From b0b2e2f056ca2e2a1814d5d7f692e24c93a9bef5 Mon Sep 17 00:00:00 2001
From: Michael Smith
Date: Thu, 14 Apr 2022 11:05:39 -0400
Subject: [PATCH 1/3] Added ability to assume another role for possible cross account usage
---
 .../kplserver/KinesisEventPublisher.java | 40 ++++++++++++++++++-
 1 file changed, 39 insertions(+), 1 deletion(-)
diff --git a/src/main/java/com/warnermedia/kplserver/KinesisEventPublisher.java b/src/main/java/com/warnermedia/kplserver/KinesisEventPublisher.java
index 077b008..fc27bc4 100644
--- a/src/main/java/com/warnermedia/kplserver/KinesisEventPublisher.java
+++ b/src/main/java/com/warnermedia/kplserver/KinesisEventPublisher.java
@@ -1,10 +1,20 @@
 package com.warnermedia.kplserver;
+import com.amazonaws.auth.AWSCredentialsProvider;
+import com.amazonaws.auth.AWSStaticCredentialsProvider;
+import com.amazonaws.auth.BasicSessionCredentials;
+import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
+import com.amazonaws.auth.profile.ProfileCredentialsProvider;
 import com.amazonaws.services.kinesis.producer.KinesisProducer;
 import com.amazonaws.services.kinesis.producer.KinesisProducerConfiguration;
 import com.amazonaws.services.kinesis.producer.UserRecord;
 import com.amazonaws.services.kinesis.producer.UserRecordFailedException;
 import com.amazonaws.services.kinesis.producer.UserRecordResult;
+import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
+import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceAsyncClientBuilder;
+import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
+import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
+import com.amazonaws.services.securitytoken.model.Credentials;
 import com.google.common.util.concurrent.FutureCallback;
 import com.google.common.util.concurrent.Futures;
 import com.google.common.util.concurrent.ListenableFuture;
@@ -40,10 +50,38 @@ public KinesisEventPublisher(String stream, String region, String metricsLevel,
 this.stream = stream;
 kinesis = new KinesisProducer(new KinesisProducerConfiguration()
 .setRegion(region)
- .setMetricsLevel(metricsLevel));
+ .setMetricsLevel(metricsLevel)
+ .setCredentialsProvider(loadCredentials(false)));
 this.errSocket = errSocket;
 }
+ private static AWSCredentialsProvider loadCredentials(boolean isLocal) {
+ final AWSCredentialsProvider credentialsProvider;
+ if (isLocal) {
+ AWSSecurityTokenService stsClient = AWSSecurityTokenServiceAsyncClientBuilder.standard()
+ .withCredentials(new ProfileCredentialsProvider("nonprodjump"))
+ .withRegion("us-east-1")
+ .build();
+
+ AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest().withDurationSeconds(3600)
+ .withRoleArn("arn:aws:iam::373762790913:role/doppler-video-lcluseast1")
+ .withRoleSessionName("Kinesis_Session");
+
+ AssumeRoleResult assumeRoleResult = stsClient.assumeRole(assumeRoleRequest);
+ Credentials creds = assumeRoleResult.getCredentials();
+
+ credentialsProvider = new AWSStaticCredentialsProvider(
+ new BasicSessionCredentials(creds.getAccessKeyId(),
+ creds.getSecretAccessKey(),
+ creds.getSessionToken())
+ );
+ } else {
+ credentialsProvider = new DefaultAWSCredentialsProviderChain();
+ }
+
+ return credentialsProvider;
+ }
+
 public void runOnce(String line) throws Exception {
 // add new line so that downstream systems have an easier time parsing
 String finalLine = line + "\n";
From 40861ae9b344d9237c8a1c46efb18da57b527ac1 Mon Sep 17 00:00:00 2001
From: Michael Smith
Date: Thu, 14 Apr 2022 11:19:10 -0400
Subject: [PATCH 2/3] Modified code to default to a local and then requires the cross account role to use assume code.
---
 src/main/java/com/warnermedia/kplserver/App.java | 9 ++++++++-
 .../kplserver/KinesisEventPublisher.java | 16 +++++++++++-----
 2 files changed, 19 insertions(+), 6 deletions(-)
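Review bot: The credentials built in the `isLocal` branch are a one-shot `assumeRole` result frozen into an `AWSStaticCredentialsProvider`, so they expire at the end of the `withDurationSeconds(3600)` window and are never refreshed; a KinesisProducer that runs longer than an hour will then fail every put with an expired-token error. The SDK's refreshing `STSAssumeRoleSessionCredentialsProvider` (in `com.amazonaws.auth`, shipped with the STS module that the `aws-java-sdk` bundle in pom.xml should already include) re-assumes the role before expiry, so the whole `AssumeRoleRequest`/`AssumeRoleResult`/`BasicSessionCredentials` block reduces to `credentialsProvider = new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, "Kinesis_Session").withStsClient(stsClient).withRoleSessionDurationSeconds(3600).build();`. The fixed `Kinesis_Session` name is what CloudTrail records for every instance of this service, so folding in something per-instance such as the hostname would make the assume-role events attributable. The hard-coded account ARN, `nonprodjump` profile and `us-east-1` STS region are lifted by the next two commits in this series, but the expiry problem survives them.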
diff --git a/src/main/java/com/warnermedia/kplserver/App.java b/src/main/java/com/warnermedia/kplserver/App.java
index 44f6ca2..d552c1c 100644
--- a/src/main/java/com/warnermedia/kplserver/App.java
+++ b/src/main/java/com/warnermedia/kplserver/App.java
@@ -25,7 +25,7 @@ public static void main(String[] args) throws Exception {
 ServerSocket errSocket = new ServerSocket(port);
 errSocket.setSoTimeout(100);
- KinesisEventPublisher kinesisEventPublisher = new KinesisEventPublisher(stream, getRegion(), getMetricsLevel(), errSocket);
+ KinesisEventPublisher kinesisEventPublisher = new KinesisEventPublisher(stream, getRegion(), getMetricsLevel(), getCrossAccountRole(), errSocket);
 // graceful shutdowns
 Runtime.getRuntime().addShutdownHook(new Thread() {
@@ -88,4 +88,11 @@ static String getMetricsLevel() {
 return p;
 }
+ static String getCrossAccountRole() {
+ String p = System.getenv("CROSS_ACCOUNT_ROLE");
+ if (p == null || p.equals("")) {
+ return "";
+ }
+ return p;
+ }
 }
diff --git a/src/main/java/com/warnermedia/kplserver/KinesisEventPublisher.java b/src/main/java/com/warnermedia/kplserver/KinesisEventPublisher.java
index fc27bc4..6aca65c 100644
--- a/src/main/java/com/warnermedia/kplserver/KinesisEventPublisher.java
+++ b/src/main/java/com/warnermedia/kplserver/KinesisEventPublisher.java
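Review bot: `getCrossAccountRole` turns a missing or empty `CROSS_ACCOUNT_ROLE` into `""`, which `loadCredentials` later reads as "no cross-account role", but that convention is not stated anywhere and a whitespace-only value slips through and reaches STS as a malformed ARN at the first `assumeRole` call. A one-line Javadoc on the method, `/** Role ARN to assume for cross-account Kinesis access; empty when CROSS_ACCOUNT_ROLE is unset or blank, in which case the default credential chain is used. */`, plus `return p == null ? "" : p.trim();` in place of the `if`, would state the contract and drop the redundant branch that returns `""` for `""`. Whether a blank value should instead abort startup is a call for the owners; today it fails later, inside the KinesisEventPublisher constructor.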
@@ -46,25 +46,31 @@ public class KinesisEventPublisher {
 ServerSocket errSocket;
 Socket errClient;
- public KinesisEventPublisher(String stream, String region, String metricsLevel, ServerSocket errSocket) {
+ public KinesisEventPublisher(String stream, String region, String metricsLevel, String crossAccountRole, ServerSocket errSocket) {
 this.stream = stream;
 kinesis = new KinesisProducer(new KinesisProducerConfiguration()
 .setRegion(region)
 .setMetricsLevel(metricsLevel)
- .setCredentialsProvider(loadCredentials(false)));
+ .setCredentialsProvider(loadCredentials(crossAccountRole)));
 this.errSocket = errSocket;
 }
- private static AWSCredentialsProvider loadCredentials(boolean isLocal) {
+ private static AWSCredentialsProvider loadCredentials(String crossAccountRole) {
 final AWSCredentialsProvider credentialsProvider;
- if (isLocal) {
+
+ Boolean isCrossAccount = false;
+ if (!crossAccountRole.equals("")) {
+ isCrossAccount = true;
+ }
+
+ if (isCrossAccount) {
 AWSSecurityTokenService stsClient = AWSSecurityTokenServiceAsyncClientBuilder.standard()
 .withCredentials(new ProfileCredentialsProvider("nonprodjump"))
 .withRegion("us-east-1")
 .build();
 AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest().withDurationSeconds(3600)
- .withRoleArn("arn:aws:iam::373762790913:role/doppler-video-lcluseast1")
+ .withRoleArn(crossAccountRole)
 .withRoleSessionName("Kinesis_Session");
 AssumeRoleResult assumeRoleResult = stsClient.assumeRole(assumeRoleRequest);
From 7700ac4156203c942c00336b3dee629ae808d21f Mon Sep 17 00:00:00 2001
From: Michael Smith
Date: Thu, 14 Apr 2022 12:04:02 -0400
Subject: [PATCH 3/3] updated libraries and small tweak
---
 pom.xml | 4 ++--
 .../com/warnermedia/kplserver/KinesisEventPublisher.java | 7 +++----
 2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/pom.xml b/pom.xml
index 97d7975..5c46b9d 100644
--- a/pom.xml
+++ b/pom.xml
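Review bot: `loadCredentials` dereferences `crossAccountRole` in `!crossAccountRole.equals("")` with no null check, and the only guard is in `App`, which passes `""` for an unset variable; the constructor is public, so any other caller that passes `null` gets a NullPointerException from inside the KinesisProducer setup. The boxed `Boolean` flag and the three-line `if` that sets it reduce to one null-safe line, `final boolean isCrossAccount = crossAccountRole != null && !crossAccountRole.isEmpty();`. The new constructor parameter also wants a Javadoc `@param crossAccountRole` stating that an empty value means the `DefaultAWSCredentialsProviderChain` is used and any other value is the role ARN to assume. Note that in this commit the ARN now comes from the environment while the STS call itself is still signed with the hard-coded `nonprodjump` profile, so the cross-account path can only work on a machine that has that profile; the function body continues past the end of the hunk.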
@@ -26,12 +26,12 @@ com.amazonaws amazon-kinesis-producer - 0.14.0 + 0.14.12 com.amazonaws aws-java-sdk - 1.11.327 + 1.12.198 javax.xml.bind
diff --git a/src/main/java/com/warnermedia/kplserver/KinesisEventPublisher.java b/src/main/java/com/warnermedia/kplserver/KinesisEventPublisher.java
index 6aca65c..be8ec5b 100644
--- a/src/main/java/com/warnermedia/kplserver/KinesisEventPublisher.java
+++ b/src/main/java/com/warnermedia/kplserver/KinesisEventPublisher.java
@@ -51,11 +51,11 @@ public KinesisEventPublisher(String stream, String region, String metricsLevel,
 kinesis = new KinesisProducer(new KinesisProducerConfiguration()
 .setRegion(region)
 .setMetricsLevel(metricsLevel)
- .setCredentialsProvider(loadCredentials(crossAccountRole)));
+ .setCredentialsProvider(loadCredentials(crossAccountRole, region)));
 this.errSocket = errSocket;
 }
- private static AWSCredentialsProvider loadCredentials(String crossAccountRole) {
+ private static AWSCredentialsProvider loadCredentials(String crossAccountRole, String region) {
 final AWSCredentialsProvider credentialsProvider;
 Boolean isCrossAccount = false;
@@ -65,8 +65,7 @@ private static AWSCredentialsProvider loadCredentials(String crossAccountRole) {
 if (isCrossAccount) {
 AWSSecurityTokenService stsClient = AWSSecurityTokenServiceAsyncClientBuilder.standard()
- .withCredentials(new ProfileCredentialsProvider("nonprodjump"))
- .withRegion("us-east-1")
+ .withRegion(region)
 .build();
 AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest().withDurationSeconds(3600)
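Review bot: With the `ProfileCredentialsProvider` removed, the STS client in this hunk now signs `assumeRole` with the same default chain the non-cross-account branch uses, which is the right shape for a deployed service but leaves an unstated requirement that belongs in a comment above `if (isCrossAccount)`: `// The caller identity from the default chain must be allowed sts:AssumeRole on crossAccountRole, and that role's trust policy must name it.` `AWSSecurityTokenServiceAsyncClientBuilder` is used only for one blocking `assumeRole` call, so `AWSSecurityTokenServiceClientBuilder.standard().withRegion(region).build()` gives the plain synchronous client without the async executor the async builder otherwise carries (the import changes accordingly). If the target role's trust policy carries an `sts:ExternalId` condition, the request on the last line of the hunk also needs `.withExternalId(...)`; nothing on this page shows whether it does, so this is for the owners to confirm. The assumed credentials are still frozen into a static provider outside this hunk, so `withDurationSeconds(3600)` here is also the lifetime of the producer's ability to publish; the function continues past the end of the hunk.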