Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package aws-efs-utils for openSUSE:Factory checked in at 2023-04-01 19:32:14 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/aws-efs-utils (Old) and /work/SRC/openSUSE:Factory/.aws-efs-utils.new.9019 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "aws-efs-utils" Sat Apr 1 19:32:14 2023 rev:15 rq:1076546 version:1.35.0 Changes: -------- --- /work/SRC/openSUSE:Factory/aws-efs-utils/aws-efs-utils.changes 2023-01-25 18:03:46.774767587 +0100 +++ /work/SRC/openSUSE:Factory/.aws-efs-utils.new.9019/aws-efs-utils.changes 2023-04-01 19:32:15.377351941 +0200 @@ -1,0 +2,9 @@ +Fri Mar 31 08:49:42 UTC 2023 - John Paul Adrian Glaubitz <adrian.glaub...@suse.com> + +- Update to version 1.35.0 + * Add parameters to allow mount fo pod impersonation feature in EFS CSI Driver + * Updated the README with support of Oracle8 distribution + * Readme troubleshooting section + table of contents + * Add efs-utils Support for MacOS Ventura EC2 instances + +------------------------------------------------------------------- Old: ---- efs-utils-1.34.5.tar.gz New: ---- efs-utils-1.35.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ aws-efs-utils.spec ++++++ --- /var/tmp/diff_new_pack.cY6eKb/_old 2023-04-01 19:32:15.925354817 +0200 +++ /var/tmp/diff_new_pack.cY6eKb/_new 2023-04-01 19:32:15.929354838 +0200 @@ -17,7 +17,7 @@ Name: aws-efs-utils -Version: 1.34.5 +Version: 1.35.0 Release: 0 Summary: Utilities for using the EFS file systems License: MIT ++++++ efs-utils-1.34.5.tar.gz -> efs-utils-1.35.0.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.34.5/README.md new/efs-utils-1.35.0/README.md --- old/efs-utils-1.34.5/README.md 2023-01-06 20:49:31.000000000 +0100 +++ new/efs-utils-1.35.0/README.md 2023-03-16 19:07:54.000000000 +0100 
@@ -6,28 +6,29 @@ The `efs-utils` package has been verified against the following Linux distributions: -| Distribution | Package Type | `init` System | -| ------------ | ------------ | ------------- | +| Distribution | Package Type | `init` System | +|----------------------| ----- | --------- | | Amazon Linux 2017.09 | `rpm` | `upstart` | -| Amazon Linux 2 | `rpm` | `systemd` | -| CentOS 7 | `rpm` | `systemd` | -| CentOS 8 | `rpm` | `systemd` | -| RHEL 7 | `rpm`| `systemd` | -| RHEL 8 | `rpm`| `systemd` | -| Fedora 28 | `rpm` | `systemd` | -| Fedora 29 | `rpm` | `systemd` | -| Fedora 30 | `rpm` | `systemd` | -| Fedora 31 | `rpm` | `systemd` | -| Fedora 32 | `rpm` | `systemd` | -| Debian 9 | `deb` | `systemd` | -| Debian 10 | `deb` | `systemd` | -| Ubuntu 16.04 | `deb` | `systemd` | -| Ubuntu 18.04 | `deb` | `systemd` | -| Ubuntu 20.04 | `deb` | `systemd` | -| OpenSUSE Leap | `rpm` | `systemd` | -| OpenSUSE Tumbleweed | `rpm` | `systemd` | -| SLES 12 | `rpm` | `systemd` | -| SLES 15 | `rpm` | `systemd` | +| Amazon Linux 2 | `rpm` | `systemd` | +| CentOS 7 | `rpm` | `systemd` | +| CentOS 8 | `rpm` | `systemd` | +| RHEL 7 | `rpm`| `systemd` | +| RHEL 8 | `rpm`| `systemd` | +| Fedora 28 | `rpm` | `systemd` | +| Fedora 29 | `rpm` | `systemd` | +| Fedora 30 | `rpm` | `systemd` | +| Fedora 31 | `rpm` | `systemd` | +| Fedora 32 | `rpm` | `systemd` | +| Debian 9 | `deb` | `systemd` | +| Debian 10 | `deb` | `systemd` | +| Ubuntu 16.04 | `deb` | `systemd` | +| Ubuntu 18.04 | `deb` | `systemd` | +| Ubuntu 20.04 | `deb` | `systemd` | +| OpenSUSE Leap | `rpm` | `systemd` | +| OpenSUSE Tumbleweed | `rpm` | `systemd` | +| Oracle8 | `rpm` | `systemd` | +| SLES 12 | `rpm` | `systemd` | +| SLES 15 | `rpm` | `systemd` | The `efs-utils` package has been verified against the following MacOS distributions: 
