Skip to content

Update SQL CLI to use AWS session token. #918

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
joshuali925 merged 2 commits into from
Oct 19, 2022
Merged

Update SQL CLI to use AWS session token. #918

joshuali925 merged 2 commits into from
Oct 19, 2022

Conversation

@Yury-Fridlyand
Copy link
Collaborator

@Yury-Fridlyand Yury-Fridlyand commented Oct 15, 2022

Signed-off-by: Yury-Fridlyand [email protected]

Description

How to test:

Prepare

1. Create a cluster in the cloud and configure AWS_SIGv4 authentication for it

2. Create authentication key pair - AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY - that is your permanent keys

3. Install AWSCLI:

sudo apt-get install awscli
or
brew install awscli
if this doesn't work, try
pip3 install --upgrade awscli

4. Configure it

awscli configure
or if you installed it using pip
python3 -m awscli configure
Enter your access key, secret key and region

5. Get the token

Run
awscli sts get-session-token
the output is like

{
    "Credentials": {
        "AccessKeyId": "...",
        "SecretAccessKey": "...",
        "SessionToken": "...",
        "Expiration": "2022-10-15T04:31:24Z"
    }
}

Record your temporary keys and session token.

6. Checkout my branch

7. Configure environment

Follow the guide https://github.com/opensearch-project/sql/blob/2.x/sql-cli/development_guide.md#development-environment-set-up

Test 1.

1. Check credentials

Ensure that ~/.aws/credentials contains default profile with your permanent keys, no session token yet there.

2. Run SQL CLI

opensearchsql --aws-auth https://<cluster>:443

Test 2.

1. Record your new credentials

Run
awscli configure
and enter your temporary access and secret keys, or edit ~/.aws/credentials manually, replace your permanent keys by temporary ones

2. Add session_token

Add line
aws_session_token = ...
to ~/.aws/credentials

3. Verify session token authentication

awscli es list-domain-names

4. Run SQL CLI

opensearchsql --aws-auth https://<cluster>:443

Test 3.

1. Unset credentials

Comment out (#) or delete all lines in ~/.aws/credentials or move/delete the file

2. Set credentials in env vars

run

export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...

with your permanent keys

3. Run SQL CLI

opensearchsql --aws-auth https://<cluster>:443

Test 4.

1. Unset credentials

Comment out (#) or delete all lines in ~/.aws/credentials or move/delete the file

2. Set credentials in env vars

run

export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=...

with your temporary keys and session token

3. Run SQL CLI

opensearchsql --aws-auth https://<cluster>:443

Notes

  1. In case if you have different credentials set in ~/.aws/credentials and in env vars, last one is used.
  2. default profile is used only.

Limitations

No option yet to specify profile, keys and token in command line. That is easy to add.

Issues Resolved

fixes #854

Check List

  • New functionality includes testing.
    • All tests pass, including unit test, integration test and doctest
  • New functionality has been documented.
    • New functionality has javadoc added
    • New functionality has user manual doc added
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@Yury-Fridlyand
Update SQL CLI to use AWS session token.
695fd52 
Signed-off-by: Yury-Fridlyand <[email protected]>
@Yury-Fridlyand
Typo fix.
5c9f976 
Signed-off-by: Yury-Fridlyand <[email protected]>
@Yury-Fridlyand Yury-Fridlyand requested a review from a team as a code owner October 15, 2022 02:03
@codecov-commenter
Copy link

codecov-commenter commented Oct 15, 2022
edited
Loading

Codecov Report

Merging #918 (5c9f976) into 2.x (b30d156) will decrease coverage by 2.80%.
The diff coverage is n/a.

@@             Coverage Diff              @@
##                2.x     #918      +/-   ##
============================================
- Coverage     97.90%   95.10%   -2.81%     
  Complexity     3072     3072              
============================================
  Files           293      303      +10     
  Lines          7588     8246     +658     
  Branches        490      609     +119     
============================================
+ Hits           7429     7842     +413     
- Misses          158      350     +192     
- Partials          1       54      +53
Flag Coverage Δ
query-workbench 62.76% <ø> (?)
sql-engine 97.90% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
workbench/public/components/PPLPage/PPLPage.tsx 56.52% <0.00%> (ø)
workbench/public/application.tsx 0.00% <0.00%> (ø)
...ch/public/components/QueryResults/QueryResults.tsx 61.60% <0.00%> (ø)
workbench/public/components/SQLPage/SQLPage.tsx 100.00% <0.00%> (ø)
...ublic/components/QueryResults/QueryResultsBody.tsx 68.32% <0.00%> (ø)
workbench/public/components/Main/main.tsx 53.00% <0.00%> (ø)
workbench/public/components/Header/Header.tsx 100.00% <0.00%> (ø)
workbench/public/utils/PanelWrapper.tsx 100.00% <0.00%> (ø)
workbench/public/components/app.tsx 0.00% <0.00%> (ø)
...h/public/components/QueryLanguageSwitch/Switch.tsx 85.71% <0.00%> (ø)

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

@dai-chen dai-chen added CLI enhancement New feature or request labels Oct 17, 2022
@acarbonetto acarbonetto mentioned this pull request Oct 17, 2022
Closed
penghuo
penghuo approved these changes Oct 18, 2022
View reviewed changes
Copy link
Collaborator

@penghuo penghuo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the change!

acarbonetto
acarbonetto approved these changes Oct 18, 2022
View reviewed changes
Copy link
Collaborator

@acarbonetto acarbonetto left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@joshuali925 joshuali925 merged commit fec1a0c into opensearch-project:2.x Oct 19, 2022
@Yury-Fridlyand Yury-Fridlyand deleted the dev-cli-to-use-aws-session-token branch October 19, 2022 21:05
@penghuo penghuo mentioned this pull request Nov 3, 2022
Merged
6 tasks
@YANG-DB YANG-DB mentioned this pull request Dec 15, 2022
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@penghuo penghuo penghuo approved these changes

@MaxKsyunz MaxKsyunz MaxKsyunz approved these changes

@acarbonetto acarbonetto acarbonetto approved these changes

Assignees

No one assigned

Labels

enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[FEATURE] Support session token in OpenSearch SQL CLI

7 participants

@Yury-Fridlyand @codecov-commenter @penghuo @MaxKsyunz @acarbonetto @joshuali925 @dai-chen