Support IAM role temporary credentials in the connector tutorial (#3058)
Signed-off-by: Yaliang Wu <ylwu@amazon.com>
ylwu-amzn authored Oct 9, 2024
1 parent 48d275d commit 75d454e
Showing 1 changed file with 59 additions and 22 deletions.
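--- a/docs/tutorials/aws/AIConnectorHelper.ipynb
+++ b/docs/tutorials/aws/AIConnectorHelper.ipynb
@@ -18,12 +18,13 @@
 "# This Python code is compatible with AWS OpenSearch versions 2.9 and higher.\n",
 "class AIConnectorHelper:\n",
 " \n",
-" def __init__(self, region, opensearch_domain_name, opensearch_domain_username, opensearch_domain_password, aws_user_name):\n",
+" def __init__(self, region, opensearch_domain_name, opensearch_domain_username, opensearch_domain_password, aws_user_name, aws_role_name):\n",
 " self.region = region\n",
 " self.opensearch_domain_url, self.opensearch_domain_arn = AIConnectorHelper.get_opensearch_domain_info(region, opensearch_domain_name)\n",
 " self.opensearch_domain_username = opensearch_domain_username\n",
 " self.opensearch_domain_opensearch_domain_password = opensearch_domain_password\n",
 " self.aws_user_name = aws_user_name\n",
+" self.aws_role_name = aws_role_name\n",
 " \n",
 " @staticmethod \n",
 " def get_opensearch_domain_info(region, domain_name):\n",
@@ -46,6 +47,8 @@
 " return None, None\n",
 " \n",
 " def get_user_arn(self, username):\n",
+" if not username:\n",
+" return None\n",
 " # Create a boto3 client for IAM\n",
 " iam_client = boto3.client('iam')\n",
 "\n",
@@ -172,6 +175,8 @@
 " return None\n",
 "\n",
 " def get_role_arn(self, role_name):\n",
+" if not role_name:\n",
+" return None\n",
 " iam_client = boto3.client('iam')\n",
 " try:\n",
 " response = iam_client.get_role(RoleName=role_name)\n",
@@ -374,7 +379,7 @@
 " \"Statement\": [\n",
 " {\n",
 " \"Action\": [\n",
-" \"secretsmanager:GetSecretValue\"\n",
+" \"secretsmanager:GetSecretValue\",\n",
 " \"secretsmanager:DescribeSecret\"\n",
 " ],\n",
 " \"Effect\": \"Allow\",\n",
@@ -395,17 +400,27 @@
 " # Step 3: Configure IAM role in OpenSearch\n",
 " # 3.1 Create IAM role for Signing create connector request\n",
 " user_arn = self.get_user_arn(self.aws_user_name)\n",
+" role_arn = self.get_role_arn(self.aws_role_name)\n",
+" statements = []\n",
+" if user_arn:\n",
+" statements.append({\n",
+" \"Effect\": \"Allow\",\n",
+" \"Principal\": {\n",
+" \"AWS\": user_arn\n",
+" },\n",
+" \"Action\": \"sts:AssumeRole\"\n",
+" })\n",
+" if role_arn:\n",
+" statements.append({\n",
+" \"Effect\": \"Allow\",\n",
+" \"Principal\": {\n",
+" \"AWS\": role_arn\n",
+" },\n",
+" \"Action\": \"sts:AssumeRole\"\n",
+" })\n",
 " trust_policy = {\n",
 " \"Version\": \"2012-10-17\",\n",
-" \"Statement\": [\n",
-" {\n",
-" \"Effect\": \"Allow\",\n",
-" \"Principal\": {\n",
-" \"AWS\": user_arn\n",
-" },\n",
-" \"Action\": \"sts:AssumeRole\"\n",
-" }\n",
-" ]\n",
+" \"Statement\": statements\n",
 " }\n",
 "\n",
 " inline_policy = {\n",
@@ -486,17 +501,27 @@
 " # Step 2: Configure IAM role in OpenSearch\n",
 " # 2.1 Create IAM role for Signing create connector request\n",
 " user_arn = self.get_user_arn(self.aws_user_name)\n",
+" role_arn = self.get_role_arn(self.aws_role_name)\n",
+" statements = []\n",
+" if user_arn:\n",
+" statements.append({\n",
+" \"Effect\": \"Allow\",\n",
+" \"Principal\": {\n",
+" \"AWS\": user_arn\n",
+" },\n",
+" \"Action\": \"sts:AssumeRole\"\n",
+" })\n",
+" if role_arn:\n",
+" statements.append({\n",
+" \"Effect\": \"Allow\",\n",
+" \"Principal\": {\n",
+" \"AWS\": role_arn\n",
+" },\n",
+" \"Action\": \"sts:AssumeRole\"\n",
+" })\n",
 " trust_policy = {\n",
 " \"Version\": \"2012-10-17\",\n",
-" \"Statement\": [\n",
-" {\n",
-" \"Effect\": \"Allow\",\n",
-" \"Principal\": {\n",
-" \"AWS\": user_arn\n",
-" },\n",
-" \"Action\": \"sts:AssumeRole\"\n",
-" }\n",
-" ]\n",
+" \"Statement\": statements\n",
 " }\n",
 "\n",
 " inline_policy = {\n",
@@ -571,20 +596,32 @@
 "opensearch_domain_password = '...' # set your domain password\n",
 "\n",
 "aws_user_name = '...' # set your AWS IAM user name, not IAM user ARN. \n",
-" # To avoid permission issue and quick start, you can use user whith AdministratorAccess policy\n",
+" # To avoid permission issue and quick start, you can use user with AdministratorAccess policy\n",
 " # Configure this user's access key and secret key in ~/.aws/credential \n",
 " # You can configure ~/.aws/credential as:\n",
 "'''\n",
 "[default]\n",
 "AWS_ACCESS_KEY_ID = YOUR_ACCESS_KEY_ID\n",
 "AWS_SECRET_ACCESS_KEY = YOUR_SECRET_ACCESS_KEY\n",
 "'''\n",
+"aws_role_name = '...' # set your AWS IAM role name, not IAM role ARN.\n",
+" # To avoid permission issue and quick start, you can use role with AdministratorAccess policy\n",
+" # You can configure role temporary credential in ~/.aws/credential as:\n",
+"'''\n",
+"[default]\n",
+"AWS_ACCESS_KEY_ID = YOUR_ACCESS_KEY_ID\n",
+"AWS_SECRET_ACCESS_KEY = YOUR_SECRET_ACCESS_KEY\n",
+"AWS_SESSION_TOKEN = YOUR_AWS_SESSION_TOKEN\n",
+"'''\n",
+"# You must set either aws_user_name or aws_role_name. \n",
+"# You can set the one which you don't need as None. For example aws_role_name=None\n",
 "\n",
 "helper = AIConnectorHelper(region, \n",
 " opensearch_domain_name, \n",
 " opensearch_domain_username, \n",
 " opensearch_domain_password, \n",
-" aws_user_name)"
+" aws_user_name,\n",
+" aws_role_name)"
 ]
 },
 {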
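Review bot: The trust policy assembled under steps 3.1 and 2.1 is built from `statements`, which stays empty whenever neither lookup yields an ARN — `get_user_arn` and `get_role_arn` now return `None` for an empty name, and the bottom-of-notebook comment that one of the two "must" be set is never enforced — so the create-role call that follows gets a policy with no principals and fails with an opaque IAM error instead of a clear message. Guard it right after the two lookups in both methods: `if not statements:` followed by `raise ValueError("Set aws_user_name or aws_role_name to an IAM principal that exists")`. The assembly is now copy-pasted into both methods, so a small `_build_trust_policy(self)` helper carrying that guard would keep the two from drifting. The quick-start comments recommending `AdministratorAccess` for both the user and the role deserve one extra line telling the reader to replace it with a scoped policy outside a sandbox, and the file boto3 reads is `~/.aws/credentials` (plural), not `~/.aws/credential` as written. Both enclosing methods start and end outside their hunks.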