@@ -35,6 +36,44 @@ | -------------- | ------------- | | MacOS Big Sur | `launchd` | | MacOS Monterey | `launchd` | +| MacOS Ventura | `launchd` | + +## README contents + - [Prerequisites](#prerequisites) + - [Optional](#optional) + - [Installation](#installation) + - [On Amazon Linux distributions](#on-amazon-linux-distributions) + - [Install via AWS Systems Manager Distributor](#install-via-aws-systems-manager-distributor) + - [On other Linux distributions](#on-other-linux-distributions) + - [On MacOS Big Sur, macOS Monterey and macOS Ventura distribution](#on-macos-big-sur-macos-monterey-and-macos-ventura-distribution) + - [Run tests](#run-tests) + - [Usage](#usage) + - [mount.efs](#mountefs) + - [MacOS](#macos) + - [amazon-efs-mount-watchdog](#amazon-efs-mount-watchdog) + - [Troubleshooting](#troubleshooting) + - [Upgrading stunnel for RHEL/CentOS](#upgrading-stunnel-for-rhelcentos) + - [Upgrading stunnel for SLES12](#upgrading-stunnel-for-sles12) + - [Upgrading stunnel for MacOS](#upgrading-stunnel-for-macos) + - [Install botocore](#install-botocore) + - [RPM](#rpm) + - [DEB](#deb) + - [On Debian10 and Ubuntu20, the botocore needs to be installed in specific target folder](#on-debian10-and-ubuntu20-the-botocore-needs-to-be-installed-in-specific-target-folder) + - [To install botocore on MacOS](#to-install-botocore-on-macos) + - [Upgrade botocore](#upgrade-botocore) + - [Enable mount success/failure notification via CloudWatch log](#enable-mount-successfailure-notification-via-cloudwatch-log) + - [Step 1. Install botocore](#step-1-install-botocore) + - [Step 2. Enable CloudWatch log feature in efs-utils config file `/etc/amazon/efs/efs-utils.conf`](#step-2-enable-cloudwatch-log-feature-in-efs-utils-config-file-etcamazonefsefs-utilsconf) + - [Step 3. 
Attach the CloudWatch logs policy to the IAM role attached to instance.](#step-3-attach-the-cloudwatch-logs-policy-to-the-iam-role-attached-to-instance) + - [Optimize readahead max window size on Linux 5.4+](#optimize-readahead-max-window-size-on-linux-54) + - [Using botocore to retrieve mount target ip address when dns name cannot be resolved](#using-botocore-to-retrieve-mount-target-ip-address-when-dns-name-cannot-be-resolved) + - [Step 1. Install botocore](#step-1-install-botocore-1) + - [Step 2. Allow DescribeMountTargets and DescribeAvailabilityZones action in the IAM policy](#step-2-allow-describemounttargets-and-describeavailabilityzones-action-in-the-iam-policy) + - [The way to access instance metadata](#the-way-to-access-instance-metadata) + - [Use the assumed profile credentials for IAM](#use-the-assumed-profile-credentials-for-iam) + - [Enabling FIPS Mode](#enabling-fips-mode) + - [License Summary](#license-summary) + ## Prerequisites 
@@ -117,31 +156,20 @@ $ sudo apt-get -y install ./build/amazon-efs-utils*deb ``` -### On MacOS Big Sur and macOS Monterey distribution +### On MacOS Big Sur, macOS Monterey and macOS Ventura distribution -For EC2 Mac instances running macOS Big Sur and macOS Monterey, you can install amazon-efs-utils from the +For EC2 Mac instances running macOS Big Sur, macOS Monterey and macOS Ventura, you can install amazon-efs-utils from the [homebrew-aws](https://github.com/aws/homebrew-aws) respository. **Note that this will ONLY work on EC2 instances -running macOS Big Sur and macOS Monterey, not local Mac computers.** +running macOS Big Sur, macOS Monterey and macOS Ventura, not local Mac computers.** ```bash brew install amazon-efs-utils ``` -This will install amazon-efs-utils on your EC2 Mac Instance running macOS Big Sur and macOS Monterey in the directory `/usr/local/Cellar/amazon-efs-utils`. At the end of the installation, it will print a set of commands that must be executed in order to start using efs-utils. The instructions that are printed after amazon-efs-utils and must be executed are: - +This will install amazon-efs-utils on your EC2 Mac Instance running macOS Big Sur, macOS Monterey and macOS Ventura in the directory `/usr/local/Cellar/amazon-efs-utils`. 
