diff --git a/.secrets.baseline b/.secrets.baseline index cd416b7..2756032 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -221,6 +221,26 @@ "is_secret": false } ], + "terraform/terraform-modules/ecs-ecr/ecs_task_execution_role_iam_policy.json": [ + { + "type": "AWS Sensitive Information (Experimental Plugin)", + "filename": "terraform/terraform-modules/ecs-ecr/ecs_task_execution_role_iam_policy.json", + "hashed_secret": "9ad897024d8c36c541d7fe84084c4e9f4df00b2a", + "is_verified": false, + "line_number": 11, + "is_secret": false + } + ], + "terraform/terraform-modules/ecs-ecr/ecs_task_role_iam_policy.json": [ + { + "type": "AWS Sensitive Information (Experimental Plugin)", + "filename": "terraform/terraform-modules/ecs-ecr/ecs_task_role_iam_policy.json", + "hashed_secret": "9ad897024d8c36c541d7fe84084c4e9f4df00b2a", + "is_verified": false, + "line_number": 11, + "is_secret": false + } + ], "terraform/terraform-modules/ecs-ecr/template_ecs_task_execution_role_iam_policy.json": [ { "type": "AWS Sensitive Information (Experimental Plugin)", @@ -251,6 +271,16 @@ "is_secret": false } ], + "terraform/terraform-modules/mwaa-env/mwaa_execution_role_iam_policy.json": [ + { + "type": "AWS Sensitive Information (Experimental Plugin)", + "filename": "terraform/terraform-modules/mwaa-env/mwaa_execution_role_iam_policy.json", + "hashed_secret": "9ad897024d8c36c541d7fe84084c4e9f4df00b2a", + "is_verified": false, + "line_number": 8, + "is_secret": false + } + ], "terraform/terraform-modules/mwaa-env/template_mwaa_execution_role_iam_policy.json": [ { "type": "AWS Sensitive Information (Experimental Plugin)", 
@@ -261,6 +291,16 @@ "is_secret": false } ], + "terraform/terraform-modules/product-copy-completion-checker/lambda_inline_policy.json": [ + { + "type": "AWS Sensitive Information (Experimental Plugin)", + "filename": "terraform/terraform-modules/product-copy-completion-checker/lambda_inline_policy.json", + "hashed_secret": "9ad897024d8c36c541d7fe84084c4e9f4df00b2a", + "is_verified": false, + "line_number": 11, + "is_secret": false + } + ], "terraform/terraform-modules/product-copy-completion-checker/product-copy-completion-checker.tf": [ { "type": "AWS Sensitive Information (Experimental Plugin)", @@ -282,5 +322,5 @@ } ] }, - "generated_at": "2024-09-06T02:11:28Z" + "generated_at": "2024-10-03T02:25:24Z" } diff --git a/terraform/README.md b/terraform/README.md index 4fa469e..fdc92e2 100644 --- a/terraform/README.md +++ b/terraform/README.md 
@@ -173,3 +173,41 @@ configured as `mwaa_dag_s3_bucket_name` in the `terraform.tfvars` file. 15. Use the PDS Data Upload Manager (DUM) tool to upload files to pds_nucleus_staging_bucket. + + +## Steps to Access Nucleus Airflow UI With Cognito Credentials + +Only some users have direct access to AWS and those users can access Airflow UI as explained in the step 9 to 12 +in the above section. However, there is another way to access Airflow UI using a Cognito account as follows. + +1. Make sure you have a Cognito user created in the Cognito user pool with required role (Cognito group). The PDS engineering node team can +help with this. + +2. Download the `get-airflow-ui-webtoken.py` python script from https://github.com/NASA-PDS/nucleus/blob/airflow-ui-web-token/utils/get-airflow-ui-webtoken.py + +3. Create a python virtual environment as follows. + +```shell +python3 -m venv venv +``` + +4. Activate python virtual environment. + +```shell +source venv/bin/activate +``` + +5. Install boto3 + +```shell + pip install boto3 +``` + +6. Execute the `get-airflow-ui-webtoken.py` python script and provide the Cognito username and password when prompted. + +```shell +python get-airflow-ui-webtoken.py +``` + +7. Copy the generated Nucleus Airflow UI web token and paste that in a webbrowser address bar to access the Airflow UI. + diff --git a/utils/get-airflow-ui-webtoken.py b/utils/get-airflow-ui-webtoken.py new file mode 100644 index 0000000..e18e2d7 --- /dev/null +++ b/utils/get-airflow-ui-webtoken.py 
@@ -0,0 +1,121 @@
+# Copyright 2024, California Institute of Technology ("Caltech").
+# U.S. Government sponsorship acknowledged.
+#
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+# * Redistributions must reproduce the above copyright notice, this list of
+# conditions and the following disclaimer in the documentation and/or other
+# materials provided with the distribution.
+# * Neither the name of Caltech nor its operating division, the Jet Propulsion
+# Laboratory, nor the names of its contributors may be used to endorse or
+# promote products derived from this software without specific prior written
+# permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+
+import boto3
+import getpass
+
+# Set constants
+
+# Obtain the Cognito identity pool ID from the PDS Engineering Team
+IDENTITY_POOL_ID = ''
+
+# Obtain the AWS Account ID of Nucleus Deployment from the PDS Engineering Team
+AWS_ACCOUNT_ID = ''
+
+# Obtain the Cognito user pool ID from the PDS Engineering Team
+COGNITO_USER_POOL_ID = ''
+
+# Obtain the Cognito Client ID from the PDS Engineering Team
+COGNITO_CLIENT_ID = 'COGNITO_CLIENT_ID'
+
+# AWS Region
+REGION = 'us-west-2'
+
+# Obtain the Nucleus Airflow Environment Name from the PDS Engineering Team
+NUCLEUS_AIRFLOW_ENVIRONMENT_NAME = ''
+
+
+# The following code obtains an ID token using the USER_PASSWORD_AUTH auth flow of client_idp.initiate_auth().
+# This code interactively requests for username and password to obtain the ID token.
+
+# Create Cognito IDP client
+client_idp = boto3.client('cognito-idp', region_name=REGION)
+
+# Promt the user to enter the username and password
+username = input('Enter your Cognito username: ')
+password = getpass.getpass('Enter your Cognito password: ')
+auth_params = {
+ "USERNAME": username,
+ "PASSWORD": password
+}
+
+# Get tokens from Cognito
+response = client_idp.initiate_auth(
+ AuthFlow='USER_PASSWORD_AUTH',
+ AuthParameters=auth_params,
+ ClientId=COGNITO_CLIENT_ID
+)
+
+# Read ID token
+id_token = response['AuthenticationResult']['IdToken']
+
+# Create Cognito Identity client
+client_identify = boto3.client('cognito-identity', region_name=REGION)
+
+# Get Identify ID
+response_identity_get_id = client_identify.get_id(
+ AccountId=AWS_ACCOUNT_ID,
+ IdentityPoolId=IDENTITY_POOL_ID,
+ Logins={
+ 'cognito-idp.us-west-2.amazonaws.com/' + COGNITO_USER_POOL_ID: id_token
+ }
+)
+IDENTITY_ID = response_identity_get_id['IdentityId']
+
+# Get temporary AWS credentials for the identity
+aws_credentials = client_identify.get_credentials_for_identity(
+ IdentityId=IDENTITY_ID,
+ Logins={
+ 'cognito-idp.us-west-2.amazonaws.com/' + COGNITO_USER_POOL_ID: id_token
+ }
+)
+
+access_key_id = aws_credentials['Credentials']['AccessKeyId']
+secret_key = aws_credentials['Credentials']['SecretKey']
+session_token = aws_credentials['Credentials']['SessionToken']
+
+mwaa = boto3.client(
+ 'mwaa',
+ aws_access_key_id=access_key_id,
+ aws_secret_access_key=secret_key,
+ aws_session_token=session_token,
+ region_name=REGION,
+)
+
+response = mwaa.create_web_login_token(
+ Name=NUCLEUS_AIRFLOW_ENVIRONMENT_NAME
+)
+
+webServerHostName = response["WebServerHostname"]
+webToken = response["WebToken"]
+airflowUIUrl = 'https://{0}/aws_mwaa/aws-console-sso?login=true#{1}'.format(webServerHostName, webToken)
+
+print("Here is your Nucleus Airflow UI URL: ")
+print(airflowUIUrl)
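Review bot: `id_token = response['AuthenticationResult']['IdToken']` assumes initiate_auth always returns a completed authentication, but when the user pool requires MFA or a forced password change the response carries `ChallengeName` and no `AuthenticationResult`, so the script dies with a bare KeyError right after the password prompt; guard it with `if 'AuthenticationResult' not in response: raise SystemExit(f"Cognito returned challenge {response.get('ChallengeName')}; only USER_PASSWORD_AUTH without challenges is supported")`. The two `Logins` keys hard-code `us-west-2` while every client is built from `REGION`; derive the provider name once, `LOGIN_PROVIDER = f'cognito-idp.{REGION}.amazonaws.com/{COGNITO_USER_POOL_ID}'`, and use it in both get_id and get_credentials_for_identity so a region change cannot silently break the identity lookup. The placeholder constants (`''` and `'COGNITO_CLIENT_ID'`) are never validated, so an unedited copy fails only after the user has typed a password; a non-empty check over those constants before the prompts, or reading them from environment variables, would fail fast and keep deployment identifiers out of the script. The printed URL embeds the MWAA web login token, which grants Airflow UI access until it expires, so the comment above the print should say it is a credential and must not be pasted into logs or tickets.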