Skip to content

Commit

Permalink
adding aws_irsa to S3CloudInterface and AwsCloudSnapshotInterface
Browse files Browse the repository at this point in the history
  • Loading branch information
smcaine committed Oct 9, 2024
1 parent 604743e commit ddab49d
Showing 1 changed file with 43 additions and 3 deletions.
46 changes: 43 additions & 3 deletions barman/cloud_providers/aws_s3.py
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@

import logging
import math
import os
import shutil
from io import RawIOBase

Expand Down Expand Up @@ -102,6 +103,7 @@ def __init__(
self,
url,
encryption=None,
aws_irsa=False,
jobs=2,
profile_name=None,
endpoint_url=None,
Expand All @@ -116,6 +118,8 @@ def __init__(
:param str url: Full URL of the cloud destination/source
:param str|None encryption: Encryption type string
:param bool|False aws_irsa: Amazon aws iam role for service account
should be used instead of profile_name
:param int jobs: How many sub-processes to use for asynchronous
uploading, defaults to 2.
:param str profile_name: Amazon auth profile identifier
Expand All @@ -134,6 +138,7 @@ def __init__(
tags=tags,
delete_batch_size=delete_batch_size,
)
self.aws_irsa = aws_irsa
self.profile_name = profile_name
self.encryption = encryption
self.endpoint_url = endpoint_url
Expand Down Expand Up @@ -161,7 +166,24 @@ def _reinit_session(self):
config_kwargs["read_timeout"] = self.read_timeout
config = Config(**config_kwargs)

session = boto3.Session(profile_name=self.profile_name)
if self.aws_irsa:
client = boto3.client('sts')
with open(os.getenv("AWS_WEB_IDENTITY_TOKEN_FILE"), 'r') as content_file:
web_identity_token = content_file.read()

response = client.assume_role_with_web_identity(
RoleArn=os.environ['AWS_ROLE_ARN'],
RoleSessionName='barman',
WebIdentityToken=web_identity_token,
# DurationSeconds=3600 # defaults to an hour, must not be greater than
# the iam role max duration session (this is also default 1 hour)
)
credentials = response['Credentials']
session = boto3.Session( aws_access_key_id=credentials['AccessKeyId'],
aws_secret_access_key=credentials['SecretAccessKey'],
aws_session_token=credentials['SessionToken'])
else:
session = boto3.Session(profile_name=self.profile_name)
self.s3 = session.resource("s3", endpoint_url=self.endpoint_url, config=config)

@property
Expand Down Expand Up @@ -463,7 +485,7 @@ class AwsCloudSnapshotInterface(CloudSnapshotInterface):
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-creating-snapshot.html
"""

def __init__(self, profile_name=None, region=None, await_snapshots_timeout=3600):
def __init__(self, aws_irsa=False, profile_name=None, region=None, await_snapshots_timeout=3600):
"""
Creates the client necessary for creating and managing snapshots.
Expand All @@ -472,7 +494,25 @@ def __init__(self, profile_name=None, region=None, await_snapshots_timeout=3600)
:param int await_snapshots_timeout: The maximum time in seconds to wait for
snapshots to complete.
"""
self.session = boto3.Session(profile_name=profile_name)
if aws_irsa:
client = boto3.client('sts')
with open(os.getenv("AWS_WEB_IDENTITY_TOKEN_FILE"), 'r') as content_file:
web_identity_token = content_file.read()

response = client.assume_role_with_web_identity(
RoleArn=os.environ['AWS_ROLE_ARN'],
RoleSessionName='barman',
WebIdentityToken=web_identity_token,
# DurationSeconds=3600 # defaults to an hour, must not be greater than
# the iam role max duration session (this is also default 1 hour)
)
credentials = response['Credentials']
self.session = boto3.Session( aws_access_key_id=credentials['AccessKeyId'],
aws_secret_access_key=credentials['SecretAccessKey'],
aws_session_token=credentials['SessionToken'])
else:
self.session = boto3.Session(profile_name=profile_name)

# If a specific region was provided then this overrides any region which may be
# defined in the profile
self.region = region or self.session.region_name
Expand Down

0 comments on commit ddab49d

Please sign in to comment.