+ +***Follow the instructions in caveats when using efs-utils on EC2 Mac instance for the first time.*** To check the package caveats run below command ```bash -# Perform below actions to start using efs: - sudo mkdir -p /Library/Filesystems/efs.fs/Contents/Resources - sudo ln -s /usr/local/bin/mount.efs /Library/Filesystems/efs.fs/Contents/Resources/mount_efs - -# Perform below actions to stop using efs: - sudo rm /Library/Filesystems/efs.fs/Contents/Resources/mount_efs - -# To enable watchdog for using TLS mounts: - sudo cp /usr/local/Cellar/amazon-efs-utils/<version>/libexec/amazon-efs-mount-watchdog.plist /Library/LaunchAgents - sudo launchctl load /Library/LaunchAgents/amazon-efs-mount-watchdog.plist - -# To disable watchdog for using TLS mounts: - sudo launchctl unload /Library/LaunchAgents/amazon-efs-mount-watchdog.plist +brew info amazon-efs-utils ``` #### Run tests 
@@ -246,6 +274,18 @@ `efs-utils` contains a watchdog process to monitor the health of TLS mounts. This process is managed by either `upstart` or `systemd` depending on your Linux distribution and `launchd` on Mac distribution, and is started automatically the first time an EFS file system is mounted over TLS. +## Troubleshooting +If you run into a problem with efs-utils, please open an issue in this repository. We can more easily +assist you if relevant logs are provided. You can find the log file at `/var/log/amazon/efs/mount.log`. + +Often times, enabling debug level logging can help us find problems more easily. To do this, run +`sed -i '/logging_level = INFO/s//logging_level = DEBUG/g' /etc/amazon/efs/efs-utils.conf`. + +You can also enable stunnel debug logs with +`sed -i '/stunnel_debug_enabled = false/s//stunnel_debug_enabled = true/g' /etc/amazon/efs/efs-utils.conf`. + +Make sure to perform the failed mount again after running the prior commands before pulling the logs. + ## Upgrading stunnel for RHEL/CentOS By default, when using the EFS mount helper with TLS, it enforces certificate hostname checking. The EFS mount helper uses the `stunnel` program for its TLS functionality. Please note that some versions of Linux do not include a version of `stunnel` that supports TLS features by default. When using such a Linux version, mounting an EFS file system using TLS will fail. 
@@ -353,7 +393,13 @@ - For MacOS: ```bash -sudo sed -i -e '/\[cloudwatch-log\]/{N;s/# enabled = true/enabled = true/;}' /usr/local/Cellar/amazon-efs-utils/<version>/libexec/etc/amazon/efs/efs-utils.conf + EFS_UTILS_VERSION=<e.g. 1.34.5> + sudo sed -i -e '/\[cloudwatch-log\]/{N;s/# enabled = true/enabled = true/;}' /usr/local/Cellar/amazon-efs-utils/${EFS_UTILS_VERSION}/libexec/etc/amazon/efs/efs-utils.conf +``` +- For Mac2 instance: +```bash + EFS_UTILS_VERSION=<e.g. 1.34.5> + sudo sed -i -e '/\[cloudwatch-log\]/{N;s/# enabled = true/enabled = true/;}' /opt/homebrew/Cellar/amazon-efs-utils/${EFS_UTILS_VERSION}/libexec/etc/amazon/efs/efs-utils.conf ``` You can also configure CloudWatch log group name and log retention days in the config file. If you want to have separate log groups in Cloudwatch for every mounted file system, add `/{fs_id}` to the end of the `log_group_name` field in `efs-utils.conf` file. For example, the `log_group_name` in `efs-utils.conf` file would look something like: @@ -362,7 +408,6 @@ [cloudwatch-log] log_group_name = /aws/efs/utils/{fs_id} ``` - ### Step 3. Attach the CloudWatch logs policy to the IAM role attached to instance. Attach AWS managed policy `AmazonElasticFileSystemsUtils` to the iam role you attached to the instance, or the aws credentials configured on your instance. 
