Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: aws session creation is failing for s3 manager when roles are used #2799

Merged
merged 1 commit into from
Dec 13, 2022
Merged

fix: aws session creation is failing for s3 manager when roles are used #2799

merged 1 commit into from
Dec 13, 2022

Conversation

koladilip
Copy link
Contributor

@koladilip koladilip commented Dec 12, 2022
edited
Loading

Description

Unify AWS session config creation process so that it is consistent across all AWS destinations. Earlier S3 has slightly different process to create SessionConfing so when updated the session config creation in aws utils to support RoleBasedAuth flag, it got missed for S3 manager as it was using different implementation so this unification should prevent such errors in the future.

Notion Ticket

[Warehouse AWS Role support] https://www.notion.so/rudderstacks/Warehouse-destination-config-for-Role-base-Authentication-control-plane-db9198dce2024723959c224e91a11ef4

Security

  • The code changed/added as part of this pull request won't create any security issues with how the software is being used.

@koladilip koladilip changed the base branch from master to release/1.4.x December 12, 2022 11:11
@koladilip koladilip force-pushed the fix.s3_manager_populate_role_based_auth_flag branch from cd33f92 to d98c944 Compare December 12, 2022 11:23
@koladilip koladilip changed the title fix: populate role base auth flag in s3 manager fix: populate role based auth flag in s3 manager Dec 12, 2022
sachin-chand-tc
sachin-chand-tc approved these changes Dec 12, 2022
View reviewed changes
Copy link

@sachin-chand-tc sachin-chand-tc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@koladilip koladilip force-pushed the fix.s3_manager_populate_role_based_auth_flag branch from d98c944 to 9d5961c Compare December 12, 2022 11:33
@codecov
Copy link

codecov bot commented Dec 12, 2022
edited
Loading

Codecov Report

Base: 49.62% // Head: 46.92% // Decreases project coverage by -2.70% ⚠️

Coverage data is based on head (2bda02d) compared to base (e30fe25).
Patch coverage: 79.48% of modified lines in pull request are covered.

Additional details and impacted files 
@@                Coverage Diff                @@
##           release/1.4.x    #2799      +/-   ##
=================================================
- Coverage          49.62%   46.92%   -2.71%     
=================================================
  Files                311      301      -10     
  Lines              52797    49161    -3636     
=================================================
- Hits               26199    23067    -3132     
+ Misses             25062    24628     -434     
+ Partials            1536     1466      -70
Impacted Files Coverage Δ
warehouse/utils/utils.go 70.05% <0.00%> (-3.38%) ⬇️
services/filemanager/filemanager.go 79.64% <50.00%> (+1.01%) ⬆️
services/filemanager/s3manager.go 78.21% <92.30%> (-0.56%) ⬇️
utils/awsutils/session.go 96.96% <100.00%> (+0.30%) ⬆️
enterprise/config-env/noop.go 0.00% <0.00%> (-100.00%) ⬇️
testhelper/destination/redis.go 0.00% <0.00%> (-32.73%) ⬇️
router/throttler/throttler.go 35.16% <0.00%> (-27.03%) ⬇️
config/load.go 72.43% <0.00%> (-25.51%) ⬇️
regulation-worker/internal/client/client.go 66.42% <0.00%> (-17.85%) ⬇️
testhelper/health/checker.go 71.42% <0.00%> (-11.91%) ⬇️
... and 59 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

@atzoum
Copy link
Contributor

atzoum commented Dec 12, 2022
edited by koladilip
Loading

@koladilip what are we fixing and what issue did this cause? ref

atzoum
atzoum reviewed Dec 12, 2022
View reviewed changes
services/filemanager/s3manager_test.go
Comment on lines -41 to -69
func TestGetSessionConfigWithAccessKeys(t *testing.T) {
s3Manager := S3Manager{
Config: &S3Config{
Bucket: "someBucket",
AccessKeyID: "someAccessKeyId",
AccessKey: "someSecretAccessKey",
Region: aws.String("someRegion"),
},
}
awsSessionConfig := s3Manager.getSessionConfig()
assert.NotNil(t, awsSessionConfig)
assert.Equal(t, s3Manager.Config.AccessKey, awsSessionConfig.AccessKey)
assert.Equal(t, s3Manager.Config.AccessKeyID, awsSessionConfig.AccessKeyID)
}

