[AWS] Use credentials and config from AWS SDK file

[aitorarjona]

Fix for #1107

This pull request adds functionality to retrieve AWS SDK config and credentials from the standard config file (~/.aws/config and ~/.aws/credentials) or env vars (more info).

Consequently, it deprecates using aws_access_key_id and aws_secret_access_key in aws Lithops config section.

This approach is not only more secure, as we avoid sending secrets to the runtime via payload, but also we support users with SSO-based accounts, which will need configure a profile in their ~/.aws/config file and retrieve their session credentials dynamically. E.g.:

[profile my-sso-profile]
sso_start_url = https://XXXXXXXX.awsapps.com/start
sso_region = us-east-1
sso_account_id = XXXXXXXXXXX
sso_role_name = XXXXXXXXXXXXXXXXX
region = us-east-1

Summary:

• Added new parameter in AWS config: config_profile.

Developer's Certificate of Origin 1.1

   By making a contribution to this project, I certify that:

   (a) The contribution was created in whole or in part by me and I
       have the right to submit it under the Apache License 2.0; or

   (b) The contribution is based upon previous work that, to the best
       of my knowledge, is covered under an appropriate open source
       license and I have the right under that license to submit that
       work with modifications, whether created in whole or in part
       by me, under the same open source license (unless I am
       permitted to submit under a different license), as indicated
       in the file; or

   (c) The contribution was provided directly to me by some other
       person who certified (a), (b) or (c) and I have not modified
       it.

   (d) I understand and agree that this project and the contribution
       are public and that a record of the contribution (including all
       personal information I submit with it, including my sign-off) is
       maintained indefinitely and may be redistributed consistent with
       this project or the open source license(s) involved.

[aitorarjona]

@JosepSampe please don't merge yet

[aitorarjona]

@JosepSampe ready for review and merge

[JosepSampe]

Is there any particular reason to, instead of copying the aws keys inside aws_lambda, create another level of configuration inside aws_lambda and put aws section inside aws_lambda section? I think this new approach will breake a functionality explained below.

[aitorarjona]

Yes, the idea was to remove the "aws" section altogether when clients are created. Reverted

[JosepSampe]

Is there any particular reason to deprecate access_key_id secret_access_key? IMO we should keep it as an option

[aitorarjona]

Removed the deprecation notice but kept the warning

[JosepSampe]

If I remember correctly, this line is necessary for accessing public buckets when no s3 config is provided in the lithops config

[aitorarjona]

For now I will keep the default client as is, so that it can get credentials from the AWS role in the lambda runtime. If any user needs unsigned requests, it should explicitly create an s3 client or specify it in the s3 config

[JosepSampe]

We have an app that is analyzing an AWS S3 public bucket, where the client is automatically created by lithops because we put in iterdata a bucket address, like in this example but for AWS S3, so we should find a way to keep this unsigned flag in the case that a user does not have credentials at all in his machine. If the user has credentials in his machine, the unsigned flag is not necessary.

[JosepSampe]

Previously, these lines where used to propagate the region from the aws_lambda section to the aws section, and later to aws_s3, in that case where someone puts a region in aws_lambda, but not inaws and aws_s3, this way the s3 backend would use the same region as the lambda backend. I think this new approach will break this propagation.

[aitorarjona]

Hi Josep, now I understand... I'll add some comments to the code to explain this. What I was thinking is that all AWS configuration should be inherited from the standard AWS SDK ways, but I understand that is also important to enforce users deploy lambdas and buckets in the same region to avoid data transfer costs. In this case, the safest option is require to specifiy the "region" parameter the "aws" section, regardless of the AWS SDK config, and not have it repeated in "aws_s3" or "aws_lambda"?

[JosepSampe]

I tested these particular lines, and in my case the caller_id["UserId"] does not contain :, so it fails. My UserID looks like: {'UserId': 'XIPOZEKLFKWLQSXXX7587', ...}

[aitorarjona]

Fixed

[JosepSampe]

Same comments as in the lambda backend

[JosepSampe]

Same comments as in the lambda backend

[JosepSampe]

The reason of this roundtrip is to make sure that the most specific config is always applied. For example, if you set region both in aws and aws_lamda, the aws_lamda region must be applied. I don't know if there is a better way to make sure the most specific config is applied and not overwritten by the .update(), but by commenting those 2 lines, if you have a region set in your aws section of the config, for example us-east1, and then you do this in your code: fexec = lithops.FunctionExecutor(region="eu-west2"), the us-east1 region will always overwrite the region you explicitly set in the function executor.

