Module: Miasma::Contrib::AwsApiCore::ApiCommon
- Included in:
- Miasma::Contrib::Aws::Api::Iam, Miasma::Contrib::Aws::Api::Sts, Models::AutoScale::Aws, Models::Compute::Aws, Models::LoadBalancer::Aws, Models::Orchestration::Aws, Models::Storage::Aws
- Defined in:
- lib/miasma/contrib/aws.rb
Overview
Common API setup
Class Method Summary collapse
Instance Method Summary collapse
-
#after_setup(creds) ⇒ TrueClass
Persist any underlying stored credential data that is not a defined attribute (things like STS information).
-
#api_for(type) ⇒ Api
Build new API for specified type using current provider / creds.
-
#connect ⇒ Object
Setup for API connections.
-
#connection ⇒ HTTP
Connection for requests (forces headers).
-
#custom_setup(creds) ⇒ TrueClass
Provide custom setup functionality to support alternative credential loading.
-
#endpoint ⇒ String
Endpoint for request.
-
#extract_creds(data) ⇒ Hash
Return hash with needed information to assume role.
-
#get_credential(key, data_hash = nil) ⇒ Object
Return correct credential value based on STS context.
-
#get_region ⇒ String
Return region from meta-data service.
-
#load_aws_file(file_path) ⇒ Smash
Load configuration from the AWS configuration file.
-
#load_ecs_credentials!(creds) ⇒ TrueClass
Attempt to load credentials from instance metadata.
-
#load_instance_credentials!(creds) ⇒ TrueClass
Attempt to load credentials from instance metadata.
-
#make_request(connection, http_method, request_args) ⇒ HTTP::Response
Override to inject signature.
-
#perform_request_retry(exception) ⇒ TrueClass, FalseClass
Determine if a retry is allowed based on exception.
-
#retryable_allowed?(*_) ⇒ TrueClass
Always allow retry.
- #signer ⇒ Contrib::AwsApiCore::SignatureV4
-
#sts_assume_role!(creds) ⇒ TrueClass
Assume requested role and replace key id and secret.
- #sts_assume_role_update_required?(args = {}) ⇒ TrueClass, FalseClass
-
#sts_attribute_update_required?(key, expiry_key, args = {}) ⇒ TrueClass, FalseClass
Check if STS attribute requires update.
- #sts_mfa_session!(creds) ⇒ Object
- #sts_mfa_session_update_required?(args = {}) ⇒ TrueClass, FalseClass
-
#update_request(con, opts) ⇒ TrueClass
Simple callback to allow request option adjustments prior to signature calculation.
-
#uri_escape(string) ⇒ String
Custom escape for aws compat.
Class Method Details
.included(klass) ⇒ Object
344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 |
# File 'lib/miasma/contrib/aws.rb', line 344 def self.included(klass) klass.class_eval do attribute :aws_profile_name, [FalseClass, String], :default => ENV.fetch("AWS_PROFILE", "default") attribute :aws_sts_token, String attribute :aws_sts_role_arn, String attribute :aws_sts_external_id, String attribute :aws_sts_role_session_name, String attribute :aws_sts_region, String attribute :aws_sts_host, String attribute :aws_sts_session_token, String attribute :aws_sts_session_token_code, [String, Proc, Method] attribute :aws_sts_mfa_serial_number, [String] attribute :aws_credentials_file, String, :required => true, :default => ENV.fetch("AWS_SHARED_CREDENTIALS_FILE", File.join(Dir.home, ".aws/credentials")) attribute :aws_config_file, String, :required => true, :default => ENV.fetch("AWS_CONFIG_FILE", File.join(Dir.home, ".aws/config")) attribute :aws_access_key_id, String, :required => true, :default => ENV["AWS_ACCESS_KEY_ID"] attribute :aws_secret_access_key, String, :required => true, :default => ENV["AWS_SECRET_ACCESS_KEY"] attribute :aws_iam_instance_profile, [TrueClass, FalseClass], :default => false attribute :aws_ecs_task_profile, [TrueClass, FalseClass], :default => false attribute :aws_region, String, :required => true, :default => ENV["AWS_DEFAULT_REGION"] attribute :aws_host, String attribute :aws_bucket_region, String attribute :api_endpoint, String, :required => true, :default => "amazonaws.com" attribute :euca_compat, Symbol, :allowed_values => [:path, :dns], :coerce => lambda { |v| v.is_a?(String) ? v.to_sym : v } attribute :euca_dns_map, Smash, :coerce => lambda { |v| v.to_smash }, :default => Smash.new attribute :ssl_enabled, [TrueClass, FalseClass], :default => true end # AWS config file key remapping klass.const_set(:CONFIG_FILE_REMAP, Smash.new( "region" => "aws_region", "role_arn" => "aws_sts_role_arn", "aws_security_token" => "aws_sts_token", "aws_session_token" => "aws_sts_session_token", ).to_smash.freeze) klass.const_set(:INSTANCE_PROFILE_HOST, "http://169.254.169.254".freeze) klass.const_set( :INSTANCE_PROFILE_PATH, "latest/meta-data/iam/security-credentials".freeze ) klass.const_set( :INSTANCE_PROFILE_AZ_PATH, "latest/meta-data/placement/availability-zone".freeze ) klass.const_set(:ECS_TASK_PROFILE_HOST, "http://169.254.170.2".freeze) klass.const_set( :ECS_TASK_PROFILE_PATH, ENV["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"] ) # Reload sts tokens if expiry is within the next 10 minutes klass.const_set(:STS_TOKEN_EXPIRY_BUFFER, 600) end |
Instance Method Details
#after_setup(creds) ⇒ TrueClass
Persist any underlying stored credential data that is not a defined attribute (things like STS information)
477 478 479 480 481 482 483 484 485 |
# File 'lib/miasma/contrib/aws.rb', line 477 def after_setup(creds) skip = self.class.attributes.keys.map(&:to_s) creds.each do |k, v| k = k.to_s if k.start_with?("aws_") && !skip.include?(k) data[k] = v end end end |
#api_for(type) ⇒ Api
Build new API for specified type using current provider / creds
406 407 408 409 410 411 412 413 414 415 416 417 418 |
# File 'lib/miasma/contrib/aws.rb', line 406 def api_for(type) memoize(type) do creds = attributes.dup creds.delete(:aws_host) Miasma.api( Smash.new( :type => type, :provider => provider, :credentials => creds, ) ) end end |
#connect ⇒ Object
Setup for API connections
683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 |
# File 'lib/miasma/contrib/aws.rb', line 683 def connect unless aws_host if euca_compat service_name = (self.class.const_defined?(:EUCA_API_SERVICE) ? self.class::EUCA_API_SERVICE : self.class::API_SERVICE) else service_name = self.class::API_SERVICE.downcase end if euca_compat == :path self.aws_host = [ api_endpoint, "services", service_name, ].join("/") elsif euca_compat == :dns && euca_dns_map[service_name] self.aws_host = [ euca_dns_map[service_name], api_endpoint, ].join(".") else self.aws_host = [ service_name, aws_region, api_endpoint, ].join(".") end end end |
#connection ⇒ HTTP
Returns connection for requests (forces headers).
744 745 746 747 748 749 |
# File 'lib/miasma/contrib/aws.rb', line 744 def connection super.headers( "Host" => aws_host, "X-Amz-Date" => Contrib::AwsApiCore.time_iso8601, ) end |
#custom_setup(creds) ⇒ TrueClass
Provide custom setup functionality to support alternative credential loading.
