From c2928f57084bfb5a54daf42beec91bc517b2b25d Mon Sep 17 00:00:00 2001
From: "opensearch-trigger-bot[bot]" <98922864+opensearch-trigger-bot[bot]@users.noreply.github.com>
Date: Wed, 9 Oct 2024 13:09:37 -0700
Subject: [PATCH] support role temporary credential in connector tutorial (#3058) (#3084)

Signed-off-by: Yaliang Wu
(cherry picked from commit 75d454e4323fbd81a0cb22c7f1a5cf548de1ad5b)

Co-authored-by: Yaliang Wu
---
 docs/tutorials/aws/AIConnectorHelper.ipynb | 81 ++++++++++++++++------
 1 file changed, 59 insertions(+), 22 deletions(-)

diff --git a/docs/tutorials/aws/AIConnectorHelper.ipynb b/docs/tutorials/aws/AIConnectorHelper.ipynb
index ff2a1f2b4a..3df81cf1ff 100644
--- a/docs/tutorials/aws/AIConnectorHelper.ipynb
+++ b/docs/tutorials/aws/AIConnectorHelper.ipynb
@@ -18,12 +18,13 @@
 "# This Python code is compatible with AWS OpenSearch versions 2.9 and higher.\n",
 "class AIConnectorHelper:\n",
 " \n",
- " def __init__(self, region, opensearch_domain_name, opensearch_domain_username, opensearch_domain_password, aws_user_name):\n",
+ " def __init__(self, region, opensearch_domain_name, opensearch_domain_username, opensearch_domain_password, aws_user_name, aws_role_name):\n",
 " self.region = region\n",
 " self.opensearch_domain_url, self.opensearch_domain_arn = AIConnectorHelper.get_opensearch_domain_info(region, opensearch_domain_name)\n",
 " self.opensearch_domain_username = opensearch_domain_username\n",
 " self.opensearch_domain_opensearch_domain_password = opensearch_domain_password\n",
 " self.aws_user_name = aws_user_name\n",
+ " self.aws_role_name = aws_role_name\n",
 " \n",
 " @staticmethod \n",
 " def get_opensearch_domain_info(region, domain_name):\n",
@@ -46,6 +47,8 @@
 " return None, None\n",
 " \n",
 " def get_user_arn(self, username):\n",
+ " if not username:\n",
+ " return None\n",
 " # Create a boto3 client for IAM\n",
 " iam_client = boto3.client('iam')\n",
 "\n",
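Review bot: `__init__` in the first hunk adds `aws_role_name` as a required positional parameter, so every existing caller that passes the five original arguments now fails with a TypeError, even though the tutorial text added later in this patch says the name you do not need may be set to None. Giving it a default, `def __init__(self, region, opensearch_domain_name, opensearch_domain_username, opensearch_domain_password, aws_user_name, aws_role_name=None):`, keeps existing notebooks working and matches that None convention; the assignment `self.aws_role_name = aws_role_name` needs no change. The constructor body is fully visible in the hunk, but the class continues past it.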
@@ -172,6 +175,8 @@
 " return None\n",
 "\n",
 " def get_role_arn(self, role_name):\n",
+ " if not role_name:\n",
+ " return None\n",
 " iam_client = boto3.client('iam')\n",
 " try:\n",
 " response = iam_client.get_role(RoleName=role_name)\n",
@@ -374,7 +379,7 @@
 " \"Statement\": [\n",
 " {\n",
 " \"Action\": [\n",
- " \"secretsmanager:GetSecretValue\"\n",
+ " \"secretsmanager:GetSecretValue\",\n",
 " \"secretsmanager:DescribeSecret\"\n",
 " ],\n",
 " \"Effect\": \"Allow\",\n",
@@ -395,17 +400,27 @@
 " # Step 3: Configure IAM role in OpenSearch\n",
 " # 3.1 Create IAM role for Signing create connector request\n",
 " user_arn = self.get_user_arn(self.aws_user_name)\n",
+ " role_arn = self.get_role_arn(self.aws_role_name)\n",
+ " statements = []\n",
+ " if user_arn:\n",
+ " statements.append({\n",
+ " \"Effect\": \"Allow\",\n",
+ " \"Principal\": {\n",
+ " \"AWS\": user_arn\n",
+ " },\n",
+ " \"Action\": \"sts:AssumeRole\"\n",
+ " })\n",
+ " if role_arn:\n",
+ " statements.append({\n",
+ " \"Effect\": \"Allow\",\n",
+ " \"Principal\": {\n",
+ " \"AWS\": role_arn\n",
+ " },\n",
+ " \"Action\": \"sts:AssumeRole\"\n",
+ " })\n",
 " trust_policy = {\n",
 " \"Version\": \"2012-10-17\",\n",
- " \"Statement\": [\n",
- " {\n",
- " \"Effect\": \"Allow\",\n",
- " \"Principal\": {\n",
- " \"AWS\": user_arn\n",
- " },\n",
- " \"Action\": \"sts:AssumeRole\"\n",
- " }\n",
- " ]\n",
+ " \"Statement\": statements\n",
 " }\n",
 "\n",
 " inline_policy = {\n",
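Review bot: In the `@@ -395` hunk (and the line-for-line identical block in the `@@ -486` hunk of the second method), `statements` stays empty when neither lookup yields an ARN — both `get_user_arn` and `get_role_arn` now return None for an empty name, and the `get_role_arn` hunk shows `return None` on its error path too — so `trust_policy` is built with `"Statement": []` and carries no trusted principal at all; unless code below the hunk rejects that, the misconfiguration only surfaces later as an IAM policy error rather than as a message about the two names. A guard just before `trust_policy = {` makes the requirement explicit: `if not statements:` / `raise ValueError("aws_user_name or aws_role_name must resolve to an IAM principal ARN")`. Since the statement-building code is duplicated in both methods, a small helper that builds the trust policy from the two ARNs and performs this check once would keep the copies from drifting apart. Both enclosing methods start and end outside their hunks.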
@@ -486,17 +501,27 @@
 " # Step 2: Configure IAM role in OpenSearch\n",
 " # 2.1 Create IAM role for Signing create connector request\n",
 " user_arn = self.get_user_arn(self.aws_user_name)\n",
+ " role_arn = self.get_role_arn(self.aws_role_name)\n",
+ " statements = []\n",
+ " if user_arn:\n",
+ " statements.append({\n",
+ " \"Effect\": \"Allow\",\n",
+ " \"Principal\": {\n",
+ " \"AWS\": user_arn\n",
+ " },\n",
+ " \"Action\": \"sts:AssumeRole\"\n",
+ " })\n",
+ " if role_arn:\n",
+ " statements.append({\n",
+ " \"Effect\": \"Allow\",\n",
+ " \"Principal\": {\n",
+ " \"AWS\": role_arn\n",
+ " },\n",
+ " \"Action\": \"sts:AssumeRole\"\n",
+ " })\n",
 " trust_policy = {\n",
 " \"Version\": \"2012-10-17\",\n",
- " \"Statement\": [\n",
- " {\n",
- " \"Effect\": \"Allow\",\n",
- " \"Principal\": {\n",
- " \"AWS\": user_arn\n",
- " },\n",
- " \"Action\": \"sts:AssumeRole\"\n",
- " }\n",
- " ]\n",
+ " \"Statement\": statements\n",
 " }\n",
 "\n",
 " inline_policy = {\n",
@@ -571,7 +596,7 @@
 "opensearch_domain_password = '...' # set your domain password\n",
 "\n",
 "aws_user_name = '...' # set your AWS IAM user name, not IAM user ARN. \n",
- " # To avoid permission issue and quick start, you can use user whith AdministratorAccess policy\n",
+ " # To avoid permission issue and quick start, you can use user with AdministratorAccess policy\n",
 " # Configure this user's access key and secret key in ~/.aws/credential \n",
 " # You can configure ~/.aws/credential as:\n",
 "'''\n",
@@ -579,12 +604,24 @@
 "AWS_ACCESS_KEY_ID = YOUR_ACCESS_KEY_ID\n",
 "AWS_SECRET_ACCESS_KEY = YOUR_SECRET_ACCESS_KEY\n",
 "'''\n",
+ "aws_role_name = '...' # set your AWS IAM role name, not IAM role ARN.\n",
+ " # To avoid permission issue and quick start, you can use role with AdministratorAccess policy\n",
+ " # You can configure role temporary credential in ~/.aws/credential as:\n",
+ "'''\n",
+ "[default]\n",
+ "AWS_ACCESS_KEY_ID = YOUR_ACCESS_KEY_ID\n",
+ "AWS_SECRET_ACCESS_KEY = YOUR_SECRET_ACCESS_KEY\n",
+ "AWS_SESSION_TOKEN = YOUR_AWS_SESSION_TOKEN\n",
+ "'''\n",
+ "# You must set either aws_user_name or aws_role_name. \n",
+ "# You can set the one which you don't need as None. For example aws_role_name=None\n",
 "\n",
 "helper = AIConnectorHelper(region, \n",
 " opensearch_domain_name, \n",
 " opensearch_domain_username, \n",
 " opensearch_domain_password, \n",
- " aws_user_name)"
+ " aws_user_name,\n",
+ " aws_role_name)"
 ]
 },
 {
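Review bot: The new comment `# You can configure role temporary credential in ~/.aws/credential as:` and the sample block under it do not match the shared credentials file the AWS SDK actually reads: the file is `~/.aws/credentials`, and its documented keys are lowercase `aws_access_key_id`, `aws_secret_access_key` and `aws_session_token`, whereas the `AWS_*` spellings shown are the environment-variable names (the same wording already existed in the user block above, so this patch repeats it rather than introduces it; whether the parser also accepts the uppercase form I cannot confirm from here). Because these are session credentials, the comment should also say that they expire and must be refreshed before the notebook is re-run, since every boto3 call in the helper fails once the session token lapses. Suggested wording: `# You can configure the role's temporary credentials in ~/.aws/credentials (keys: aws_access_key_id, aws_secret_access_key, aws_session_token); they expire, so refresh them before re-running.`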