func TestGetSessionConfigWithIAMRole(t *testing.T) {
s3Manager := S3Manager{
Config: &S3Config{
Bucket: "someBucket",
IAMRoleARN: "someIAMRole",
ExternalID: "someExternalID",
Region: aws.String("someRegion"),
},
}
awsSessionConfig := s3Manager.getSessionConfig()
assert.NotNil(t, awsSessionConfig)
assert.Equal(t, s3Manager.Config.IAMRoleARN, awsSessionConfig.IAMRoleARN)
assert.Equal(t, s3Manager.Config.ExternalID, awsSessionConfig.ExternalID)
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Aren't these meaningful anymore? Are we introducing any other tests to verify that:

  1. what we are fixing is actually fixed
  2. no regression has been introduced in the meantime by these changes

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes s3Manager.getSessionConfig() is removed so I have added few more tests to test these functionalities.

@koladilip koladilip force-pushed the fix.s3_manager_populate_role_based_auth_flag branch from 9d5961c to 56182c0 Compare December 12, 2022 12:14
@koladilip koladilip changed the title fix: populate role based auth flag in s3 manager fix: unify session config creation for all aws destinations Dec 12, 2022
@koladilip koladilip changed the title fix: unify session config creation for all aws destinations fix: use same utils to create session config for all aws destinations Dec 12, 2022
@koladilip
Copy link
Contributor Author

koladilip commented Dec 12, 2022
edited
Loading

what are we fixing and what issue did this cause? ref

@atzoum
Since S3 manager was using different implementation, when we refactored Session config creation in awsutils, we forgot to update the S3 manager and it introduced the bug so unifying all of them to use same implementation should fix the bug.

@atzoum
Copy link
Contributor

atzoum commented Dec 12, 2022

what are we fixing and what issue did this cause? ref

@atzoum Since S3 manager was using different implementation, when we refactored Session config creation in awsutils, we forgot the S3 manager and it introduced the bug so unifying all of them to use same implementation should fix the bug.

What was the issue this bug caused? Can you please include it in the pull request's title?

@koladilip koladilip force-pushed the fix.s3_manager_populate_role_based_auth_flag branch from 56182c0 to 3ff22a0 Compare December 12, 2022 13:02
@koladilip koladilip changed the title fix: use same utils to create session config for all aws destinations fix: add support for role based auth flag to s3 manager Dec 12, 2022
@koladilip
Copy link
Contributor Author

koladilip commented Dec 12, 2022
edited
Loading

what are we fixing and what issue did this cause? ref

@atzoum Since S3 manager was using different implementation, when we refactored Session config creation in awsutils, we forgot the S3 manager and it introduced the bug so unifying all of them to use same implementation should fix the bug.

What was the issue this bug caused? Can you please include it in the pull request's title?

Updated the PR title, let me know if this explains the problem.

@atzoum
Copy link
Contributor

atzoum commented Dec 12, 2022

what are we fixing and what issue did this cause? ref

@atzoum Since S3 manager was using different implementation, when we refactored Session config creation in awsutils, we forgot the S3 manager and it introduced the bug so unifying all of them to use same implementation should fix the bug.

What was the issue this bug caused? Can you please include it in the pull request's title?

Updated the PR title, let me know if this explains the problem.

From the title I understand that this is not really a bug, but a new feature. Did we ever support role based auth flag in s3 manager?

@koladilip
Copy link
Contributor Author

what are we fixing and what issue did this cause? ref

@atzoum Since S3 manager was using different implementation, when we refactored Session config creation in awsutils, we forgot the S3 manager and it introduced the bug so unifying all of them to use same implementation should fix the bug.

What was the issue this bug caused? Can you please include it in the pull request's title?

Updated the PR title, let me know if this explains the problem.