425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 |
# File 'lib/miasma/contrib/aws.rb', line 425 def custom_setup(creds) cred_file = load_aws_file(creds.fetch( :aws_credentials_file, aws_credentials_file )) config_file = load_aws_file(creds.fetch( :aws_config_file, aws_config_file )) # Load any configuration available from the config file profile = creds.fetch(:aws_profile_name, aws_profile_name) profile_list = [profile].compact new_config_creds = Smash.new while profile new_config_creds = config_file.fetch(profile, Smash.new).merge( new_config_creds ) profile = new_config_creds.delete(:source_profile) profile_list << profile end new_config_creds = config_file.fetch(:default, Smash.new).merge( new_config_creds ) # Load any configuration available from the creds file new_creds = Smash.new profile_list.each do |profile| new_creds = cred_file.fetch(profile, Smash.new).merge( new_creds ) profile = new_creds.delete(:source_profile) end new_creds = cred_file.fetch(:default, Smash.new).merge( new_creds ) new_creds = new_creds.merge(new_config_creds) # Provided credentials override any config file or creds # file configuration so set them into new creds if available new_creds.merge!(creds) # Replace creds hash with updated hash so it is loaded with # updated values creds.replace(new_creds) if creds[:aws_iam_instance_profile] self.class.const_get(:ECS_TASK_PROFILE_PATH).nil? ? load_instance_credentials!(creds) : load_ecs_credentials!(creds) end true end |
#endpoint ⇒ String
Returns endpoint for request.
752 753 754 |
# File 'lib/miasma/contrib/aws.rb', line 752 def endpoint "http#{"s" if ssl_enabled}://#{aws_host}" end |
#extract_creds(data) ⇒ Hash
Return hash with needed information to assume role
553 554 555 556 557 558 559 560 561 |
# File 'lib/miasma/contrib/aws.rb', line 553 def extract_creds(data) c = Smash.new c[:aws_access_key_id] = data["AccessKeyId"] c[:aws_secret_access_key] = data["SecretAccessKey"] c[:aws_sts_token] = data["Token"] c[:aws_sts_token_expires] = Time.xmlschema(data["Expiration"]) c[:aws_sts_role_arn] = data["RoleArn"] # used in ECS Role but not instance role c end |
#get_credential(key, data_hash = nil) ⇒ Object
Return correct credential value based on STS context
727 728 729 730 731 732 733 734 735 736 |
# File 'lib/miasma/contrib/aws.rb', line 727 def get_credential(key, data_hash = nil) data_hash = attributes if data_hash.nil? if data_hash[:aws_sts_token] data_hash.fetch("aws_sts_#{key}", data_hash["aws_#{key}"]) elsif data_hash[:aws_sts_session_token] data_hash.fetch("aws_sts_session_#{key}", data_hash["aws_#{key}"]) else data_hash["aws_#{key}"] end end |
#get_region ⇒ String
Return region from meta-data service
566 567 568 569 570 571 572 573 574 575 |
# File 'lib/miasma/contrib/aws.rb', line 566 def get_region az = HTTP.get( [ self.class.const_get(:INSTANCE_PROFILE_HOST), self.class.const_get(:INSTANCE_PROFILE_AZ_PATH), ].join("/") ).body.to_s.strip az.sub!(/[a-zA-Z]+$/, "") az end |
#load_aws_file(file_path) ⇒ Smash
Load configuration from the AWS configuration file
631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 |
# File 'lib/miasma/contrib/aws.rb', line 631 def load_aws_file(file_path) if File.exist?(file_path) Smash.new.tap do |creds| key = :default File.readlines(file_path).each_with_index do |line, idx| line.strip! next if line.empty? || line.start_with?("#") if line.start_with?("[") unless line.end_with?("]") raise ArgumentError.new( "Failed to parse aws file! (#{file_path} line #{idx + 1})" ) end key = line.tr("[]", "").strip.sub(/^profile /, "") creds[key] = Smash.new else unless key raise ArgumentError.new( "Failed to parse aws file! (#{file_path} line #{idx + 1}) " \ "- No section defined!" ) end line_args = line.split("=", 2).map(&:strip) line_args.first.replace( self.class.const_get(:CONFIG_FILE_REMAP).fetch( line_args.first, line_args.first ) ) if line_args.last.start_with?