[JosepSampe]

We have an app that is analyzing an AWS S3 public bucket, where the client is automatically created by lithops because we put in iterdata a bucket address, like in this example but for AWS S3, so we should find a way to keep this unsigned flag in the case that a user does not have credentials at all in his machine. If the user has credentials in his machine, the unsigned flag is not necessary.

[aitorarjona]

@JosepSampe Hi Josep, all requests have been implemented. Please we should need this merged ASAP, we switched to an SSO-based account and the current implementation in main does not work well (and also to be ready for the next release #1137 ). Thanks!

[JosepSampe]

What if region is set using options 1 (~/.aws/config) or 2 (env var)? Or is region mandatory in any case in the lithops config like in the documentation?

lithops:
    backend: aws_lambda

aws_lambda:
    execution_role: <EXECUTION_ROLE_ARN>
    region: <REGION_NAME>

[aitorarjona]

Yes, I think we still need the region name for this or this. In any case, the region from the Lithops config would override the region stated in the aws config.

[JosepSampe]

No need for any warning for now. We still have to decide whether we want to deprecate it or not

[JosepSampe]

I can't add comments in unmodifed code, but:
In lines 42-43: if in options 1 and 2 region is not mandatory, this should be fixed.
Now lithops supports the automatic creation of the storage bucket if it is not provided in the config. So lines 45-48 should be fixed.

[aitorarjona]

Now lithops supports the automatic creation of the storage bucket if it is not provided in the config. So lines 45-48 should be fixed.

Not sure how to proceed with this... With the SSO approach, we don't have a "fixed" key or ID to read from, contrary to the key pair approach.

[JosepSampe]

Is the S3 instance shared between all the users in the SSO approach?
Or each SSO user has its own instance ?
Or the same insytance but s/he can only see his own buckets?

I wonder if we can simply use the config_profile name (or a hash of it) for the bucket name

[aitorarjona]

Multiple SSO users can access to a same account and share buckets, but each one will have a different profile name. Yes, using config profile is viable 👍

[JosepSampe]

No need for any warning for now. We still have to decide whether we want to deprecate it or not

[JosepSampe]

No need for any warning for now. We still have to decide whether we want to deprecate it or not

[JosepSampe]

Is the execution_role mandatory in aws_lambda? if yes I would update this .md file and include it in all the parts where you put some lithops config example, to make it clearer. Is region mandatory in all the cases? I think this lithops config example is confusing here. I would remove it and put the config example in the next section, when necessary, with all the necessary parameters.

[aitorarjona]

Yes, execution_role is mandatory. The user must specify which services can the lambda access to. We could automate this, but the user should have IAM permissions like create role... We can leave like this for now

[JosepSampe]

Is it necessary/convenient here to remove the session_token too?
I think here you can simply pop the keys instead of checking one by one if they exists

payload["config"]["aws"].pop("access_key_id", None)
payload["config"]["aws"].pop("secret_access_key", None)
payload["config"]["aws"].pop("session_token", None)

[JosepSampe]

My last comments are about the 2 other AWS backend (Batch & EC2).

• Does the changes made here in the way to configure aws affect to those backends?
• Is it convenient to copy the changes made in the Lambda docs to the docs of Batch & EC2?
• In order to adapt the Batch & EC2 backends, is it as simple as copy the relevant code in the __init__ of the Lambda backend to the other 2 backends?

[JosepSampe]

Is the option of AWS_ACCESS_KEY_ID in the env missing here?

[JosepSampe]

How the ~/.aws/config looks like in this case? are the keys going into a default profile by defaut? or are the keys set in the file without a profile?

I mean, after calling aws configure, you get this:?

aws_access_key_id=XXXXXXXXX
aws_secret_access_key=XXXXXX

or something like this:?

[profile default]
aws_access_key_id=XXXXXXXXXXXXXXX
aws_secret_access_key=XXXXXXXXXXXXXXXX

[JosepSampe]

I wonder if in this case it makes sense to force the user to provide a profile_name with aws configure --profile my-unique-profile-name and then configure lithops like in the SSO approach, with:

lithops:
    backend: aws_lambda

aws:
    config_profile: my-unique-profile-name

aws_lambda:
    execution_role: <EXECUTION_ROLE_ARN>
    region: <REGION_NAME>

[JosepSampe]

Maybe in this option you can put a config example (and maybe remove AWS_DEFAULT_REGION?):

lithops:
    backend: aws_lambda

aws_lambda:
    execution_role: <EXECUTION_ROLE_ARN>
    region: <REGION_NAME>

[aitorarjona]

Closing for now, #1164 partially solves the issue described