@@ -478,6 +523,22 @@ credential_source = Ec2InstanceMetadata ``` +## Use AssumeRoleWithWebIdentity + +You can use [web identity to assume a role](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html) which has the permission to attach to the EFS filesystem. You need to have a valid JWT token and a role arn to assume. There are two ways you can leverage them: + +1) By setting environment variable the path to the file containing the JWT token in `AWS_WEB_IDENTITY_TOKEN_FILE` and by setting `ROLE_ARN` environment variable. The command below shows an example of to leverage it. + +```bash +$ sudo mount -t efs -o tls,iam file-system-id efs-mount-point/ +``` + +2) By passing the JWT token file path and the role arn as parameters to the mount command. The command below shows an example of to leverage it. + +```bash +$ sudo mount -t efs -o tls,iam,rolearn="ROLE_ARN",jwtpath="PATH/JWT_TOKEN_FILE" file-system-id efs-mount-point/ +``` + ## Enabling FIPS Mode Efs-Utils is able to enter FIPS mode when mounting your file system. To enable FIPS you need to modify the EFS-Utils config file: ```bash @@ -496,6 +557,7 @@ ``` For more information on how to configure OpenSSL with FIPS see the [OpenSSL FIPS README](https://github.com/openssl/openssl/blob/master/README-FIPS.md). + ## License Summary This code is made available under the MIT license. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.34.5/amazon-efs-utils.spec new/efs-utils-1.35.0/amazon-efs-utils.spec --- old/efs-utils-1.34.5/amazon-efs-utils.spec 2023-01-06 20:49:31.000000000 +0100 +++ new/efs-utils-1.35.0/amazon-efs-utils.spec 2023-03-16 19:07:54.000000000 +0100 @@ -35,7 +35,7 @@ %endif Name : amazon-efs-utils -Version : 1.34.5 +Version : 1.35.0 Release : 1%{platform} Summary : This package provides utilities for simplifying the use of EFS file systems 
@@ -137,6 +137,11 @@ %clean %changelog +* Wed Mar 15 2023 Soyeon Ju <mjsoy...@amazon.com> - 1.35.0 +- Support MacOS Ventura, Oracle8 distribution +- Add debug statement for size of state file write +- Add parameters in mount options for assume web role with web identity + * Wed Jan 1 2023 Ryan Stankiewicz <rjst...@amazon.com> - 1.34.5 - Watchdog detect empty private key and regenerate - Update man page diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.34.5/build-deb.sh new/efs-utils-1.35.0/build-deb.sh --- old/efs-utils-1.34.5/build-deb.sh 2023-01-06 20:49:31.000000000 +0100 +++ new/efs-utils-1.35.0/build-deb.sh 2023-03-16 19:07:54.000000000 +0100 @@ -11,7 +11,7 @@ BASE_DIR=$(pwd) BUILD_ROOT=${BASE_DIR}/build/debbuild -VERSION=1.34.5 +VERSION=1.35.0 RELEASE=1 DEB_SYSTEM_RELEASE_PATH=/etc/os-release diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.34.5/config.ini new/efs-utils-1.35.0/config.ini --- old/efs-utils-1.34.5/config.ini 2023-01-06 20:49:31.000000000 +0100 +++ new/efs-utils-1.35.0/config.ini 2023-03-16 19:07:54.000000000 +0100 @@ -7,5 +7,5 @@ # [global] -version=1.34.5 +version=1.35.0 release=1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.34.5/dist/amazon-efs-utils.control new/efs-utils-1.35.0/dist/amazon-efs-utils.control --- old/efs-utils-1.34.5/dist/amazon-efs-utils.control 2023-01-06 20:49:31.000000000 +0100 +++ new/efs-utils-1.35.0/dist/amazon-efs-utils.control 2023-03-16 19:07:54.000000000 +0100 
