diff --git a/barman/cloud_providers/aws_s3.py b/barman/cloud_providers/aws_s3.py index 7cf4cb330..8a7f94f2b 100644 --- a/barman/cloud_providers/aws_s3.py +++ b/barman/cloud_providers/aws_s3.py @@ -18,6 +18,7 @@ import logging import math +import os import shutil from io import RawIOBase @@ -102,6 +103,7 @@ def __init__( self, url, encryption=None, + aws_irsa=False, jobs=2, profile_name=None, endpoint_url=None, @@ -116,6 +118,8 @@ def __init__( :param str url: Full URL of the cloud destination/source :param str|None encryption: Encryption type string + :param bool|False aws_irsa: Amazon aws iam role for service account + should be used instead of profile_name :param int jobs: How many sub-processes to use for asynchronous uploading, defaults to 2. :param str profile_name: Amazon auth profile identifier @@ -134,6 +138,7 @@ def __init__( tags=tags, delete_batch_size=delete_batch_size, ) + self.aws_irsa = aws_irsa self.profile_name = profile_name self.encryption = encryption self.endpoint_url = endpoint_url @@ -161,7 +166,24 @@ def _reinit_session(self): config_kwargs["read_timeout"] = self.read_timeout config = Config(**config_kwargs) - session = boto3.Session(profile_name=self.profile_name) + if self.aws_irsa: + client = boto3.client('sts') + with open(os.getenv("AWS_WEB_IDENTITY_TOKEN_FILE"), 'r') as content_file: + web_identity_token = content_file.read() + + response = client.assume_role_with_web_identity( + RoleArn=os.environ['AWS_ROLE_ARN'], + RoleSessionName='barman', + WebIdentityToken=web_identity_token, + # DurationSeconds=3600 # defaults to an hour, must not be greater than + # the iam role max duration session (this is also default 1 hour) + ) + credentials = response['Credentials'] + session = boto3.Session( aws_access_key_id=credentials['AccessKeyId'], + aws_secret_access_key=credentials['SecretAccessKey'], + aws_session_token=credentials['SessionToken']) + else: + session = boto3.Session(profile_name=self.profile_name) self.s3 = session.resource("s3", endpoint_url=self.endpoint_url, config=config) @property @@ -463,7 +485,7 @@ class AwsCloudSnapshotInterface(CloudSnapshotInterface): https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-creating-snapshot.html """ - def __init__(self, profile_name=None, region=None, await_snapshots_timeout=3600): + def __init__(self, aws_irsa=False, profile_name=None, region=None, await_snapshots_timeout=3600): """ Creates the client necessary for creating and managing snapshots. @@ -472,7 +494,25 @@ def __init__(self, profile_name=None, region=None, await_snapshots_timeout=3600) :param int await_snapshots_timeout: The maximum time in seconds to wait for snapshots to complete. """ - self.session = boto3.Session(profile_name=profile_name) + if aws_irsa: + client = boto3.client('sts') + with open(os.getenv("AWS_WEB_IDENTITY_TOKEN_FILE"), 'r') as content_file: + web_identity_token = content_file.read() + + response = client.assume_role_with_web_identity( + RoleArn=os.environ['AWS_ROLE_ARN'], + RoleSessionName='barman', + WebIdentityToken=web_identity_token, + # DurationSeconds=3600 # defaults to an hour, must not be greater than + # the iam role max duration session (this is also default 1 hour) + ) + credentials = response['Credentials'] + self.session = boto3.Session( aws_access_key_id=credentials['AccessKeyId'], + aws_secret_access_key=credentials['SecretAccessKey'], + aws_session_token=credentials['SessionToken']) + else: + self.session = boto3.Session(profile_name=profile_name) + # If a specific region was provided then this overrides any region which may be # defined in the profile self.region = region or self.session.region_name