Client.new(:access_key_id => @access_key_id, :secret_access_key => @secret_access_key, :region => @region), + :role_arn => @role_arn, + :role_session_name => @role_session_name, + :external_id => @external_id) + end end diff --git a/spec/plugin_mixin/aws_config_spec.rb b/spec/plugin_mixin/aws_config_spec.rb index 89376ba..9d8a261 100644 --- a/spec/plugin_mixin/aws_config_spec.rb +++ b/spec/plugin_mixin/aws_config_spec.rb @@ -41,9 +41,9 @@ def aws_service_endpoint(region) context 'inline' do context 'temporary credential' do - let(:settings) { { 'access_key_id' => '1234', 'secret_access_key' => 'secret', 'session_token' => 'session_token' } } + let(:settings) { { 'access_key_id' => '1234', 'secret_access_key' => 'secret', 'session_token' => 'session_token'} } - it "should support passing as key, value, and session_token" do + it "should support passing as key, value and session_token" do expect(subject[:access_key_id]).to eq(settings["access_key_id"]) expect(subject[:secret_access_key]).to_not eq(settings["secret_access_key"]) expect(subject[:secret_access_key].value).to eq(settings["secret_access_key"]) 
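Review bot: The restored `def assume_role` helper at the end of the hunk is never called (the `if @role_arn && @role_session_name` branch above builds `Aws::AssumeRoleCredentials` inline) and it passes `@secret_access_key` without `.value`, unlike the static branch a few lines up. The two-`if` structure from PATCH 01 is also back, so a config with static keys and no `role_arn` still leaves `@creds` nil as the value of the second `if`; the first `if`'s branches belong as `elsif` branches of the second. `:external_id => @external_id` is now passed unconditionally; presumably the SDK drops a nil here, but `opts[:external_id] = @external_id if @external_id` avoids relying on that. Delete the helper or route the branch through it, not both.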
@@ -138,7 +138,7 @@ def aws_service_endpoint(region) end context 'role arn is provided' do - let(:settings) { { 'role_arn' => 'arn:aws:iam::012345678910:role/foo', 'region' => 'us-west-2','external_id' => 'externalid' } } + let(:settings) { { 'role_arn' => 'arn:aws:iam::012345678910:role/foo', 'region' => 'us-west-2','external_id' => 'external_id' } } let(:sts_double) { instance_double(Aws::STS::Client) } let(:now) { Time.now } let(:expiration) { Time.at(now.to_i + 3600) } From f0d1a7d4047bc85153563b0f884f2ea7233f8937 Mon Sep 17 00:00:00 2001 From: Chris Abberley <26394346+cabberley@users.noreply.github.com> Date: Wed, 29 Jul 2020 03:03:02 +0000 Subject: [PATCH 10/14] fixed v1 --- lib/logstash/plugin_mixins/aws_config/v2.rb | 22 ++++++++++++--------- logstash-mixin-aws.gemspec | 2 +- spec/plugin_mixin/aws_config_spec.rb | 4 ++++ 3 files changed, 18 insertions(+), 10 deletions(-) diff --git a/lib/logstash/plugin_mixins/aws_config/v2.rb b/lib/logstash/plugin_mixins/aws_config/v2.rb index 398c816..2dc1a1f 100644 --- a/lib/logstash/plugin_mixins/aws_config/v2.rb +++ b/lib/logstash/plugin_mixins/aws_config/v2.rb @@ -37,7 +37,18 @@ def aws_options_hash private def credentials @creds ||= begin - if @access_key_id && @secret_access_key + if @role_arn && @role_session_name + #assume_role + credentials_opts = { + :access_key_id => @access_key_id, + :secret_access_key => @secret_access_key.value + } + Aws::AssumeRoleCredentials.new( + :client => Aws::STS::Client.new(access_key_id: @access_key_id, secret_access_key: @secret_access_key.value, region: @region), + :role_arn => @role_arn, + :role_session_name => @role_session_name, + :external_id => @external_id) + elsif @access_key_id && @secret_access_key credentials_opts = { :access_key_id => @access_key_id, :secret_access_key => @secret_access_key.value 
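Review bot: The new first branch is taken whenever `role_arn` is set and then calls `@secret_access_key.value` — both in the `credentials_opts` hash and in `Aws::STS::Client.new(… secret_access_key: @secret_access_key.value …)` — so a config with `role_arn` but no static keys, the EC2 instance-profile case the CHANGELOG says is still supported, raises `NoMethodError` on nil instead of falling through to the SDK's default credential chain. The `credentials_opts` hash built at the top of that branch is never read and should be removed. The STS client here also lacks the `http_proxy` option that #40 adds, so the proxy is silently ignored for assume-role at this revision; PATCH 11 restructures this branch.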
@@ -54,14 +65,7 @@ def credentials credentials_opts[:secret_access_key], credentials_opts[:session_token]) end - if @role_arn && @role_session_name - #assume_role - Aws::AssumeRoleCredentials.new( - :client => Aws::STS::Client.new(:region => @region), - :role_arn => @role_arn, - :role_session_name => @role_session_name, - :external_id => @external_id) - end + end end diff --git a/logstash-mixin-aws.gemspec b/logstash-mixin-aws.gemspec index a35519f..fd1fc64 100644 --- a/logstash-mixin-aws.gemspec +++ b/logstash-mixin-aws.gemspec @@ -1,6 +1,6 @@ Gem::Specification.new do |s| s.name = 'logstash-mixin-aws' - s.version = '4.3.0' + s.version = '4.5.0' s.licenses = ['Apache License (2.0)'] s.summary = "AWS mixins to provide a unified interface for Amazon Webservice" s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program" diff --git a/spec/plugin_mixin/aws_config_spec.rb b/spec/plugin_mixin/aws_config_spec.rb index 9d8a261..36953a2 100644 --- a/spec/plugin_mixin/aws_config_spec.rb +++ b/spec/plugin_mixin/aws_config_spec.rb @@ -1,4 +1,8 @@ # encoding: utf-8 +#$LOAD_PATH.unshift(File.expand_path(File.join(__FILE__, "..","..","..","lib" ))) +#require "bootstrap/environment" +#Gem.use_paths(LogStash::Environment.logstash_gem_home) + require "logstash/devutils/rspec/spec_helper" require "logstash/plugin_mixins/aws_config" require 'aws-sdk' From d4a49da702a83a5cb2236daaa8364f6b72b74241 Mon Sep 17 00:00:00 2001 From: Chris Abberley <26394346+cabberley@users.noreply.github.com> Date: Wed, 29 Jul 2020 03:32:21 +0000 Subject: [PATCH 11/14] Fixed --- lib/logstash/plugin_mixins/aws_config/v2.rb | 44 ++++++++++----------- 1 file changed, 21 insertions(+), 23 deletions(-) diff --git a/lib/logstash/plugin_mixins/aws_config/v2.rb b/lib/logstash/plugin_mixins/aws_config/v2.rb index 2dc1a1f..8a15a77 100644 
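Review bot: The three commented-out lines added at the top of the spec (`#$LOAD_PATH.unshift(…)`, `#require "bootstrap/environment"`, `#Gem.use_paths(…)`) are local-environment scaffolding and should not be committed, even disabled. If running the spec outside the Logstash tree needs them, a short paragraph in the README or a Rake task is the place for it, not comments in the spec file.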
--- a/lib/logstash/plugin_mixins/aws_config/v2.rb +++ b/lib/logstash/plugin_mixins/aws_config/v2.rb @@ -37,22 +37,26 @@ def aws_options_hash private def credentials @creds ||= begin - if @role_arn && @role_session_name - #assume_role + if @role_arn && @role_session_name && @access_key_id && @secret_access_key + #assume_role providing all IAM for cross account in conf + Aws::AssumeRoleCredentials.new( + :client => Aws::STS::Client.new(access_key_id: @access_key_id, secret_access_key: @secret_access_key.value, region: @region, http_proxy: @proxy_uri), + :role_arn => @role_arn, + :role_session_name => @role_session_name, + :external_id => @external_id) + elsif @role_arn && @role_session_name + #assume_role providing only ARN in conf and using AWS credential as per SDK search order + Aws::AssumeRoleCredentials.new( + :client => Aws::STS::Client.new( region: @region), + :role_arn => @role_arn, + :role_session_name => @role_session_name, + :external_id => @external_id) + elsif @access_key_id && @secret_access_key + #straight IAM from conf file credentials_opts = { :access_key_id => @access_key_id, :secret_access_key => @secret_access_key.value - } - Aws::AssumeRoleCredentials.new( - :client => Aws::STS::Client.new(access_key_id: @access_key_id, secret_access_key: @secret_access_key.value, region: @region), - :role_arn => @role_arn, - :role_session_name => @role_session_name, - :external_id => @external_id) - elsif @access_key_id && @secret_access_key - credentials_opts = { - :access_key_id => @access_key_id, - :secret_access_key => @secret_access_key.value - } + } if @session_token credentials_opts[:session_token] = @session_token.value end 
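Review bot: The STS client in the static-key role branch is built without the session token: when the operator supplies temporary keys (`access_key_id`, `secret_access_key` and `session_token`, the combination the spec's 'temporary credential' context covers), `Aws::STS::Client.new(access_key_id: …, secret_access_key: …)` sends a session-scoped key without its token and the AssumeRole call is rejected. The proxy is also honoured only in that branch: the `elsif @role_arn && @role_session_name` branch constructs `Aws::STS::Client.new( region: @region)` with no `http_proxy`, so #40 does not apply to the default-credential-chain case. Both branches are identical apart from the client options, so one branch with a conditionally populated options hash removes the duplication; `:external_id => @external_id` is passed as nil when unset, which the SDK presumably tolerates, but adding the key only when present is the safer contract. The `elsif @access_key_id` and credentials-file branches continue past this hunk.
```ruby
if @role_arn && @role_session_name
  sts_opts = { :region => @region }
  sts_opts[:http_proxy] = @proxy_uri if @proxy_uri
  if @access_key_id && @secret_access_key
    # explicit keys from the config take precedence over the SDK search order
    sts_opts[:access_key_id] = @access_key_id
    sts_opts[:secret_access_key] = @secret_access_key.value
    sts_opts[:session_token] = @session_token.value if @session_token
  end
  assume_opts = {
    :client => Aws::STS::Client.new(sts_opts),
    :role_arn => @role_arn,
    :role_session_name => @role_session_name
  }
  assume_opts[:external_id] = @external_id if @external_id
  Aws::AssumeRoleCredentials.new(assume_opts)
elsif @access_key_id && @secret_access_key
  # … unchanged: static Aws::Credentials branch …
```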
@@ -60,20 +64,14 @@ def credentials credentials_opts[:secret_access_key], credentials_opts[:session_token]) elsif @aws_credentials_file - credentials_opts = YAML.load_file(@aws_credentials_file) - Aws::Credentials.new(credentials_opts[:access_key_id], + #load IAM details from file + credentials_opts = YAML.load_file(@aws_credentials_file) + Aws::Credentials.new(credentials_opts[:access_key_id], credentials_opts[:secret_access_key], credentials_opts[:session_token]) end end end - - def assume_role - Aws::AssumeRoleCredentials.new( - :client => Aws::STS::Client.new(:access_key_id => @access_key_id, :secret_access_key => @secret_access_key, :region => @region), - :role_arn => @role_arn, - :role_session_name => @role_session_name, - :external_id => @external_id) - end + end From be231b95c754b2695667ca732f5f471e4234750e Mon Sep 17 00:00:00 2001 From: Chris Abberley <26394346+cabberley@users.noreply.github.com> Date: Wed, 29 Jul 2020 04:09:44 +0000 Subject: [PATCH 12/14] updated Changelog and gemspec --- CHANGELOG.md | 5 +++-- logstash-mixin-aws.gemspec | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c8b524a..9f87749 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,8 +1,9 @@ ## Unreleased - - Add external_id Attribute option for AWS AssumeRole V2 #46 + - Added new functionality to enable using external_id Attribute option for AWS AssumeRole V2 #46 - Update aws-sdk dependency to '~ 2.11' - Update aws-SDK to '~> 2.11' - - Changed logic to enable AssumeRole to work when not on AWS ec2, in addition to original code that used IAM of ec2 vm V2 #44 + - Changed logic to enable AssumeRole to work when not on AWS ec2 and when config provides access key and secret #44 + - Incorporated HTTP_Proxy attribute as well from branch #41 - Added HTTP_Proxy option for Assume Role V2 #40 ## 4.3.0 diff --git a/logstash-mixin-aws.gemspec b/logstash-mixin-aws.gemspec index fd1fc64..518e01f 100644 --- a/logstash-mixin-aws.gemspec 
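Review bot: The re-indented `credentials_opts = YAML.load_file(@aws_credentials_file)` still uses the full YAML loader, which will instantiate any Ruby class named in the file; the file is operator-controlled so the exposure is limited, but `YAML.safe_load` with `Symbol` permitted (the result is indexed with symbol keys on the next line) restricts it to plain data at no cost. The comment `#load IAM details from file` would be more useful as `# Static credentials from a YAML file with :access_key_id, :secret_access_key and optional :session_token keys`. Removing the dead `assume_role` helper is correct, since nothing in the new chain called it.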
+++ b/logstash-mixin-aws.gemspec @@ -1,6 +1,6 @@ Gem::Specification.new do |s| s.name = 'logstash-mixin-aws' - s.version = '4.5.0' + s.version = '4.4.0' s.licenses = ['Apache License (2.0)'] s.summary = "AWS mixins to provide a unified interface for Amazon Webservice" s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program" From 4fa5291a7ad7043e70227eefed9088bd0c127dd4 Mon Sep 17 00:00:00 2001 From: Chris Abberley <26394346+cabberley@users.noreply.github.com> Date: Wed, 29 Jul 2020 04:19:54 +0000 Subject: [PATCH 13/14] finished --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9f87749..d2efa77 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ - Update aws-SDK to '~> 2.11' - Changed logic to enable AssumeRole to work when not on AWS ec2 and when config provides access key and secret #44 - Incorporated HTTP_Proxy attribute as well from branch #41 - - Added HTTP_Proxy option for Assume Role V2 #40 + - Added HTTP_Proxy option for Assume Role V2 #40. ## 4.3.0 - Drop strict value validation for region option #36 From 81b6cbd692ebf32414413e947cbcf7653e33a9de Mon Sep 17 00:00:00 2001 From: Chris Abberley <26394346+cabberley@users.noreply.github.com> Date: Wed, 29 Jul 2020 04:23:29 +0000 Subject: [PATCH 14/14] ready for review and merging --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d2efa77..9f87749 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,7 +4,7 @@ - Update aws-SDK to '~> 2.11' - Changed logic to enable AssumeRole to work when not on AWS ec2 and when config provides access key and secret #44 - Incorporated HTTP_Proxy attribute as well from branch #41 - - Added HTTP_Proxy option for Assume Role V2 #40. + - Added HTTP_Proxy option for Assume Role V2 #40 ## 4.3.0 - Drop strict value validation for region option #36