('"') unless line_args.last.end_with?('"') raise ArgumentError.new( "Failed to parse aws file! (#{file_path} line #{idx + 1})" ) end line_args.last.replace(line_args.last[1..-2]) # NOTE: strip quoted values end begin creds[key].merge!(Smash[*line_args]) rescue => e raise ArgumentError.new( "Failed to parse aws file! (#{file_path} line #{idx + 1})" ) end end end end else Smash.new end end |
#load_ecs_credentials!(creds) ⇒ TrueClass
Attempt to load credentials from instance metadata
524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 |
# File 'lib/miasma/contrib/aws.rb', line 524 def load_ecs_credentials!(creds) # As per docs ECS_TASK_PROFILE_PATH is defined as # /credential_provider_version/credentials?id=task_UUID # where AWS fills in the version and UUID. # @see https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html data = HTTP.get( [ self.class.const_get(:ECS_TASK_PROFILE_HOST), self.class.const_get(:ECS_TASK_PROFILE_PATH), ].join ).body unless data.is_a?(Hash) begin data = MultiJson.load(data.to_s) rescue MultiJson::ParseError data = {} end end creds.merge!(extract_creds(data)) unless creds[:aws_region] creds[:aws_region] = get_region end true end |
#load_instance_credentials!(creds) ⇒ TrueClass
Attempt to load credentials from instance metadata
491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 |
# File 'lib/miasma/contrib/aws.rb', line 491 def load_instance_credentials!(creds) role = HTTP.get( [ self.class.const_get(:INSTANCE_PROFILE_HOST), self.class.const_get(:INSTANCE_PROFILE_PATH), "", ].join("/") ).body.to_s.strip data = HTTP.get( [ self.class.const_get(:INSTANCE_PROFILE_HOST), self.class.const_get(:INSTANCE_PROFILE_PATH), role, ].join("/") ).body unless data.is_a?(Hash) begin data = MultiJson.load(data.to_s) rescue MultiJson::ParseError data = {} end end creds.merge!(extract_creds(data)) unless creds[:aws_region] creds[:aws_region] = get_region end true end |
#make_request(connection, http_method, request_args) ⇒ HTTP::Response
Override to inject signature
762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 |
# File 'lib/miasma/contrib/aws.rb', line 762 def make_request(connection, http_method, request_args) dest, = request_args path = URI.parse(dest).path = ? .to_smash : Smash.new [:headers] = Smash[connection..headers.to_a]. merge(.fetch(:headers, Smash.new)) if self.class::API_VERSION if [:form] .set(:form, "Version", self.class::API_VERSION) else [:params] = .fetch( :params, Smash.new ).to_smash.deep_merge( Smash.new( "Version" => self.class::API_VERSION, ) ) end end if aws_sts_session_token || aws_sts_session_token_code if sts_mfa_session_update_required? sts_mfa_session!(data) end .set(:headers, "X-Amz-Security-Token", aws_sts_session_token) end if aws_sts_token || aws_sts_role_arn if sts_assume_role_update_required? sts_assume_role!(data) end .set(:headers, "X-Amz-Security-Token", aws_sts_token) end signature = signer.generate(http_method, path, ) update_request(connection, ) = Hash[.map { |k, v| [k.to_sym, v] }] connection.auth(signature).send(http_method, dest, ) end |
#perform_request_retry(exception) ⇒ TrueClass, FalseClass
Determine if a retry is allowed based on exception
841 842 843 844 845 846 847 848 849 850 851 852 853 |
# File 'lib/miasma/contrib/aws.rb', line 841 def perform_request_retry(exception) if exception.is_a?(Miasma::Error::ApiError) if [400, 500, 503].include?(exception.response.code) if exception.response.code == 400 exception.response.body.to_s.downcase.include?("throttl") else true end else false end end end |
#retryable_allowed?(*_) ⇒ TrueClass
