DRIVERS-2585 Use AWS Secrets Manager for AWS-Related Test Secrets #334

Merged
merged 7 commits into from
Aug 8, 2023
Merged
83 changes: 83 additions & 0 deletions .evergreen/auth_aws/setup_secrets.py
@@ -0,0 +1,83 @@
#!/usr/bin/env python3
"""
Script for fetching AWS Secrets Vault secrets for use in testing.
"""
import argparse
import json
import os
import yaml
import boto3


def get_secrets(vaults, region="us-east-1", profile="default"):
"""Get the driver secret values."""
# Handle local credentials.
try:
session = boto3.Session(profile_name=profile)
client = session.client(service_name='secretsmanager', region_name=region)
except Exception:
print("Failed to connect using AWS credentials, trying with environment variables")
if "AWS_SESSION_TOKEN" not in os.environ:
if "AWS_ROLE_ARN" in os.environ:
session = boto3.Session(aws_access_key_id=os.environ['AWS_ACCESS_KEY_ID'], aws_secret_access_key=os.environ['AWS_SECRET_ACCESS_KEY'])
client = session.client(service_name='sts', region_name=region)
creds = client.assume_role(RoleArn=os.environ['AWS_ROLE_ARN'], RoleSessionName='test')['Credentials']
os.environ['AWS_ACCESS_KEY_ID'] = creds['AccessKeyId']
os.environ['AWS_SECRET_ACCESS_KEY'] = creds['SecretAccessKey']
os.environ['AWS_SESSION_TOKEN'] = creds['SessionToken']
else:
raise ValueError('Missing AWS credentials')

# Create a session using the given creds
session = boto3.Session(aws_access_key_id=os.environ['AWS_ACCESS_KEY_ID'], aws_secret_access_key=os.environ['AWS_SECRET_ACCESS_KEY'], aws_session_token=os.environ['AWS_SESSION_TOKEN'])
client = session.client(service_name='secretsmanager', region_name=region)

secrets = []
try:
for vault in vaults:
secrets.append(client.get_secret_value(
SecretId=vault
)['SecretString'])
except Exception as e:
# For a list of exceptions thrown, see
# https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
raise e

# Decrypts secret using the associated KMS key.
return [json.loads(s) for s in secrets]


def write_secrets(vaults, region, profile):
pairs = {}
secrets = get_secrets(vaults, region, profile)
for secret in secrets:
for key, val in secret.items():
pairs[key.upper()] = val

with open("secrets-expansion.yml", "w") as yaml_out:
yaml.dump(pairs, yaml_out, default_flow_style=False, allow_unicode=True, default_style='"')

with open("secrets-export.sh", "w") as out:
out.write("#!/usr/bin/env bash" + "\n\n")
for key, val in pairs.items():
out.write("export " + key + "=" + "\"" + val + "\"\n")


def main():
parser = argparse.ArgumentParser(description='MongoDB AWS Secrets Vault fetcher. If connecting with the given AWS '
'profile fails, will attempt to use local environment variables '
'instead.')

parser.add_argument("-p", "--profile", type=str, metavar="profile", help="a local AWS profile to use credentials "
"from. Defaults to \"default\".")
parser.add_argument("-r", "--region", type=str, metavar="region",
help="the AWS region containing the given vaults. Defaults to \"us-east-1\".")
parser.add_argument("vaults", metavar="V", type=str, nargs="+", help="a vault to fetch secrets from")

args = parser.parse_args()

write_secrets(args.vaults, args.region, args.profile)


if __name__ == '__main__':
main()
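Review bot: The `secrets-export.sh` writer on the `out.write("export " + key + "=" + "\"" + val + "\"\n")` line interpolates secret values into a double-quoted shell string, so a value containing `"`, `$`, a backtick or a backslash either breaks the script or gets expanded when it is sourced, and a non-string value from `json.loads` raises TypeError on the concatenation; `out.write(f"export {key}={shlex.quote(str(val))}\n")` with `import shlex` at the top avoids both. Both output files hold live credentials but are created with the process umask, so an `os.chmod(path, 0o600)` after each `open` (or `os.open` with mode `0o600`) would keep them from other local users. The `--profile` and `--region` options advertise defaults of "default" and "us-east-1" in their help text but set none, and `write_secrets` passes `args.region`/`args.profile` positionally so the defaults on `get_secrets` are never used; adding `default="default"` and `default="us-east-1"` to the two `add_argument` calls makes the help text true. The `try`/`except Exception as e: raise e` around the `get_secret_value` loop is a no-op re-raise that can be dropped, and the comment `# Decrypts secret using the associated KMS key.` sits above a `json.loads` that only parses the already-decrypted `SecretString`.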
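--- a/.evergreen/auth_oidc/oidc_get_tokens.py
+++ b/.evergreen/auth_oidc/oidc_get_tokens.py
@@ -16,7 +16,7 @@ def main():
 'rsa_key': secrets['oidc_rsa_key'],
 'audience': DEFAULT_CLIENT,
 'client_id': DEFAULT_CLIENT,
-'client_secret':secrets['oidc_client_secret'],
+'client_secret': secrets['oidc_client_secret'],
 'username': 'test_user1',
 'token_file': os.path.join(token_dir, 'test_user1')
 }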
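--- a/.gitignore
+++ b/.gitignore
@@ -106,3 +106,5 @@ lb-expansion.yml
 .DS_Store
 *.log
 orchestration.config
+secrets-expansion.yml
+secrets-export.sh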