-
Notifications
You must be signed in to change notification settings - Fork 111
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(remote/aws): support AWS Secrets Manager as remote component #718
Open
hainenber
wants to merge
12
commits into
grafana:main
Choose a base branch
from
hainenber:support-aws-secret-manager-as-remote-component
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
12 commits
Select commit
Hold shift + click to select a range
0613cec
feat(comp/common/cfg/aws): separate package for common typse and func…
hainenber 4043010
feat(comp/remote/s3): use util func and type for AWS client config
hainenber cbdb0e3
feat(comp/test): expose internal test component to check for its health
hainenber 7824d1d
feat(comp/remote/aws/secrets_manager): add `remote.aws.secrets_manager`
hainenber 5ccfc92
fix(comp/remote/aws/secret_manager): correct go:build directive to ru…
hainenber 631a2a2
feat(remote/aws/secrets_manager): implement poller + update doc
hainenber 4a9dc80
fix(remote/aws/secrets_manager): only reset poller's ticker when init…
hainenber 21f1b2e
Apply suggestions from Clayton's code review
hainenber 1e2dcfc
chore: clean up `go.mod`
hainenber 20a34d0
chore: use renamed `internal/runtime` for component test
hainenber a417e68
Merge branch 'main' into support-aws-secret-manager-as-remote-component
hainenber 48fd080
chore(build): reconcile go.sum
hainenber File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
97 changes: 97 additions & 0 deletions
97
docs/sources/reference/components/remote.aws.secrets_manager.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,97 @@ | ||
--- | ||
canonical: https://grafana.com/docs/alloy/latest/reference/components/remote.aws.secrets_manager/ | ||
description: Learn about remote.aws.secrets_manager | ||
title: remote.aws.secrets_manager | ||
--- | ||
|
||
# remote.aws.secret_manager | ||
|
||
`remote.aws.secrets_manager` securely exposes the secrets located in [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) to other components. | ||
By default, the secret is fetched once only at startup. If configured, the secret is polled for changes so that the most recent value is always available. | ||
|
||
{{< admonition type="note" >}} | ||
The polling for changes could incur costs due to frequent API calls. | ||
{{< /admonition >}} | ||
|
||
You can specify multiple `remote.aws.secrets_manager` components by giving them different labels. | ||
By default, [AWS environment variables][] are used to authenticate against AWS. | ||
For custom authentication, you can use the `key` and `secret` arguments inside `client` blocks. | ||
|
||
[AWS environment variables]: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html | ||
|
||
## Usage | ||
|
||
```alloy | ||
remote.aws.secrets_manager "LABEL" { | ||
id = AWS_SECRETS_MANAGER_SECRET_ID | ||
} | ||
``` | ||
|
||
## Arguments | ||
|
||
The following arguments are supported: | ||
|
||
Name | Type | Description | Default | Required | ||
-----------------|------------|--------------------------------------------------------------------------|---------|--------- | ||
`id` | `string` | Secret ID. | | yes | ||
`poll_frequency` | `duration` | How often to poll the API for changes. | | no | ||
|
||
## Blocks | ||
|
||
Hierarchy | Name | Description | Required | ||
----------|------------|----------------------------------------------------|--------- | ||
client | [client][] | Additional AWS client configuration options. | no | ||
|
||
[client]: #client-block | ||
|
||
### client block | ||
|
||
The `client` block customizes options to connect to the AWS server. | ||
|
||
Name | Type | Description | Default | Required | ||
-----------------|----------|-----------------------------------------------------------------------------------------|---------|--------- | ||
`key` | `string` | Used to override default access key. | | no | ||
`secret` | `secret` | Used to override default secret value. | | no | ||
`disable_ssl` | `bool` | Used to disable SSL, generally used for testing. | | no | ||
`region` | `string` | Used to override default region. | | no | ||
`signing_region` | `string` | Used to override the signing region when using a custom endpoint. | | no | ||
|
||
|
||
## Exported fields | ||
|
||
The following fields are exported and can be referenced by other components: | ||
|
||
Name | Type | Description | ||
----------|----------------------|--------------------------------------------------------- | ||
`data` | `map(secret)` | Data from the secret obtained from AWS Secrets Manager. | ||
|
||
The `data` field contains a mapping from data field names to values. | ||
|
||
## Component health | ||
|
||
Instances of `remote.aws.secrets_manager` report as healthy if the most recent fetch of stored secrets was successful. | ||
|
||
## Debug information | ||
|
||
`remote.aws.secrets_manager` doesn't expose any component-specific debug information. | ||
|
||
## Debug metrics | ||
|
||
`remote.aws.secrets_manager` doesn't expose any component-specific debug metrics. | ||
|
||
## Example | ||
|
||
```alloy | ||
remote.aws.secrets_manager "data" { | ||
id = "foo" | ||
} | ||
|
||
metrics.remote_write "prod" { | ||
remote_write { | ||
url = "https://onprem-mimir:9009/api/v1/push" | ||
basic_auth { | ||
username = remote.vault.remote_write.data.username | ||
password = remote.vault.remote_write.data.password | ||
} | ||
} | ||
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,86 @@ | ||
package aws | ||
|
||
import ( | ||
"context" | ||
"crypto/tls" | ||
"fmt" | ||
"net/http" | ||
|
||
"github.com/aws/aws-sdk-go-v2/aws" | ||
aws_config "github.com/aws/aws-sdk-go-v2/config" | ||
"github.com/grafana/alloy/syntax/alloytypes" | ||
) | ||
|
||
// Client implements specific AWS configuration options | ||
type Client struct { | ||
AccessKey string `alloy:"key,attr,optional"` | ||
Secret alloytypes.Secret `alloy:"secret,attr,optional"` | ||
Endpoint string `alloy:"endpoint,attr,optional"` | ||
DisableSSL bool `alloy:"disable_ssl,attr,optional"` | ||
Region string `alloy:"region,attr,optional"` | ||
SigningRegion string `alloy:"signing_region,attr,optional"` | ||
} | ||
|
||
func GenerateAWSConfig(o Client) (*aws.Config, error) { | ||
configOptions := make([]func(*aws_config.LoadOptions) error, 0) | ||
// Override the endpoint. | ||
if o.Endpoint != "" { | ||
endFunc := aws.EndpointResolverWithOptionsFunc(func(service, region string, _ ...interface{}) (aws.Endpoint, error) { | ||
// The S3 compatible system used for testing with does not require signing region, so it's fine to be blank | ||
// but when using a proxy to real S3 it needs to be injected. | ||
return aws.Endpoint{ | ||
PartitionID: "aws", | ||
URL: o.Endpoint, | ||
SigningRegion: o.SigningRegion, | ||
}, nil | ||
}) | ||
endResolver := aws_config.WithEndpointResolverWithOptions(endFunc) | ||
configOptions = append(configOptions, endResolver) | ||
} | ||
|
||
// This incredibly nested option turns off SSL. | ||
if o.DisableSSL { | ||
httpOverride := aws_config.WithHTTPClient( | ||
&http.Client{ | ||
Transport: &http.Transport{ | ||
TLSClientConfig: &tls.Config{ | ||
InsecureSkipVerify: o.DisableSSL, | ||
}, | ||
}, | ||
}, | ||
) | ||
configOptions = append(configOptions, httpOverride) | ||
} | ||
|
||
if o.Region != "" { | ||
configOptions = append(configOptions, aws_config.WithRegion(o.Region)) | ||
} | ||
Comment on lines
+55
to
+57
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This wasn't set before in the old code; does this break anything for remote.s3? |
||
|
||
// Check to see if we need to override the credentials, else it will use the default ones. | ||
// https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html | ||
if o.AccessKey != "" { | ||
if o.Secret == "" { | ||
return nil, fmt.Errorf("if accesskey or secret are specified then the other must also be specified") | ||
} | ||
credFunc := aws.CredentialsProviderFunc(func(ctx context.Context) (aws.Credentials, error) { | ||
return aws.Credentials{ | ||
AccessKeyID: o.AccessKey, | ||
SecretAccessKey: string(o.Secret), | ||
}, nil | ||
}) | ||
credProvider := aws_config.WithCredentialsProvider(credFunc) | ||
configOptions = append(configOptions, credProvider) | ||
} | ||
|
||
cfg, err := aws_config.LoadDefaultConfig(context.TODO(), configOptions...) | ||
if err != nil { | ||
return nil, err | ||
} | ||
|
||
// Set region. | ||
if o.Region != "" { | ||
cfg.Region = o.Region | ||
} | ||
|
||
return &cfg, nil | ||
} |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This wasn't set before in the old code; does this break anything for remote.s3?