@@ -1,6 +1,6 @@ Package: amazon-efs-utils Architecture: all -Version: 1.34.5 +Version: 1.35.0 Section: utils Depends: python3, nfs-common, stunnel4 (>= 4.56), openssl (>= 1.0.2), util-linux Priority: optional diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.34.5/man/mount.efs.8 new/efs-utils-1.35.0/man/mount.efs.8 --- old/efs-utils-1.34.5/man/mount.efs.8 2023-01-06 20:49:31.000000000 +0100 +++ new/efs-utils-1.35.0/man/mount.efs.8 2023-03-16 19:07:54.000000000 +0100 @@ -98,6 +98,12 @@ environment variable, the AssumeRoleWithWebIdentity, the EC2 instance profile\&. The first location that has credentials will be used. This option requires the \fBtls\fR option\&. .TP +\fBrolearn\fR +Role ARN for IAM authentication with AssumeRoleWithWebIdentity API\&. +.TP +\fBjwtpath\fR +Identity token for IAM authentication with AssumeRoleWithWebIdentity API\&. +.TP \fBaccesspoint\fR Mount the EFS file system using the specified access point. This option requires the \ \fBtls\fR option\&. The access point must be in the "available" state before it \ 
@@ -186,6 +192,11 @@ with encryption of data in transit. The mount helper will authenticate with EFS using \ the system's IAM identity\&. .TP +sudo mount -t efs -o tls,iam,rolearn="ROLE_ARN",jwtpath="PATH/JWT_TOKEN_FILE" fs-abcd1234 /mnt/efs +Mount an EFS file system with file system ID "fs-abcd1234" at mount point "/mnt/efs" \ +with encryption of data in transit. The mount helper will assume the role "ROLE_ARN" by calling \ +the AssumeRoleWithWebIdentity API with the identity token at "PATH/JWT_TOKEN_FILE"\&. +.TP sudo mount -t efs -o tls,iam,awsprofile=test-profile fs-abcd1234 /mnt/efs Mount an EFS file system with file system ID "fs-abcd1234" at mount point "/mnt/efs" \ with encryption of data in transit. The mount helper will authenticate with EFS using \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.34.5/src/mount_efs/__init__.py new/efs-utils-1.35.0/src/mount_efs/__init__.py --- old/efs-utils-1.34.5/src/mount_efs/__init__.py 2023-01-06 20:49:31.000000000 +0100 +++ new/efs-utils-1.35.0/src/mount_efs/__init__.py 2023-03-16 19:07:54.000000000 +0100 @@ -85,7 +85,7 @@ BOTOCORE_PRESENT = False -VERSION = "1.34.5" +VERSION = "1.35.0" SERVICE = "elasticfilesystem" AMAZON_LINUX_2_RELEASE_ID = "Amazon Linux release 2 (Karoo)" @@ -236,6 +236,8 @@ "tls", "tlsport", "verify", + "rolearn", + "jwtpath", ] UNSUPPORTED_OPTIONS = ["capath"] @@ -268,6 +270,8 @@ OS_RELEASE_PATH = "/etc/os-release" MACOS_BIG_SUR_RELEASE = "macOS-11" MACOS_MONTEREY_RELEASE = "macOS-12" +MACOS_VENTURA_RELEASE = "macOS-13" + # Multiplier for max read ahead buffer size # Set default as 15 aligning with prior linux kernel 5.4 
@@ -276,11 +280,15 @@ NFS_READAHEAD_OPTIMIZE_LINUX_KERNEL_MIN_VERSION = [5, 4] # MacOS does not support the property of Socket SO_BINDTODEVICE in stunnel configuration -SKIP_NO_SO_BINDTODEVICE_RELEASES = [MACOS_BIG_SUR_RELEASE, MACOS_MONTEREY_RELEASE] +SKIP_NO_SO_BINDTODEVICE_RELEASES = [ + MACOS_BIG_SUR_RELEASE, + MACOS_MONTEREY_RELEASE, + MACOS_VENTURA_RELEASE, +] MAC_OS_PLATFORM_LIST = ["darwin"] -# MacOS Versions : Monterey - 21.*, Big Sur - 20.*, Catalina - 19.*, Mojave - 18.