Always allow retry
858 859 860 |
# File 'lib/miasma/contrib/aws.rb', line 858 def retryable_allowed?(*_) true end |
#signer ⇒ Contrib::AwsApiCore::SignatureV4
714 715 716 717 718 719 720 721 |
# File 'lib/miasma/contrib/aws.rb', line 714 def signer Contrib::AwsApiCore::SignatureV4.new( get_credential(:access_key_id), get_credential(:secret_access_key), aws_region, self.class::API_SERVICE ) end |
#sts_assume_role!(creds) ⇒ TrueClass
Assume requested role and replace key id and secret
604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 |
# File 'lib/miasma/contrib/aws.rb', line 604 def sts_assume_role!(creds) if sts_assume_role_update_required?(creds) sts = Miasma::Contrib::Aws::Api::Sts.new( :aws_access_key_id => get_credential(:access_key_id, creds), :aws_secret_access_key => get_credential(:secret_access_key, creds), :aws_region => creds.fetch(:aws_sts_region, "us-east-1"), :aws_credentials_file => creds.fetch( :aws_credentials_file, aws_credentials_file ), :aws_config_file => creds.fetch(:aws_config_file, aws_config_file), :aws_host => creds[:aws_sts_host], :aws_sts_token => creds[:aws_sts_session_token], ) role_info = sts.assume_role( creds[:aws_sts_role_arn], :session_name => creds[:aws_sts_role_session_name], :external_id => creds[:aws_sts_external_id], ) creds.merge!(role_info) end true end |
#sts_assume_role_update_required?(args = {}) ⇒ TrueClass, FalseClass
update check only applied if assuming role
801 802 803 804 |
# File 'lib/miasma/contrib/aws.rb', line 801 def sts_assume_role_update_required?(args = {}) sts_attribute_update_required?(:aws_sts_role_arn, :aws_sts_token_expires, args) end |
#sts_attribute_update_required?(key, expiry_key, args = {}) ⇒ TrueClass, FalseClass
Check if STS attribute requires update
819 820 821 822 823 824 825 826 |
# File 'lib/miasma/contrib/aws.rb', line 819 def sts_attribute_update_required?(key, expiry_key, args = {}) if args.fetch(key, attributes[key]) expiry = args.fetch(expiry_key, attributes[expiry_key]) expiry.nil? || expiry - self.class.const_get(:STS_TOKEN_EXPIRY_BUFFER) <= Time.now else false end end |
#sts_mfa_session!(creds) ⇒ Object
577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 |
# File 'lib/miasma/contrib/aws.rb', line 577 def sts_mfa_session!(creds) if sts_mfa_session_update_required?(creds) sts = Miasma::Contrib::Aws::Api::Sts.new( :aws_access_key_id => creds[:aws_access_key_id], :aws_secret_access_key => creds[:aws_secret_access_key], :aws_region => creds.fetch(:aws_sts_region, "us-east-1"), :aws_credentials_file => creds.fetch( :aws_credentials_file, aws_credentials_file ), :aws_config_file => creds.fetch(:aws_config_file, aws_config_file), :aws_profile_name => creds[:aws_profile_name], :aws_host => creds[:aws_sts_host], ) creds.merge!( sts.mfa_session( creds[:aws_sts_session_token_code], :mfa_serial => creds[:aws_sts_mfa_serial_number], ) ) end true end |
#sts_mfa_session_update_required?(args = {}) ⇒ TrueClass, FalseClass
update check only applied if assuming role
808 809 810 811 |
# File 'lib/miasma/contrib/aws.rb', line 808 def sts_mfa_session_update_required?(args = {}) sts_attribute_update_required?(:aws_sts_session_token_code, :aws_sts_session_token_expires, args) end |
#update_request(con, opts) ⇒ TrueClass
Simple callback to allow request option adjustments prior to signature calculation
833 834 835 |
# File 'lib/miasma/contrib/aws.rb', line 833 def update_request(con, opts) true end |
#uri_escape(string) ⇒ String
Returns custom escape for aws compat.
739 740 741 |
# File 'lib/miasma/contrib/aws.rb', line 739 def uri_escape(string) signer.safe_escape(string) end |