PYTHON-3942 Enable AzureKMS through AWS Secrets Manager (#354)

* PYTHON-3942 Enable AzureKMS through AWS Secrets Manager * fix syntax * fix echo handling * fix private key handling * debug * try without IFS * try again * try without IFS * try with printf * fix printf * remove debug print * Remove scope * fix role deletion * try fixing delete role * fix syntax * handle unbound variable * fix role deletion
mongodb-labs · Oct 2, 2023 · 6efbfb7 · 6efbfb7
1 parent c5d4fd9
commit 6efbfb7
Show file tree

Hide file tree

Showing 5 changed files with 66 additions and 27 deletions.
diff --git a/.evergreen/auth_aws/setup_secrets.py b/.evergreen/auth_aws/setup_secrets.py
@@ -6,19 +6,34 @@
 import json
 import os
 import sys
+import uuid
 
 import boto3
 import botocore.exceptions
 
+AWS_ROLE_ARN = "arn:aws:iam::857654397073:role/drivers-test-secrets-role"
 
 def get_secrets(vaults, region, profile):
     """Get the driver secret values."""
     # Handle local credentials.
     profile = profile or os.environ.get("AWS_PROFILE")
+    kwargs = dict(region_name=region)
     if "AWS_ACCESS_KEY_ID" not in os.environ and not profile:
-        raise ValueError("Please provide a profile (typically using AWS_PROFILE)")
-    session = boto3.Session(profile_name=profile)
-    client = session.client(service_name='secretsmanager', region_name=region)
+        session = boto3.Session(profile_name=profile)
+        client = session.client(service_name='sts', **kwargs)
+        try:
+            # This will only fail locally.
+            resp = client.assume_role(RoleArn=AWS_ROLE_ARN, RoleSessionName=str(uuid.uuid4()))
+        except Exception as e:
+            print(e)
+            raise ValueError("Please provide a profile (typically using AWS_PROFILE)")
+
+        creds = resp['Credentials']
+        kwargs.update(aws_access_key_id=creds['AccessKeyId'],
+                    aws_secret_access_key=creds['SecretAccessKey'],
+                    aws_session_token=creds['SessionToken'])
+
+    client = session.client(service_name='secretsmanager', **kwargs)
 
     secrets = []
     try:

diff --git a/.evergreen/auth_aws/setup_secrets.sh b/.evergreen/auth_aws/setup_secrets.sh
@@ -7,6 +7,6 @@ HERE=$(dirname $0)
 pushd $HERE
 . ./activate-authawsvenv.sh
 popd
-echo "Getting secrets: $@"
-python $HERE/setup_secrets.py $@
+echo "Getting secrets:" "$@"
+python $HERE/setup_secrets.py "$@"
 echo "Got secrets"
diff --git a/.evergreen/csfle/azurekms/create-and-setup-vm.sh b/.evergreen/csfle/azurekms/create-and-setup-vm.sh
@@ -3,27 +3,34 @@ set -o errexit
 set -o pipefail
 set -o nounset
 
-if [ -z "${AZUREKMS_VMNAME_PREFIX:-}" ] || \
-   [ -z "${AZUREKMS_CLIENTID:-}" ] || \
-   [ -z "${AZUREKMS_TENANTID:-}" ] || \
-   [ -z "${AZUREKMS_SECRET:-}" ] || \
-   [ -z "${AZUREKMS_DRIVERS_TOOLS:-}" ] || \
-   [ -z "${AZUREKMS_RESOURCEGROUP:-}" ] || \
-   [ -z "${AZUREKMS_PUBLICKEYPATH:-}" ] || \
-   [ -z "${AZUREKMS_PRIVATEKEYPATH:-}" ] || \
-   [ -z "${AZUREKMS_SCOPE:-}" ]; then
-    echo "Please set the following required environment variables"
-    echo " AZUREKMS_VMNAME_PREFIX to an identifier string no spaces (e.g. CDRIVER)"
-    echo " AZUREKMS_CLIENTID"
-    echo " AZUREKMS_TENANTID"
-    echo " AZUREKMS_SECRET"
-    echo " AZUREKMS_DRIVERS_TOOLS"
-    echo " AZUREKMS_PUBLICKEYPATH"
-    echo " AZUREKMS_PRIVATEKEYPATH"
-    echo " AZUREKMS_SCOPE"
-    exit 1
+AZUREKMS_DRIVERS_TOOLS=${AZUREKMS_DRIVERS_TOOLS:-$DRIVERS_TOOLS}
+
+if [ -n "${AZUREKMS_PUBLICKEY:-}" ]; then
+    echo "${AZUREKMS_PUBLICKEY}" > /tmp/testazurekms_publickey
+    printf -- "${AZUREKMS_PRIVATEKEY}" > /tmp/testazurekms_privatekey
+    # Set 600 permissions on private key file. Otherwise ssh / scp may error with permissions "are too open".
+    chmod 600 /tmp/testazurekms_privatekey
+    export AZUREKMS_PUBLICKEYPATH="/tmp/testazurekms_publickey"
+    export AZUREKMS_PRIVATEKEYPATH="/tmp/testazurekms_privatekey"
 fi
 