From the title I understand that this is not really a bug, but a new feature. Did we ever support role based auth flag in s3 manager?

Actually this is bug as main aws session creator assumes that session config contain rolebased auth flag set properly but s3 manager didn't implement that functionality before so aws session creation is failing for s3 manage when roles are used.

@atzoum
Copy link
Contributor

atzoum commented Dec 12, 2022
edited by koladilip
Loading

what are we fixing and what issue did this cause? ref

@atzoum Since S3 manager was using different implementation, when we refactored Session config creation in awsutils, we forgot the S3 manager and it introduced the bug so unifying all of them to use same implementation should fix the bug.

What was the issue this bug caused? Can you please include it in the pull request's title?

Updated the PR title, let me know if this explains the problem.

From the title I understand that this is not really a bug, but a new feature. Did we ever support role based auth flag in s3 manager?

Actually this is bug as main aws session creator assumes that session config contain rolebased auth flag set properly but s3 manager didn't implement that functionality before so aws session creation is failing for s3 manage when roles are used.

This should be the PR title then?
fix: aws session creation is failing for s3 manager when roles are used

@koladilip koladilip changed the title fix: add support for role based auth flag to s3 manager fix: aws session creation is failing for s3 manager when roles are used Dec 12, 2022
@koladilip
Copy link
Contributor Author

what are we fixing and what issue did this cause? ref

@atzoum Since S3 manager was using different implementation, when we refactored Session config creation in awsutils, we forgot the S3 manager and it introduced the bug so unifying all of them to use same implementation should fix the bug.

What was the issue this bug caused? Can you please include it in the pull request's title?

Updated the PR title, let me know if this explains the problem.

From the title I understand that this is not really a bug, but a new feature. Did we ever support role based auth flag in s3 manager?

Actually this is bug as main aws session creator assumes that session config contain rolebased auth flag set properly but s3 manager didn't implement that functionality before so aws session creation is failing for s3 manage when roles are used.

This should be the PR title then? fix: aws session creation is failing for s3 manager when roles are used

Updated.

@sundernagesh18
Copy link

Tested the latest AWS FTR changes on the S3 datalake and the changes are working fine.

@koladilip
fix: aws session creation is failing for s3 manager when roles are used
2bda02d 
Redshift to use awsSession.Config.Credentials.Get() when roles
are used to get temporary credentials instead of sts.GetSessionToken.

Unify AWS session config creation process so that it is consistent
across all AWS destinations. Earlier S3 has slightly different process
to create SessionConfing so when updated the session config creation in
aws utils to support RoleBasedAuth flag, it got missed for S3 manager
as it was using different implementation so this unification should
prevent such errors in the future.
@koladilip koladilip force-pushed the fix.s3_manager_populate_role_based_auth_flag branch from 3ff22a0 to 2bda02d Compare December 13, 2022 13:32
@achettyiitr achettyiitr merged commit 1534d64 into release/1.4.x Dec 13, 2022
@achettyiitr achettyiitr deleted the fix.s3_manager_populate_role_based_auth_flag branch December 13, 2022 16:17
@rudder-server-bot rudder-server-bot mentioned this pull request Dec 13, 2022
Merged
@koladilip koladilip restored the fix.s3_manager_populate_role_based_auth_flag branch December 13, 2022 16:22
@koladilip koladilip mentioned this pull request Dec 13, 2022
Closed
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@atzoum atzoum atzoum left review comments

@sachin-chand-tc sachin-chand-tc sachin-chand-tc approved these changes

@achettyiitr achettyiitr achettyiitr approved these changes

@saikumarrs saikumarrs saikumarrs approved these changes

@krishna2020 krishna2020 Awaiting requested review from krishna2020

@chandumlg chandumlg Awaiting requested review from chandumlg

@BonapartePC BonapartePC Awaiting requested review from BonapartePC

Assignees
No one assigned
Labels
warehouse-team with tests
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@koladilip @atzoum @sundernagesh18 @sachin-chand-tc @achettyiitr @saikumarrs