feat: [ISS-2950] IAM auth for AWS redis #3029
Conversation
pkg/apis/options/options.go
Outdated
flagSet.Bool("redis-aws-use-iam-auth", false, "Use AWS IAM authentication for Redis. Must set --redis-aws-service-name, --redis-aws-cluster-name, & --redis-aws-username to use this feature") | ||
flagSet.String("redis-aws-service-name", "", "AWS service name for Redis IAM authentication - `elasticache` or `memorydb`") | ||
flagSet.String("redis-aws-cluster-name", "", "AWS cluster name for Redis IAM authentication") | ||
flagSet.String("redis-aws-username", "", "AWS username for Redis IAM authentication") |
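Review bot: the help text on `redis-aws-use-iam-auth` says the three companion flags must be set, but nothing in this region enforces it; options validation should reject `--redis-aws-use-iam-auth` with an empty service name, cluster name or username, and should reject a service name other than the two the help string names (`elasticache`, `memorydb`), so that a misconfiguration fails at startup instead of at the first Redis connection.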
Code climate is complaining that this function is too long now. Should the redis flags be extracted to their own flagSet?
Do we need these as flags/could they be added only to the alpha/structured configuration?
There's no need for them to be flags specifically. There is no session/redis config for the alpha config from what I can tell, but I can take a stab at adding that.
@JoelSpeed this was probably not the best call as session settings are only being introduced to the alpha config with one of my PRs
Issue now would be that we would introduce the AWS Redis support at the top level of the alpha config just to refactor / break the config API in a couple months again
Is there any possibility of this being reviewed/merged?
@JoelSpeed , I see you have a lot of contributions to this project. Is there any chance you could review this or explain what steps we would need to take to get a review? Without this, we will be forced to fork this repo for our organization. I know @willwill96 is amenable to making any changes that would make this MR easier for you guys to review. Thank you for reading.
@tuunit is there any expectation on when something like this could be reviewed? Is there anything we can do to make it easier or more straightforward on the maintainers? It seems like we are following the process, but we are open to whatever changes we might need to make. We are really really hoping to not have to fork it.
Hi @willwill96 / @rfahsel3, we are only one or two maintainers checking the PRs in our free time. Therefore it often takes quite some time before we get around to these things, and we prioritise bugfixes and generic changes over provider-specific ones. In the case of your change, we don't have an AWS account to validate the changes in your PR. I'll try to make some time for it :)
Thank you very much @tuunit . Your message makes a lot of sense.
Is there any way we can add testing locally to prove this is working? Is there a service that we could use to mock the AWS auth?
pkg/sessions/redis/aws-iam/auth.go
Outdated
hexEncodedSHA256EmptyString = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" | ||
) | ||
|
||
type IAMTokenGenerator struct { |
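Review bot: `hexEncodedSHA256EmptyString` carries no comment saying what it is for; one sentence noting that it is the SHA-256 of an empty body, passed as the payload hash when presigning a bodiless GET, saves the next reader from having to recognise the digest by eye. The exported `IAMTokenGenerator` also needs a doc comment, or, if nothing outside the package uses the concrete type, can be unexported and returned behind a small interface from `New`.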
Nit missing comment on exported struct
Does it actually need to be exported? Could be behind an interface?
pkg/sessions/redis/aws-iam/auth.go
Outdated
signer *v4.Signer | ||
} | ||
|
||
func New(serviceName, clusterName, userName string) (*IAMTokenGenerator, error) { |
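Review bot: `New(serviceName, clusterName, userName string) (*IAMTokenGenerator, error)` already returns an error, so input validation belongs here: an empty cluster or user name, or a service name other than the two documented values, should return an error from `New` rather than later producing a token signed for the wrong service. The exported function is also missing its doc comment.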
Missing comment on exported function
return "", fmt.Errorf("AWS IAM request signing failed - %v", err) | ||
} | ||
|
||
signedURL = strings.Replace(signedURL, "http://", "", 1) |
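Review bot: `fmt.Errorf("AWS IAM request signing failed - %v", err)` should use `%w` so callers can unwrap the signer's error, and `strings.Replace(signedURL, "http://", "", 1)` needs the explanatory comment the thread asks for; `strings.TrimPrefix` states the intent more precisely, since only a leading scheme is meant to go. Because the resulting value is the Redis AUTH credential, it must not end up in log lines or error messages.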
Can you add a comment explaining why we do this?
I couldn't find any docs explaining why this is recommended, but it is in many of the aws iam examples. For example here: https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/auth-iam.html#auth-iam-Connecting
This value is used as a bearer token so my best guess is that the http:// breaks the validation of that header in some way.
I will add a comment with a link to the aws docs
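To make the scheme-stripping step above concrete, here is an added stand-alone Go example (not the PR's code, which uses the AWS SDK's `v4.Signer`) that builds the same kind of token with the standard library only: a SigV4 query-presigned `GET http://<cluster>/?Action=connect&User=<user>` for the ElastiCache service, with the empty-body payload hash, followed by removal of the `http://` prefix. Credentials, region, cluster and user name in the test are constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"net/url"
	"strings"
	"time"
)

// emptyPayloadHash is hex(SHA-256("")): a presigned GET carries no body.
const emptyPayloadHash = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

func hmacSHA256(key []byte, msg string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return m.Sum(nil)
}

// ElastiCacheIAMToken presigns GET http://<cluster>/?Action=connect&User=<user>
// with SigV4 query parameters and strips the scheme. Constructed demo, not the PR's
// code; it assumes the query values need no escaping beyond what url.QueryEscape does.
func ElastiCacheIAMToken(service, region, cluster, user, accessKey, secretKey string, now time.Time) string {
	amzDate := now.UTC().Format("20060102T150405Z")
	scope := amzDate[:8] + "/" + region + "/" + service + "/aws4_request"
	q := url.Values{}
	q.Set("Action", "connect")
	q.Set("User", user)
	q.Set("X-Amz-Algorithm", "AWS4-HMAC-SHA256")
	q.Set("X-Amz-Credential", accessKey+"/"+scope)
	q.Set("X-Amz-Date", amzDate)
	q.Set("X-Amz-Expires", "900") // AWS documents a 15-minute token lifetime
	q.Set("X-Amz-SignedHeaders", "host")
	// Canonical request: url.Values.Encode sorts keys, which SigV4 requires.
	canonical := strings.Join([]string{"GET", "/", q.Encode(), "host:" + cluster + "\n", "host", emptyPayloadHash}, "\n")
	sum := sha256.Sum256([]byte(canonical))
	toSign := strings.Join([]string{"AWS4-HMAC-SHA256", amzDate, scope, hex.EncodeToString(sum[:])}, "\n")
	// Derive the signing key: HMAC chain over date, region, service, "aws4_request".
	key := hmacSHA256([]byte("AWS4"+secretKey), amzDate[:8])
	for _, part := range []string{region, service, "aws4_request"} {
		key = hmacSHA256(key, part)
	}
	q.Set("X-Amz-Signature", hex.EncodeToString(hmacSHA256(key, toSign)))
	// Redis AUTH takes the bare presigned URL, so drop "http://" as the AWS examples do.
	return strings.TrimPrefix("http://"+cluster+"/?"+q.Encode(), "http://")
}
```

The returned string is the value passed as the Redis password for the given user; it is a credential and should be handled like one.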
} | ||
return opts.AWSUsername, token | ||
} | ||
// AWS services has a max connection lifetime of 12 hours. This is set to 11 hours to give some buffer time |
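Review bot: the comment `AWS services has a max connection lifetime of 12 hours` should read `have`, and should state what it does not cover: `return opts.AWSUsername, token` generates a fresh token per call, so this must be wired as a per-connection credentials callback; if it were evaluated once at startup, the 11-hour lifetime would only recycle the TCP connection with a stale, long-expired token.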
I assume there's no action needed and the connection refreshes itself automatically after this period?
Yes, once the connection expires, the redis client will reconnect on the next request, using a regenerated auth token.
I haven't been able to find a way to test this locally. I investigated
I'll take a look at adding some unit tests to at least validate what we can. We are also going to try to put together a screen recording of the important parts working so that we can share here.
"github.com/stretchr/testify/require" | ||
) | ||
|
||
func TestAWSIAMTokenGenerator(t *testing.T) { |
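Review bot: `TestAWSIAMTokenGenerator` should use static credentials and a fixed clock so the produced token is deterministic, then assert that the token carries no `http://` prefix, that the configured user and cluster names appear in it, and that a failing signer surfaces as an error rather than an empty token; that covers the two behaviours visible in the diff without needing the AWS account the thread says the maintainers lack.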
I saw another OSS project add a similar unit test when they added IAM auth for postgres:
https://github.com/authzed/spicedb/pull/1858/files
Hi @JoelSpeed, Thank you for taking a look at our changes. I think that I have addressed your comments to the best of my ability, but happy to make additional changes if necessary. Additionally, I have sent an email to you & @tuunit containing a demo of the IAM auth changes, which I hope will inspire a bit more confidence in these changes. If you have any additional feedback or questions on these changes, I'm happy to help where I can. Best regards.
Signed-off-by: Jan Larwig <[email protected]>
@tuunit Thank you for pushing some updates to this MR. I've resolved the linting issues that were causing a build issue before and updated the changelog entry to reflect the latest minor version. Please let me know if there's anything else I can do to help.
Hi @tuunit ! I saw you made some contributions to this MR. Is this ready to merge?
@tuunit and @JoelSpeed , I'm sorry to be annoying, but we are really trying to figure out if we are going to fork this or not. We have a pretty hard deadline at the end of the month. I feel like we were making good progress by sending the video and working through the comments. Do we foresee this being merged in the next week, or should we plan on forking the repo? We just need to know for our planning.
Description
Adds configuration which allows OAuth2 Proxy to connect to AWS redis services using IAM auth.
Motivation and Context
This should be useful for organizations who use AWS IAM auth for redis connections.
Resolves #2950
How Has This Been Tested?
I primarily tested this in my organization's infrastructure. I may be able to get permission to screen share the before/after of these changes, if that's useful. Otherwise, I can try to get a setup working in my AWS cluster.
Checklist: