Send AWS credentials via environment variables to indexer

0763c82f · Changzheng Liu · Dylan Griffith · f5489998 · 0763c82f · 0763c82f
Commit 0763c82f authored Jul 23, 2020 by Changzheng Liu Committed by Dylan Griffith Jul 23, 2020
5 changed files
--- a/ee/changelogs/unreleased/215292-cache-aws-creds.yml
+++ b/ee/changelogs/unreleased/215292-cache-aws-creds.yml
+---
+title: Send AWS credentials via environment variables to indexer
+merge_request: 36917
+author:
+type: changed
--- a/ee/lib/gitlab/elastic/client.rb
+++ b/ee/lib/gitlab/elastic/client.rb
@@ -3,6 +3,8 @@
 module Gitlab
  module Elastic
    module Client
+      extend Gitlab::Utils::StrongMemoize
+
      # Takes a hash as returned by `ApplicationSetting#elasticsearch_config`,
      # and configures itself based on those parameters
      def self.build(config)
@@ -32,13 +34,18 @@ module Gitlab

        return static_credentials if static_credentials&.set?

-        # When static credentials are not configured, Aws::CredentialProviderChain API
-        # will be used to retrieve credentials. It will check AWS access credential environment
+        # When static credentials are not configured, use Aws::CredentialProviderChain API
+        aws_credential_provider if aws_credential_provider&.set?
+      end
+
+      def self.aws_credential_provider
+        # Aws::CredentialProviderChain API will check AWS access credential environment
        # variables, AWS credential profile, ECS credential service and EC2 credential service.
        # Please see aws-sdk-core/lib/aws-sdk-core/credential_provider_chain.rb for details of
        # the possible providers and order of the providers.
-        instance_credentials = Aws::CredentialProviderChain.new.resolve
-        instance_credentials if instance_credentials&.set?
+        strong_memoize(:instance_credentials) do
+          Aws::CredentialProviderChain.new.resolve
+        end
      end
    end
  end

--- a/ee/lib/gitlab/elastic/indexer.rb
+++ b/ee/lib/gitlab/elastic/indexer.rb
@@ -109,11 +109,26 @@ module Gitlab
          'SSL_CERT_DIR'            => OpenSSL::X509::DEFAULT_CERT_DIR
        }

+        # Set AWS environment variables for IAM role authentication if present
+        vars = build_aws_credentials_env(vars)
+
        # Users can override default SSL certificate path via SSL_CERT_FILE SSL_CERT_DIR
-        # AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is used in AWS ECS to get credentials when making AWS API calls
-        %w(SSL_CERT_FILE SSL_CERT_DIR AWS_CONTAINER_CREDENTIALS_RELATIVE_URI).each_with_object(vars) do |key, hash|
-          hash[key] = ENV[key] if ENV.key?(key)
-        end
+        vars.merge(ENV.slice('SSL_CERT_FILE', 'SSL_CERT_DIR'))
+      end
+
+      def build_aws_credentials_env(vars)
+        # AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN need to be set as
+        # environment variable in case of using IAM role based authentication in AWS
+        # The credentials are buffered to prevent from hitting rate limit. They will be
+        # refreshed when expired
+        credentials = Gitlab::Elastic::Client.aws_credential_provider&.credentials
+        return vars unless credentials&.set?
+
+        vars.merge(
+          'AWS_ACCESS_KEY_ID' => credentials.access_key_id,
+          'AWS_SECRET_ACCESS_KEY' => credentials.secret_access_key,
+          'AWS_SESSION_TOKEN' => credentials.session_token
+        )
      end

      def last_commit

--- a/ee/spec/lib/gitlab/elastic/client_spec.rb
+++ b/ee/spec/lib/gitlab/elastic/client_spec.rb
@@ -78,7 +78,6 @@ RSpec.describe Gitlab::Elastic::Client do
          aws_region: 'us-east-1'
        }
      end
-      let(:credentials) { double(:aws_credentials, set?: true) }

      before do
        allow_next_instance_of(Aws::CredentialProviderChain) do |instance|
@@ -86,25 +85,63 @@ RSpec.describe Gitlab::Elastic::Client do
        end
      end

-      it 'returns credentials from Aws::CredentialProviderChain' do
-        expect(creds).to eq credentials
+      after do
+        described_class.clear_memoization(:instance_credentials)
      end