*. Catalina and Mojave are not supported for now -MAC_OS_SUPPORTED_VERSION_LIST = ["20", "21"] +# MacOS Versions : Ventura - 22.*, Monterey - 21.*, Big Sur - 20.*, Catalina - 19.*, Mojave - 18.*. Catalina and Mojave are not supported for now +MAC_OS_SUPPORTED_VERSION_LIST = ["20", "21", "22"] AWS_FIPS_ENDPOINT_CONFIG_ENV = "AWS_USE_FIPS_ENDPOINT" ECS_URI_ENV = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" @@ -546,13 +554,24 @@ def get_aws_security_credentials( - config, use_iam, region, awsprofile=None, aws_creds_uri=None + config, + use_iam, + region, + awsprofile=None, + aws_creds_uri=None, + jwt_path=None, + role_arn=None, ): """ - Lookup AWS security credentials (access key ID and secret access key). Adapted credentials provider chain from: + Lookup AWS security credentials. Adapted credentials provider chain from: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html and https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html + + If iam is enabled, this function will return two objects, credentials and credentials_source. + credentials is a dictionary with three keys, "AccessKeyId", "SecretAccessKey", and "Token". + credentials_source will be a string that describes the method by which the credentials were obtained. """ + if not use_iam: return None, None 
@@ -576,6 +595,17 @@ # attempt to lookup AWS security credentials through AssumeRoleWithWebIdentity # (e.g. for IAM Role for Service Accounts (IRSA) approach on EKS) + if jwt_path and role_arn: + credentials, credentials_source = get_aws_security_credentials_from_webidentity( + config, + role_arn, + jwt_path, + region, + False, + ) + if credentials and credentials_source: + return credentials, credentials_source + if ( WEB_IDENTITY_ROLE_ARN_ENV in os.environ and WEB_IDENTITY_TOKEN_FILE_ENV in os.environ @@ -1546,8 +1576,12 @@ if use_iam: aws_creds_uri = options.get("awscredsuri") + role_arn = options.get("rolearn") + jwt_path = options.get("jwtpath") if aws_creds_uri: kwargs = {"aws_creds_uri": aws_creds_uri} + elif role_arn and jwt_path: + kwargs = {"role_arn": role_arn, "jwt_path": jwt_path} else: kwargs = {"awsprofile": get_aws_profile(options, use_iam)} @@ -1557,6 +1591,10 @@ if credentials_source: cert_details["awsCredentialsMethod"] = credentials_source + logging.debug( + "AWS credentials source used for IAM authentication: ", + credentials_source, + ) if ap_id: cert_details["accessPoint"] = ap_id diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.34.5/src/watchdog/__init__.py new/efs-utils-1.35.0/src/watchdog/__init__.py --- old/efs-utils-1.34.5/src/watchdog/__init__.py 2023-01-06 20:49:31.000000000 +0100 +++ new/efs-utils-1.35.0/src/watchdog/__init__.py 2023-03-16 19:07:54.000000000 +0100 @@ -56,7 +56,7 @@ AMAZON_LINUX_2_RELEASE_ID, AMAZON_LINUX_2_PRETTY_NAME, ] -VERSION = "1.34.5" +VERSION = "1.35.0" SERVICE = "elasticfilesystem" CONFIG_FILE = "/etc/amazon/efs/efs-utils.conf" 
