Introducing SageMaker connection examples using Sig4V and server-generated credentials.

vllyakho · vllyakho · commit 8bdf170d9b9c · 2021-09-28T23:19:59.000-07:00
Grammar/style changes to Readme and notebook text.
diff --git a/SageMaker/connection-service-specific-credentials /README.md b/SageMaker/connection-service-specific-credentials /README.md
@@ -3,54 +3,54 @@
 ## Connecting to Amazon Keyspaces from SageMaker Notebook with Python
 
 
-This code shows how to connect to Amazon Keyspaces from SageMaker using an [service-specific credentials](https://docs.aws.amazon.com/keyspaces/latest/devguide/programmatic.credentials.html) for an existing AWS Identity and Access Management (IAM) user.
+This code shows how to connect to Amazon Keyspaces from SageMaker using [service-specific credentials](https://docs.aws.amazon.com/keyspaces/latest/devguide/programmatic.credentials.html).
 
-Service-specific credentials aren’t the only way to authenticate and authorize access to Amazon Keyspaces resources. We recommend using the AWS authentication plugin for Cassandra drivers.
+Service-specific credentials aren’t the only way to authenticate and authorize access to Amazon Keyspaces resources. We recommend using AWS authentication plugin for Cassandra drivers .
 
-The following code is an example of a service-specific credential .
 
-```
-"ServiceSpecificCredential": {
-        "CreateDate": "2019-10-09T16:12:04Z",
-        "ServiceName": "cassandra.amazonaws.com",
-        "ServiceUserName": "keyspace-user1-at-11122223333",
-        "ServicePassword": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
-        "ServiceSpecificCredentialId": "ACCAYFI33SINPGJEBYESF",
-        "UserName": " keyspace-user1",
-        "Status": "Active"
-    }
-}
-```
+### Prerequisites<a name="Prerequisites"></a></a>
+The Notebook execution role must include permissions to access Amazon Keyspaces and [Secret Manager](https://aws.amazon.com/secrets-manager/).
 
+*  To access Amazon Keyspaces database - use AmazonKeyspacesReadOnlyAccess or AmazonKeyspacesFullAccess managed policies. Use the _least privileged approach_ for your production application.  
+See more at
+[AWS Identity and Access Management for Amazon Keyspaces](https://docs.aws.amazon.com/keyspaces/latest/devguide/security-iam.html).
 
+* To use AWS Secret Manager, the Notebooks execution role must include  [SecretsManagerReadWrite](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-policies.html) managed policy.
+
+
+
+### Security Configuration
+
+1. Generate [Keyspaces Service-Specific Credentials](https://docs.aws.amazon.com/keyspaces/latest/devguide/programmatic.credentials.html)
 
-### Prerequisites<a name="Prerequisites"></a></a>
-This notebook was tested with conda_python3 kernel and should work with Python 3.x.
 
-The Notebook execution role must include permissions to access Amazon Keyspaces and Assume the role.
-
-*  To access Amazon Keyspaces database - can use AmazonKeyspacesReadOnlyAccess or AmazonKeyspacesFullAccess managed policies. Use the least privilege approach for your production application.
-[AWS Identity and Access Management for Amazon Keyspaces](https://docs.aws.amazon.com/keyspaces/latest/devguide/security-iam.html)
-
-* To assume the role you need to have [sts:AssumeRole action](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) permissions
-    ```
-    {
-      "Version": "2012-10-17",  
-      "Statement": [  
-        {  
-           "Action": [  
-           "sts:AssumeRole"  
-          ],  
-          "Effect": "Allow",  
-          "Resource": "*"  
+        Example of a service-specific credential
+
+  ```
+        "ServiceSpecificCredential": {
+                "CreateDate": "2019-10-09T16:12:04Z",
+                "ServiceName": "cassandra.amazonaws.com",
+                "ServiceUserName": "keyspace-user1-at-11122223333",
+                "ServicePassword": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
+                "ServiceSpecificCredentialId": "ACCAYFI33SINPGJEBYESF",
+                "UserName": " keyspace-user1",
+                "Status": "Active"
+            }
         }
-      ]
-    }
-    ```
+  ```
+
+2. Store ServiceUserName and ServicePassword in the SecretManager.  As a best practice, we don't want to store credentials as a plain text in the SageMaker Notebooks.
+
+  In this example I'm using
+_Keyspaces_Server_Generated_credential_ as a Secret Name and _keyspaces_generated_id_ and _keyspaces_generated_pw_ fields to store Keyspaces ID and password.
+
+
+
 
 #### Note:
-Amazon Keyspaces is available in the following [AWS Regions](https://docs.aws.amazon.com/keyspaces/latest/devguide/programmatic.endpoints.html)
+Amazon Keyspaces is available in the following [AWS Regions](https://docs.aws.amazon.com/keyspaces/latest/devguide/programmatic.endpoints.html).
 