-      context 'when Aws::CredentialProviderChain returns unset credentials' do
-        let(:credentials) { double(:aws_credentials, set?: false) }
+      context 'when aws sdk provides credentials' do
+        let(:credentials) { double(:aws_credentials, set?: true) }

-        it 'returns nil' do
-          expect(creds).to be_nil
+        it 'return the credentials' do
+          expect(creds).to eq(credentials)
        end
      end

-      context 'when Aws::CredentialProviderChain returns nil' do
+      context 'when aws sdk does not provide credentials' do
        let(:credentials) { nil }

+        it 'return the credentials' do
+          expect(creds).to eq(nil)
+        end
+      end
+
+      context 'when Aws::CredentialProviderChain returns unset credentials' do
+        let(:credentials) { double(:aws_credentials, set?: false) }
+
        it 'returns nil' do
-          expect(creds).to be_nil
+          expect(creds).to eq(nil)
        end
      end
    end
  end
+
+  describe '.aws_credential_provider' do
+    let(:creds) { described_class.aws_credential_provider }
+
+    before do
+      allow_next_instance_of(Aws::CredentialProviderChain) do |instance|
+        allow(instance).to receive(:resolve).and_return(credentials)
+      end
+    end
+
+    after do
+      described_class.clear_memoization(:instance_credentials)
+    end
+
+    context 'when Aws::CredentialProviderChain returns set credentials' do
+      let(:credentials) { double(:aws_credentials) }
+
+      it 'returns credentials' do
+        expect(creds).to eq(credentials)
+      end
+    end
+
+    context 'when Aws::CredentialProviderChain returns nil' do
+      let(:credentials) { nil }
+
+      it 'returns nil' do
+        expect(creds).to eq(nil)
+      end
+    end
+  end
 end
--- a/ee/spec/lib/gitlab/elastic/indexer_spec.rb
+++ b/ee/spec/lib/gitlab/elastic/indexer_spec.rb
@@ -304,8 +304,10 @@ RSpec.describe Gitlab::Elastic::Indexer do
    let(:cert_dir) { '/fake/cert/dir' }

    before do
-      stub_env('SSL_CERT_FILE', cert_file)
-      stub_env('SSL_CERT_DIR', cert_dir)
+      allow(ENV).to receive(:slice).with('SSL_CERT_FILE', 'SSL_CERT_DIR').and_return({
+        'SSL_CERT_FILE' => cert_file,
+        'SSL_CERT_DIR' => cert_dir
+      })
    end

    context 'when building env vars for child process' do
@@ -317,19 +319,38 @@ RSpec.describe Gitlab::Elastic::Indexer do
    end
  end

-  context 'when AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is set' do
-    let(:aws_cred_relative_uri) { '/ecs/relative/cred/uri'}
+  context 'when no aws credentials available' do
+    subject { envvars }

    before do
-      stub_env('AWS_CONTAINER_CREDENTIALS_RELATIVE_URI', aws_cred_relative_uri)
+      allow(Gitlab::Elastic::Client).to receive(:aws_credential_provider).and_return(nil)
    end

-    context 'when building env vars for child process' do
-      subject { envvars }
+    it 'credentials env vars will not be included' do
+      expect(subject).not_to include('AWS_ACCESS_KEY_ID')
+      expect(subject).not_to include('AWS_SECRET_ACCESS_KEY')
+      expect(subject).not_to include('AWS_SESSION_TOKEN')
+    end
+  end

-      it 'AWS_CONTAINER_CREDENTIALS_RELATIVE_URI env vars will be included' do
-        expect(subject).to include('AWS_CONTAINER_CREDENTIALS_RELATIVE_URI' => aws_cred_relative_uri)
-      end
+  context 'when aws credentials are available' do
+    let(:access_key_id) { '012' }
+    let(:secret_access_key) { 'secret' }
+    let(:session_token) { 'token' }
+    let(:credentials) { Aws::Credentials.new(access_key_id, secret_access_key, session_token) }
+
+    subject { envvars }
+
+    before do
+      allow(Gitlab::Elastic::Client).to receive(:aws_credential_provider).and_return(credentials)
+    end
+
+    it 'credentials env vars will be included' do
+      expect(subject).to include({
+        'AWS_ACCESS_KEY_ID' => access_key_id,
+        'AWS_SECRET_ACCESS_KEY' => secret_access_key,
+        'AWS_SESSION_TOKEN' => session_token
+      })
    end
  end