
Export AWS Access Credentials If Needed #194

Merged
merged 7 commits into from
Jul 11, 2023
3 changes: 2 additions & 1 deletion .example.env
Expand Up @@ -16,6 +16,7 @@ VEDA_DOMAIN_ALT_HOSTED_ZONE_ID=[OPTIONAL SECOND HOSTED ZONE]
VEDA_DOMAIN_ALT_HOSTED_ZONE_NAME=[OPTIONAL SECOND DOMAIN]

VEDA_RASTER_ENABLE_MOSAIC_SEARCH=TRUE
VEDA_RASTER_DATA_ACCESS_ROLE_ARN=[OPTIONAL ARN OF IAM ROLE TO BE ASSUMED BY RASTER API]
VEDA_RASTER_DATA_ACCESS_ROLE_ARN=[OPTIONAL ARN OF IAM ROLE TO BE ASSUMED BY RASTER API]
VEDA_RASTER_EXPORT_ASSUME_ROLE_CREDS_AS_ENVS=False

VEDA_DB_PUBLICLY_ACCESSIBLE=TRUE
2 changes: 2 additions & 0 deletions docker-compose.yml
Expand Up @@ -84,6 +84,8 @@ services:
- AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
# API Config
- VEDA_RASTER_ENABLE_MOSAIC_SEARCH=TRUE
- VEDA_RASTER_EXPORT_ASSUME_ROLE_CREDS_AS_ENVS=TRUE


depends_on:
- database
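Review bot: With `VEDA_RASTER_EXPORT_ASSUME_ROLE_CREDS_AS_ENVS=TRUE` set here, the raster process will, on the assume-role path, overwrite the `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` values that this same service block injects a few lines above, so the static credentials given to the container are only the bootstrap identity and the runtime identity becomes the assumed role. That interaction is easy to miss when reading the compose file alone; a one-line comment would make it explicit, e.g. `# when TRUE the raster API replaces the AWS_* vars above with assumed-role credentials at runtime (see raster_api/runtime/src/config.py)`. The extra blank line added in this hunk looks unintentional.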
5 changes: 5 additions & 0 deletions raster_api/infrastructure/config.py
Expand Up @@ -59,6 +59,11 @@ class vedaRasterSettings(BaseSettings):
description="Resource name of role permitting access to specified external S3 buckets",
)

export_assume_role_creds_as_envs: Optional[bool] = Field(
False,
description="enables 'get_gdal_config' flow to export AWS credentials as os env vars",
)

aws_request_payer: Optional[str] = Field(
None,
description="Set optional global parameter to 'requester' if the requester agrees to pay S3 transfer costs",
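Review bot: The `description` on `export_assume_role_creds_as_envs` tells a deployer what the flag does mechanically but not what it implies: the exported credentials are process-wide, visible to anything that reads `os.environ`, inherited by child processes, and the field docs do not say they are a workaround. Suggest a fuller description such as `"Workaround for issue #192: write the assumed data_access_role_arn credentials into the process environment (process-wide, not reverted) so nested rasterio.Env contexts pick them up"`. The same field with the identical description is added to `raster_api/runtime/src/config.py` in this PR and should carry the same wording. As a point of style, the field is a pure flag with a `False` default, so `bool` rather than `Optional[bool]` would express the contract more precisely; `vedaRasterSettings` starts before this hunk and continues after it.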
2 changes: 1 addition & 1 deletion raster_api/runtime/src/app.py
Expand Up @@ -40,7 +40,6 @@
logging.getLogger("rio-tiler").setLevel(logging.ERROR)

settings = ApiSettings()

templates = Jinja2Templates(directory=str(resources_files(__package__) / "templates")) # type: ignore

if settings.debug:
Expand All @@ -54,6 +53,7 @@
add_exception_handlers(app, DEFAULT_STATUS_CODES)
add_exception_handlers(app, MOSAIC_STATUS_CODES)


# Custom PgSTAC mosaic tiler
mosaic = MosaicTilerFactory(
router_prefix="/mosaic",
22 changes: 22 additions & 0 deletions raster_api/runtime/src/config.py
Expand Up @@ -2,6 +2,7 @@

import base64
import json
import os
from typing import Optional

import boto3
Expand Down Expand Up @@ -83,6 +84,11 @@ def load_postgres_settings(self) -> "PostgresSettings":
description="Resource name of role permitting access to specified external S3 buckets",
)

export_assume_role_creds_as_envs: Optional[bool] = Field(
False,
description="enables 'get_gdal_config' flow to export AWS credentials as os env vars",
)

def get_gdal_config(self):
"""return default aws session config or assume role data_access_role_arn credentials session"""
# STS assume data access role for session credentials
Expand All @@ -91,6 +97,22 @@ def get_gdal_config(self):
data_access_credentials = get_role_credentials(
self.data_access_role_arn
)

# hack for issue https://github.com/NASA-IMPACT/veda-backend/issues/192
# which forces any nested `rasterio.Env` context managers (which run in separate threads)
# to pick up the assume-role `AWS_*` os env vars and re-init from there via:
# https://github.com/rasterio/rasterio/blob/main/rasterio/env.py#L204-L205
if self.export_assume_role_creds_as_envs:
os.environ["AWS_ACCESS_KEY_ID"] = data_access_credentials[
"AccessKeyId"
]
os.environ["AWS_SECRET_ACCESS_KEY"] = data_access_credentials[
"SecretAccessKey"
]
os.environ["AWS_SESSION_TOKEN"] = data_access_credentials[
"SessionToken"
]

return {
"session": AWSSession(
aws_access_key_id=data_access_credentials["AccessKeyId"],
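Review bot: The `os.environ[...]` assignments for `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` change the credentials of the whole process for its remaining lifetime, and nothing in this hunk restores the previous values or clears them when the STS session expires, so after the first call the environment can hold stale temporary credentials. Because the default boto3 credential chain consults those three variables before any instance or execution-role provider, a later `get_role_credentials(self.data_access_role_arn)` call that relies on the default session (its implementation is not visible here, so this is inferred) would attempt the AssumeRole with the previously exported assumed-role credentials instead of the execution identity, which is a different trust path than the one that worked on the first call. The comment block should state this rather than only pointing at the rasterio line, e.g. `# NOTE: process-wide and never reverted; the exported credentials expire with the STS session and will be seen by any code using the default credential chain`. Longer term it is worth checking whether the credentials can be passed to the nested `rasterio.Env` contexts explicitly so the environment write can be removed. `get_gdal_config` begins in the previous hunk and its `return` dict continues past the end of this one.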