+This notebook was tested with conda_python3 kernel and should work with Python 3.x.
 
 ### Running the sample
 *  Import Notebook into SageMaker 	
diff --git a/SageMaker/connection-service-specific-credentials /SageMaker_Keyspaces_with_server_credentials.ipynb b/SageMaker/connection-service-specific-credentials /SageMaker_Keyspaces_with_server_credentials.ipynb
@@ -2,7 +2,7 @@
  "cells": [
   {
    "cell_type": "markdown",
-   "id": "9d63b0ce",
+   "id": "efe02727",
    "metadata": {},
    "source": [
     "## Connecting to Amazon Keyspaces using server-side credentials \n",
@@ -12,7 +12,7 @@
   },
   {
    "cell_type": "markdown",
-   "id": "eb60e0cd",
+   "id": "68d038c1",
    "metadata": {},
    "source": [
     "Before we start we need to generate the Keyspaces credential and use SecretManager to securly store credentials. \n",
@@ -45,7 +45,7 @@
   {
    "cell_type": "code",
    "execution_count": null,
-   "id": "6984b585",
+   "id": "d4fd77c1",
    "metadata": {},
    "outputs": [],
    "source": [
@@ -60,7 +60,7 @@
   {
    "cell_type": "code",
    "execution_count": null,
-   "id": "1947cbf2",
+   "id": "9e06a3a6",
    "metadata": {},
    "outputs": [],
    "source": [
@@ -71,7 +71,7 @@
   {
    "cell_type": "code",
    "execution_count": null,
-   "id": "b7850692",
+   "id": "572c391a",
    "metadata": {},
    "outputs": [],
    "source": [
@@ -82,7 +82,7 @@
   {
    "cell_type": "code",
    "execution_count": null,
-   "id": "9d6d8906",
+   "id": "df0a72d8",
    "metadata": {},
    "outputs": [],
    "source": [
@@ -125,7 +125,7 @@
   {
    "cell_type": "code",
    "execution_count": null,
-   "id": "469b854b",
+   "id": "e4425550",
    "metadata": {},
    "outputs": [],
    "source": [
@@ -135,7 +135,7 @@
   {
    "cell_type": "code",
    "execution_count": null,
-   "id": "38a8ea09",
+   "id": "03fa7f66",
    "metadata": {},
    "outputs": [],
    "source": [
@@ -145,7 +145,7 @@
   {
    "cell_type": "code",
    "execution_count": null,
-   "id": "ed4076e2",
+   "id": "75c23dba",
    "metadata": {},
    "outputs": [],
    "source": [
@@ -158,7 +158,7 @@
   {
    "cell_type": "code",
    "execution_count": null,
-   "id": "b2bf80c9",
+   "id": "4c5c27c0",
    "metadata": {},
    "outputs": [],
    "source": [
@@ -172,7 +172,7 @@
   {
    "cell_type": "code",
    "execution_count": null,
-   "id": "75334b15",
+   "id": "a3abaf72",
    "metadata": {},
    "outputs": [],
    "source": []
diff --git a/SageMaker/connection-sigv4/README.md b/SageMaker/connection-sigv4/README.md
@@ -2,16 +2,17 @@
 
 This code shows how to connect to Amazon Keyspaces from SageMaker using an authentication plugin for temporary credentials. This plugin enables IAM users, roles, and federated identities to add authentication information to Amazon Keyspaces API requests using the AWS Signature Version 4 process (SigV4).
 
-In this example we do NOT need to generate Keyspaces service-specific credentials.
+In this example, we do NOT need to generate Keyspaces service-specific credentials.
+
 
 
 ### Prerequisites
-This notebook was tested with conda_python3 kernel and should work with Python 3.x.
 
 The Notebook execution role must include permissions to access Amazon Keyspaces and Assume the role.
 
-*  To access Amazon Keyspaces database - can use AmazonKeyspacesReadOnlyAccess or AmazonKeyspacesFullAccess managed policies. Use the least privilege approach for your production application.
-[AWS Identity and Access Management for Amazon Keyspaces](https://docs.aws.amazon.com/keyspaces/latest/devguide/security-iam.html)
+*  To access Amazon Keyspaces database - use AmazonKeyspacesReadOnlyAccess or AmazonKeyspacesFullAccess managed policies. Use the _least privileged approach_ for your production application.  
+See more at
+[AWS Identity and Access Management for Amazon Keyspaces](https://docs.aws.amazon.com/keyspaces/latest/devguide/security-iam.html).
 