+VARLIST=(
+AZUREKMS_VMNAME_PREFIX
+AZUREKMS_CLIENTID
+AZUREKMS_TENANTID
+AZUREKMS_SECRET
+AZUREKMS_RESOURCEGROUP
+AZUREKMS_PUBLICKEYPATH
+AZUREKMS_PRIVATEKEYPATH
+AZUREKMS_SCOPE
+)
+
+# Ensure that all variables required to run the test are set, otherwise throw
+# an error.
+for VARNAME in ${VARLIST[*]}; do
+[[ -z "${!VARNAME}" ]] && echo "ERROR: $VARNAME not set" && exit 1;
+done
+
 # Set defaults.
 export AZUREKMS_IMAGE=${AZUREKMS_IMAGE:-"Debian:debian-11:11:0.20221020.1174"}
 
@@ -45,7 +52,12 @@ fi
 # Create VM.
 . "$AZUREKMS_DRIVERS_TOOLS"/.evergreen/csfle/azurekms/create-vm.sh
 export AZUREKMS_VMNAME="$AZUREKMS_VMNAME"
-echo "AZUREKMS_VMNAME: $AZUREKMS_VMNAME" > testazurekms-expansions.yml
+# Store items needed for teardown.
+cat <<EOT > testazurekms-expansions.yml
+AZUREKMS_VMNAME: $AZUREKMS_VMNAME
+AZUREKMS_RESOURCEGROUP: $AZUREKMS_RESOURCEGROUP
+AZUREKMS_SCOPE: $AZUREKMS_SCOPE
+EOT
 # Assign role.
 "$AZUREKMS_DRIVERS_TOOLS"/.evergreen/csfle/azurekms/assign-role.sh
 # Install dependencies.
@@ -59,4 +71,4 @@ AZUREKMS_SRC="$AZUREKMS_DRIVERS_TOOLS/.evergreen/csfle/azurekms/remote-scripts/s
 AZUREKMS_DST="./" \
     "$AZUREKMS_DRIVERS_TOOLS"/.evergreen/csfle/azurekms/copy-file.sh
 AZUREKMS_CMD="./start-mongodb.sh" \
-    "$AZUREKMS_DRIVERS_TOOLS"/.evergreen/csfle/azurekms/run-command.sh
+    "$AZUREKMS_DRIVERS_TOOLS"/.evergreen/csfle/azurekms/run-command.sh
diff --git a/.evergreen/csfle/azurekms/delete-vm.sh b/.evergreen/csfle/azurekms/delete-vm.sh
@@ -12,6 +12,18 @@ if [ -z "${AZUREKMS_RESOURCEGROUP:-}" ] || \
     exit 1
 fi
 
+if [ -n "${AZUREKMS_SCOPE:-}" ]; then
+    echo "Deleting the role from the Virtual Machine $AZUREKMS_VMNAME ... begin"
+    PRINCIPAL_ID=$(az vm show --show-details --resource-group "$AZUREKMS_RESOURCEGROUP" --name "$AZUREKMS_VMNAME" --query identity.principalId -o tsv)
+    az role assignment delete \
+        --assignee "$PRINCIPAL_ID" \
+        --role "Key Vault Crypto User" \
+        --scope "$AZUREKMS_SCOPE" \
+        -y \
+        >/dev/null
+    echo "Deleting the role from the Virtual Machine $AZUREKMS_VMNAME ... end"
+fi
+
 echo "Deleting Virtual Machine $AZUREKMS_VMNAME ... begin"
 az vm delete \
     --resource-group "$AZUREKMS_RESOURCEGROUP" \

diff --git a/.evergreen/make-docs.sh b/.evergreen/make-docs.sh
@@ -5,7 +5,7 @@ set -o errexit  # Exit the script with error if any of the commands fail
 mkdir -p doc/html || true
 
 
-cat <<EOT > doc/html/index.html > doc/html/intro.html
+cat <<EOT > doc/html/index.html doc/html/intro.html
 <html>
 <body>
 <ul>