
Commit 7d41c19

binmahonekyligence-git
authored andcommitted
support assume role (bug fix included) (ClickHouse#449)
(cherry picked from commit e7061da)
1 parent 953e3c9 commit 7d41c19

3 files changed

+39
-2
lines changed


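--- a/contrib/aws-cmake/CMakeLists.txt
+++ b/contrib/aws-cmake/CMakeLists.txt
@@ -53,6 +53,9 @@ endif()
 # Directories.
 SET(AWS_SDK_DIR "${ClickHouse_SOURCE_DIR}/contrib/aws")
 SET(AWS_SDK_CORE_DIR "${AWS_SDK_DIR}/src/aws-cpp-sdk-core")
+SET(AWS_SDK_IM_DIR "${AWS_SDK_DIR}/src/aws-cpp-sdk-identity-management")
+SET(AWS_SDK_STS_DIR "${AWS_SDK_DIR}/generated/src/aws-cpp-sdk-sts")
+SET(AWS_SDK_COGNITO_IDENTITY_DIR "${AWS_SDK_DIR}/generated/src/aws-cpp-sdk-cognito-identity")
 SET(AWS_SDK_S3_DIR "${AWS_SDK_DIR}/generated/src/aws-cpp-sdk-s3")
 
 SET(AWS_AUTH_DIR "${ClickHouse_SOURCE_DIR}/contrib/aws-c-auth")
@@ -103,6 +106,9 @@ file(GLOB AWS_SDK_CORE_SRC
 "${AWS_SDK_CORE_DIR}/source/utils/xml/*.cpp"
 )
 
+file(GLOB AWS_SDK_IM_SRC
+"${AWS_SDK_IM_DIR}/source/auth/*.cpp")
+
 if(OS_LINUX OR OS_DARWIN)
 file(GLOB AWS_SDK_CORE_NET_SRC "${AWS_SDK_CORE_DIR}/source/net/linux-shared/*.cpp")
 file(GLOB AWS_SDK_CORE_PLATFORM_SRC "${AWS_SDK_CORE_DIR}/source/platform/linux-shared/*.cpp")
@@ -119,13 +125,23 @@ list(APPEND AWS_PUBLIC_COMPILE_DEFS "-DAWS_SDK_VERSION_MAJOR=1")
 list(APPEND AWS_PUBLIC_COMPILE_DEFS "-DAWS_SDK_VERSION_MINOR=10")
 list(APPEND AWS_PUBLIC_COMPILE_DEFS "-DAWS_SDK_VERSION_PATCH=36")
 
-list(APPEND AWS_SOURCES ${AWS_SDK_CORE_SRC} ${AWS_SDK_CORE_NET_SRC} ${AWS_SDK_CORE_PLATFORM_SRC})
+list(APPEND AWS_SOURCES ${AWS_SDK_CORE_SRC} ${AWS_SDK_IM_SRC} ${AWS_SDK_CORE_NET_SRC} ${AWS_SDK_CORE_PLATFORM_SRC})
 
 list(APPEND AWS_PUBLIC_INCLUDES
 "${AWS_SDK_CORE_DIR}/include/"
+"${AWS_SDK_IM_DIR}/include/"
 "${CMAKE_CURRENT_BINARY_DIR}/include"
 )
 
+# aws-cpp-sdk-sts
+file(GLOB AWS_SDK_STS_SRC
+"${AWS_SDK_STS_DIR}/source/*.cpp"
+"${AWS_SDK_STS_DIR}/source/model/*.cpp"
+)
+
+list(APPEND AWS_SOURCES ${AWS_SDK_STS_SRC})
+list(APPEND AWS_PUBLIC_INCLUDES "${AWS_SDK_STS_DIR}/include/")
+list(APPEND AWS_PUBLIC_INCLUDES "${AWS_SDK_COGNITO_IDENTITY_DIR}/include/")
 
 # aws-cpp-sdk-s3
 file(GLOB AWS_SDK_S3_SRC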
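Review bot: `AWS_SDK_COGNITO_IDENTITY_DIR` is added to the include list at new line 144 but no cognito-identity sources are globbed, and nothing says why; a comment such as `# headers only: included by aws-cpp-sdk-identity-management, no sources needed` (if that is indeed the reason) would save the next reader from looking for a missing source list. The `AWS_SDK_IM_SRC` glob at new line 109 covers only `source/auth/*.cpp`; if identity-management has other source directories that are intentionally left out, a one-line comment there would make that deliberate rather than accidental.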

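--- a/src/IO/S3/Client.cpp
+++ b/src/IO/S3/Client.cpp
@@ -12,6 +12,8 @@
 #include <aws/core/endpoint/EndpointParameter.h>
 #include <aws/core/utils/HashingUtils.h>
 #include <aws/core/utils/logging/ErrorMacros.h>
+#include <aws/sts/STSClient.h>
+#include <aws/identity-management/auth/STSAssumeRoleCredentialsProvider.h>
 
 #include <Poco/Net/NetException.h>
 
@@ -885,11 +887,25 @@ std::unique_ptr<S3::Client> ClientFactory::create( // NOLINT
 client_configuration.extra_headers = std::move(headers);
 
 Aws::Auth::AWSCredentials credentials(access_key_id, secret_access_key, session_token);
-auto credentials_provider = std::make_shared<S3CredentialsProviderChain>(
+std::shared_ptr<Aws::Auth::AWSCredentialsProvider> credentials_provider = std::make_shared<S3CredentialsProviderChain>(
 client_configuration,
 std::move(credentials),
 credentials_configuration);
 
+if (!credentials_configuration.role_arn.empty())
+{
+// why set to empty? because client_configuration's endpointOverride is pointed to a s3 endpoint, whereas we
+// expect are going to visit a sts endpoint.
+client_configuration.endpointOverride = "";
+const auto x = std::make_shared<Aws::STS::STSClient>(credentials_provider, client_configuration);
+credentials_provider = std::make_shared<Aws::Auth::STSAssumeRoleCredentialsProvider>(
+credentials_configuration.role_arn,
+credentials_configuration.session_name,
+credentials_configuration.external_id,
+Aws::Auth::DEFAULT_CREDS_LOAD_FREQ_SECONDS,
+x);
+}
+
 client_configuration.retryStrategy = std::make_shared<Client::RetryStrategy>(client_configuration.s3_retry_attempts);
 
 return Client::create(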
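Review bot: `client_configuration.endpointOverride = "";` at new line 899 mutates the same configuration object that is still used after the block, so whenever a role_arn is set the S3 client built by the `Client::create(` call at the end of the hunk presumably also loses its endpoint override, which is not what the comment above it intends. Clearing the override on a copy used only for the STS client keeps the S3 endpoint intact: `auto sts_configuration = client_configuration;` / `sts_configuration.endpointOverride = "";` / `const auto sts_client = std::make_shared<Aws::STS::STSClient>(credentials_provider, sts_configuration);`, and then `sts_client` is passed to the provider in place of `x`. The single-letter name `x` should become `sts_client` regardless of the fix. Since the STS client inherits every other setting of the S3 configuration (scheme, TLS verification), those are worth a deliberate look, because the temporary credentials returned by AssumeRole travel over that connection. The enclosing ClientFactory::create body begins and ends outside the hunk, so whether `Client::create` receives `client_configuration` cannot be confirmed from here.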

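--- a/src/IO/S3/Credentials.h
+++ b/src/IO/S3/Credentials.h
@@ -176,6 +176,11 @@ struct CredentialsConfiguration
 bool use_insecure_imds_request = false;
 uint64_t expiration_window_seconds = DEFAULT_EXPIRATION_WINDOW_SECONDS;
 bool no_sign_request = false;
+
+// STS Assume Role related
+std::string role_arn = "";
+std::string session_name = "";
+std::string external_id = "";
 };
 
 class S3CredentialsProviderChain : public Aws::Auth::AWSCredentialsProviderChain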
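Review bot: The new fields `role_arn`, `session_name` and `external_id` carry only the comment `// STS Assume Role related`, which does not tell a reader how they are used; the Client.cpp change in this commit branches on `role_arn.empty()`, so the comment should say so, e.g. `// STS AssumeRole: an empty role_arn disables it; external_id is only needed when the role's trust policy requires one`. The `= ""` initialisers are redundant for std::string, which is already empty when default-constructed; `std::string role_arn;` is the conventional form. The enclosing struct CredentialsConfiguration starts outside the hunk.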