 * To assume the role you need to have [sts:AssumeRole action](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) permissions
     ```
@@ -32,6 +33,9 @@ The Notebook execution role must include permissions to access Amazon Keyspaces
 #### Note:
 Amazon Keyspaces is available in the following [AWS Regions](https://docs.aws.amazon.com/keyspaces/latest/devguide/programmatic.endpoints.html)
 
+This notebook was tested with conda_python3 kernel and should work with Python 3.x.
+
+
 
 ### Running the sample
 *  Import Notebook into SageMaker 	
diff --git a/SageMaker/connection-sigv4/SageMaker_Keyspaces_with_ sigv4.ipynb b/SageMaker/connection-sigv4/SageMaker_Keyspaces_with_ sigv4.ipynb
@@ -2,28 +2,30 @@
  "cells": [
   {
    "cell_type": "markdown",
-   "id": "b455f1e8",
+   "id": "d0f1440d",
    "metadata": {},
    "source": [
     "## Connecting to Amazon Keyspaces using SigV4 authentication plugin for temporary credentials.  \n",
-    "#####   This plugin enables IAM users, roles, and federated identities to add authentication information to Amazon Keyspaces API requests using the AWS Signature Version 4 process (SigV4).\n",
     "\n",
-    "More info about [SigV4](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html) \n"
+    "This plugin enables IAM users, roles, and federated identities to add authentication information to Amazon Keyspaces API requests using the [AWS Signature Version 4 process (SigV4)](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html) .\n",
+    "\n",
+    "In this example, we do NOT need to generate Keyspaces service-specific credentials."
    ]
   },
   {
    "cell_type": "markdown",
-   "id": "9c744358",
+   "id": "9cdcdeca",
    "metadata": {},
    "source": [
     "### Requrements \n",
     "\n",
     "The Notebook execution role must include permissions to access Amazon Keyspaces and Assume the role. \n",
     "\n",
+    "*  To access Amazon Keyspaces database - use AmazonKeyspacesReadOnlyAccess or AmazonKeyspacesFullAccess managed policies. Use the _least privileged approach_ for your production application.  \n",
+    "See more at\n",
+    "[AWS Identity and Access Management for Amazon Keyspaces](https://docs.aws.amazon.com/keyspaces/latest/devguide/security-iam.html).\n",
     "\n",
-    "*  To access Amazon Keyspaces database - can use AmazonKeyspacesReadOnlyAccess or AmazonKeyspacesFullAccess managed policies. See [AWS Identity and Access Management for Amazon Keyspaces](https://docs.aws.amazon.com/keyspaces/latest/devguide/security-iam.html). Use the least privilege approach for your production application.\n",
-    "\n",
-    "* To assume the role you need to have [sts:AssumeRole action](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) permissions\n",
+    "* To assume the role, you need to have [sts:AssumeRole action](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) permissions.\n",
     "    ```\n",
     "    {\n",
     "      \"Version\": \"2012-10-17\",  \n",
@@ -40,15 +42,15 @@
     "    ```\n",
     "\n",
     "#### Note:\n",
-    "Amazon Keyspaces is available in the following [AWS Regions](https://docs.aws.amazon.com/keyspaces/latest/devguide/programmatic.endpoints.html)\n",
+    "Amazon Keyspaces is available in the following [AWS Regions](https://docs.aws.amazon.com/keyspaces/latest/devguide/programmatic.endpoints.html).\n",
     "\n",
     "This notebook was tested with conda_python3 kernel and should work with Python 3.x."
    ]
   },
   {
    "cell_type": "code",
    "execution_count": null,
-   "id": "8d8f6586",
+   "id": "b34480df",
    "metadata": {},
    "outputs": [],
    "source": [
@@ -59,7 +61,7 @@
   {
    "cell_type": "code",
    "execution_count": null,
-   "id": "38b1cef1",
+   "id": "e8b700d9",
    "metadata": {},
    "outputs": [],
    "source": [
@@ -70,7 +72,7 @@
   {
    "cell_type": "code",
    "execution_count": null,
-   "id": "75c6b109",
+   "id": "d6b40a2a",
    "metadata": {},
    "outputs": [],
    "source": [
@@ -85,7 +87,7 @@
   {
    "cell_type": "code",
    "execution_count": null,
-   "id": "97968cc2",
+   "id": "6e690e59",
    "metadata": {},
    "outputs": [],
    "source": [
@@ -106,7 +108,7 @@
   {
    "cell_type": "code",
    "execution_count": null,
-   "id": "7989f29a",
+   "id": "a88c43df",
    "metadata": {},
    "outputs": [],
    "source": [
@@ -145,7 +147,7 @@
   {
    "cell_type": "code",
    "execution_count": null,
-   "id": "c44764ae",
+   "id": "4933806d",
    "metadata": {},
    "outputs": [],
    "source": [
@@ -158,7 +160,7 @@
   {
    "cell_type": "code",
    "execution_count": null,
-   "id": "38e7d513",
+   "id": "a81cb54d",
    "metadata": {},
    "outputs": [],
    "source": [
@@ -176,7 +178,7 @@
   },
   {
    "cell_type": "markdown",
-   "id": "a9c695e4",
+   "id": "320eac56",
    "metadata": {},
    "source": [
     "## The end."
