
Add possibility of collecting accessKey from root user and not just current user #13

Open
devasmith opened this issue Oct 24, 2022 · 3 comments

Comments

@devasmith

SUMMARY

Is it possible to add a feature for getting information about S3 access keys that are associated with the root account and possibly other accounts?

You can get there in the GUI by impersonating an account -> Users -> root -> Access keys.

We are using federated accounts that have root access to acquire the necessary tokens.

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

netapp.storagegrid.na_sg_org_info

ADDITIONAL INFORMATION

At the moment we store access keys within the root user. We would like to gitops the procedure of creating buckets and s3 keys. Example play below.

  - name: Create StorageGRID Tenants
    netapp.storagegrid.na_sg_grid_account:
      api_url: "{{ grid_admin_base_url }}"
      auth_token: "{{ auth.json.data }}"
      root_access_group: "{{ sg_root_access_group }}"
      state: present
      name: "{{ item.name }}"
      protocol: s3
      management: true
      use_own_identity_source: false
      allow_platform_services: true
      quota_size: 0
    no_log: true
    register: account
    loop: "{{ sg_tenants }}"

  - name: Get tenant Authorization token
    ansible.builtin.uri:
      url: "{{ grid_admin_base_url }}/api/v3/authorize"
      method: POST
      body:
        accountId: "{{ item.resp.id }}"
        username: "{{ sg_username.user_input | default(sg_user) }}"
        password: "{{ sg_password.user_input }}"
      body_format: json
      validate_certs: true
    register: auth
    loop: "{{ account.results }}"

  ### Possible scenario ###
  - name: Gather StorageGRID Org info s3 access keys
    netapp.storagegrid.na_sg_org_info:
      api_url: "{{ grid_admin_base_url }}"
      auth_token: "{{ item.json.data }}"
      gather_subset:
        - org_users_current_root_user_s3_access_keys_info
    register: sg_s3keys
    loop: "{{ auth.results }}"

  - name: Create a s3 key for our users
    netapp.storagegrid.na_sg_org_user_s3_key:
      access_key: "{{ item[0].resp.accessKey }}"
      api_url: "{{ grid_admin_base_url }}"
      auth_token: "{{ item[1].json.data }}"
      state: present
      unique_user_name: "{{ sg_unique_user_name }}"
    register: sg_s3keys
    with_nested:
      - "{{ sg_s3keys.results }}"
      - "{{ auth.results }}"
@joshedmonds
Contributor

@devasmith can you clarify some details about this request...

When you say "impersonating an account" in the GUI, this is still logging into a particular tenancy with specific credentials, right?

In the proposed playbook you're looping over the list of tenants and getting a token for each, so this makes sense. But then you want to collect access keys for the root user of each tenancy. These wouldn't exist though if you've only just created the tenancy? Additionally, the API doesn't return s3 key details after they're created so it wouldn't be possible to read the key like this.

The other issue I see is in the last task for creating an s3 key for users - the API doesn't allow explicitly setting an access key ID when creating a key. This is system generated instead.

@devasmith
Author

@joshedmonds thanks for getting back to me.

Yes that is correct.

I've solved this with the uri module as shown below.

- name: Gather access keys information from root user
  ansible.builtin.uri:
    url: "{{ grid_admin_base_url }}/api/v3/org/users/00000000-0000-0000-0000-000000000000/s3-access-keys"
    headers:
      Authorization: "Bearer {{ item.0.json.data }}"
      accept: application/json
    method: get
    body_format: json
  check_mode: false
  register: sg_root_access_keys
  loop_control:
    label: "{{ item.1.name }}"
  loop: "{{ auth.results | zip(sg_tenants) | list }}"

- name: Create s3 keys on root user for our tenant if no keys exist
  netapp.storagegrid.na_sg_org_user_s3_key:
    api_url: "{{ grid_admin_base_url }}"
    auth_token: "{{ item.0.json.data }}"
    state: present
    unique_user_name: "{{ sg_unique_user_name }}"
  register: sg_s3keys
  loop: "{{ auth.results | zip(sg_root_access_keys.results, sg_tenants) | list }}"
  loop_control:
    label: "{{ item.2.name }}"
  when: not item.1.json.data | length > 0

What I wanted to avoid was generating a new access key when one already exists.
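The same "create a root S3 key only if none exists" check from the proposed scenario and the uri-based solution above, written in Python as an added example (not the collection's code nor the poster's playbook). It uses the tenant API path from the thread; the POST body shape and the bearer-token transport are assumptions, and the in-memory API stand-in is constructed for offline use.

```python
import json
import urllib.request

# Root user id used in the thread's uri task
ROOT_USER_ID = "00000000-0000-0000-0000-000000000000"


def org_s3_keys_path(user_id=ROOT_USER_ID):
    # Tenant API path from the issue: GET lists keys; POST creating one is an assumption here
    return f"/api/v3/org/users/{user_id}/s3-access-keys"


def ensure_root_s3_key(api_call, tenant_token):
    """Idempotent version of the playbook: list first, create only when the list is empty.

    api_call(method, path, token, body=None) -> parsed JSON body (injected transport).
    Returns ("exists", [access key ids]) or ("created", new key record)."""
    existing = api_call("GET", org_s3_keys_path(), tenant_token)["data"]
    if existing:
        # Existing keys never expose the secret again, so only the ids are usable here
        return "exists", [k["accessKey"] for k in existing]
    created = api_call("POST", org_s3_keys_path(), tenant_token, {})["data"]
    # The secret is only present in this response: capture it now or it is gone
    return "created", created


def http_api_call(base_url):
    """Real transport mirroring the uri task's headers (assumption: Bearer auth, JSON bodies)."""
    def call(method, path, token, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method, headers={
            "Authorization": f"Bearer {token}", "Accept": "application/json",
            "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return call


class FakeTenantApi:
    """Constructed stand-in for the tenant API so the check can run offline."""
    def __init__(self, keys_per_token):
        self.keys = keys_per_token  # token -> list of key records already present
        self.calls = []

    def __call__(self, method, path, token, body=None):
        self.calls.append((method, path, token))
        store = self.keys.setdefault(token, [])
        if method == "GET":
            return {"data": [{"accessKey": k["accessKey"]} for k in store]}  # no secrets
        rec = {"accessKey": f"AK-CONSTRUCTED-{len(store)}", "secretAccessKey": "constructed-secret"}
        store.append(rec)
        return {"data": rec}
```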

@joshedmonds
Contributor

Understood, thanks!

Will create an internal ticket to look at uplifting the na_sg_org_info module to provide this capability.
