Update client.rb

Add process_credentials config Update client.rb Add process_credentials config Update README.md Update README.md Add unit test Update readme Add omission if aws-sdk-core version < 3.24.0 Make `process` attribute mandatory. Make `process` attribute mandatory.
awslabs · Apr 15, 2019 · 12bb957 · 12bb957
1 parent a75bdbc
commit 12bb957
Show file tree

Hide file tree

Showing 3 changed files with 73 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -241,6 +241,27 @@ Path to the shared file. Defaults to "#{Dir.home}/.aws/credentials".
 
 Defaults to 'default' or `[ENV]('AWS_PROFILE')`.
 
+### process_credentials
+
+This loads AWS access credentials from an external process.
+
+    <match *>
+      @type kinesis_streams
+
+      <process_credentials>
+        process CMD
+      </process_credentials>
+    </match>
+
+See also:
+
+*   [Aws::ProcessCredentials](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/ProcessCredentials.html)
+*   [Sourcing Credentials From External Processes](https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#sourcing-credentials-from-external-processes)
+
+**process (required)**
+
+Command to be executed as an external process.
+
 ## Configuration: Format
 
 ### format (section)

diff --git a/lib/fluent/plugin/kinesis_helper/client.rb b/lib/fluent/plugin/kinesis_helper/client.rb
@@ -63,6 +63,10 @@ module ClientParams
             desc "Profile name. Default to 'default' or ENV['AWS_PROFILE']"
             config_param :profile_name, :string, default: nil
           end
+          config_section :process_credentials, multi: false do
+            desc "External process to execute."
+            config_param :process, :string
+          end
         end
 
         def self.included(mod)
@@ -146,6 +150,10 @@ def setup_credentials
             credentials_options[:path] = c.path if c.path
             credentials_options[:profile_name] = c.profile_name if c.profile_name
             options[:credentials] = Aws::SharedCredentials.new(credentials_options)
+          when @process_credentials
+            c = @process_credentials
+            process = c.process
+            options[:credentials] = Aws::ProcessCredentials.new(process)
           else
             # Use default credentials
             # See http://docs.aws.amazon.com/sdkforruby/api/Aws/S3/Client.html

diff --git a/test/kinesis_helper/test_client.rb b/test/kinesis_helper/test_client.rb
@@ -16,7 +16,22 @@
 require 'fluent/plugin/kinesis_helper/client'
 
 class KinesisHelperClientTest < Test::Unit::TestCase
-  class Mock
+  class ProcessCredentials
+    def self.process
+      expiration = Time.now.utc + 3600
+      response = {
+          :SecretAccessKey => "secret",
+          :SessionToken => "session-token",
+          :Version => 1,
+          :Expiration => expiration.strftime('%Y-%m-%dT%H:%M:%SZ'),
+          :AccessKeyId => "akid"
+      }.to_json
+
+      "echo '#{response}'"
+    end
+  end
+
+  class MockClientInstanceProfile
     include Fluent::Plugin::KinesisHelper::Client
 
     def initialize
@@ -28,15 +43,26 @@ def request_type
     end
   end
 
+  class MockClientProcessCredentials
+    include Fluent::Plugin::KinesisHelper::Client
+
+    def initialize
+      @region = 'us-east-1'
+      @process_credentials = ProcessCredentials
+    end
+
+    def request_type
+      :firehose
+    end
+  end
+
   def self.startup
     Aws::Firehose::Client.new(region: 'us-east-1')
   end
 
   def setup
     WebMock.enable!
     FakeFS.activate!
-    @object = Mock.new
-    Aws.shared_config.fresh
   end
 
   def teardown
@@ -46,21 +72,31 @@ def teardown
   end
 
   def test_instance_profile
+    Aws.shared_config.fresh
     setup_instance_profile
-    credentials = @object.client.config.credentials
+    credentials = MockClientInstanceProfile.new.client.config.credentials
     assert_equal 'akid',          credentials.credentials.access_key_id
     assert_equal 'secret',        credentials.credentials.secret_access_key
     assert_equal 'session-token', credentials.credentials.session_token
   end
 
   def test_instance_profile_refresh
+    Aws.shared_config.fresh
     setup_instance_profile(Time.now.utc + 299)
-    credentials = @object.client.config.credentials
+    credentials = MockClientInstanceProfile.new.client.config.credentials
     assert_equal 'akid-2',          credentials.credentials.access_key_id
     assert_equal 'secret-2',        credentials.credentials.secret_access_key
     assert_equal 'session-token-2', credentials.credentials.session_token
   end
 
+  def test_process_credentials
+    omit_if(Gem::Version.new(Aws::CORE_GEM_VERSION) < Gem::Version.new('3.24.0'))
+    credentials = MockClientProcessCredentials.new.client.config.credentials
+    assert_equal 'akid',          credentials.credentials.access_key_id
+    assert_equal 'secret',        credentials.credentials.secret_access_key
+    assert_equal 'session-token', credentials.credentials.session_token
+  end
+
   private
 
   def setup_instance_profile(expiration = Time.now.utc + 3600)
@@ -89,9 +125,9 @@ def setup_instance_profile(expiration = Time.now.utc + 3600)
     JSON
     path = '/latest/meta-data/iam/security-credentials/'
     stub_request(:get, "http://169.254.169.254#{path}").
-      to_return(:status => 200, :body => "profile-name\n")
+        to_return(:status => 200, :body => "profile-name\n")
     stub_request(:get, "http://169.254.169.254#{path}profile-name").
-      to_return(:status => 200, :body => resp).
-      to_return(:status => 200, :body => resp2)
+        to_return(:status => 200, :body => resp).
+        to_return(:status => 200, :body => resp2)
   end
 end