@@ -1051,6 +1051,12 @@ def rewrite_state_file(state, state_file_dir, state_file): tmp_state_file = os.path.join(state_file_dir, "~%s" % state_file) + logging.debug( + "Rewriting state file: writing " + + str(len(json.dumps(state))) + + " characters into the state file " + + str(tmp_state_file) + ) with open(tmp_state_file, "w") as f: json.dump(state, f) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.34.5/test/mount_efs_test/test_get_aws_security_credentials.py new/efs-utils-1.35.0/test/mount_efs_test/test_get_aws_security_credentials.py --- old/efs-utils-1.34.5/test/mount_efs_test/test_get_aws_security_credentials.py 2023-01-06 20:49:31.000000000 +0100 +++ new/efs-utils-1.35.0/test/mount_efs_test/test_get_aws_security_credentials.py 2023-03-16 19:07:54.000000000 +0100 @@ -41,6 +41,9 @@ AWSPROFILE = "test_profile" AWSCREDSURI = "/v2/credentials/{uuid}" +WEB_IDENTITY_ROLE_ARN = "FAKE_ROLE_ARN" +WEB_IDENTITY_TOKEN_FILE = "WEB_IDENTITY_TOKEN_FILE" + class MockHeaders(object): def __init__(self, content_charset=None): 
@@ -434,3 +437,72 @@ % fake_file in [rec.message for rec in caplog.records][0] ) + + +def test_get_aws_security_credentials_from_webidentity_passed_in_both_params(mocker): + config = get_fake_config() + creds_mocked = { + "AccessKeyId": ACCESS_KEY_ID_VAL, + "SecretAccessKey": SECRET_ACCESS_KEY_VAL, + "Token": SESSION_TOKEN_VAL, + } + credentials_source_mocked = "webidentity:" + ",".join( + [WEB_IDENTITY_ROLE_ARN, WEB_IDENTITY_TOKEN_FILE] + ) + + mocker.patch.dict(os.environ, {}) + mocker.patch( + "mount_efs.get_aws_security_credentials_from_webidentity", + return_value=(creds_mocked, credentials_source_mocked), + ) + + credentials, credentials_source = mount_efs.get_aws_security_credentials( + config, + True, + "us-east-1", + jwt_path=WEB_IDENTITY_TOKEN_FILE, + role_arn=WEB_IDENTITY_ROLE_ARN, + ) + + assert credentials["AccessKeyId"] == ACCESS_KEY_ID_VAL + assert credentials["SecretAccessKey"] == SECRET_ACCESS_KEY_VAL + assert credentials["Token"] == SESSION_TOKEN_VAL + assert credentials_source == credentials_source_mocked + + +def test_get_aws_security_credentials_from_webidentity_passed_in_one_param( + mocker, capsys +): + config = get_fake_config(False) + creds_mocked = { + "AccessKeyId": ACCESS_KEY_ID_VAL, + "SecretAccessKey": SECRET_ACCESS_KEY_VAL, + "Token": SESSION_TOKEN_VAL, + } + credentials_source_mocked = "webidentity:" + ",".join( + [WEB_IDENTITY_ROLE_ARN, WEB_IDENTITY_TOKEN_FILE] + ) + + mocker.patch.dict(os.environ, {}) + mocker.patch( + "mount_efs.get_aws_security_credentials_from_webidentity", + return_value=(creds_mocked, credentials_source_mocked), + ) + mocker.patch("mount_efs.get_iam_role_name", return_value=None) + + with pytest.raises(SystemExit) as ex: + mount_efs.get_aws_security_credentials( + config, True, "us-east-1", jwt_path=WEB_IDENTITY_TOKEN_FILE + ) + + assert 0 != ex.value.code + + out, err = capsys.readouterr() + assert ( + "AWS Access Key ID and Secret Access Key are not found in AWS credentials file" + in err + ) + assert ( + 
"from ECS credentials relative uri, or from the instance security credentials service" + in err + ) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.34.5/test/watchdog_test/test_get_aws_security_credentials.py new/efs-utils-1.35.0/test/watchdog_test/test_get_aws_security_credentials.py --- old/efs-utils-1.34.5/test/watchdog_test/test_get_aws_security_credentials.py 2023-01-06 20:49:31.000000000 +0100 +++ new/efs-utils-1.35.0/test/watchdog_test/test_get_aws_security_credentials.py 2023-03-16 19:07:54.000000000 +0100 @@ -34,6 +34,9 @@ WRONG_SECRET_ACCESS_KEY_VAL = "WRONG_AWS_SECRET_ACCESS_KEY" WRONG_SESSION_TOKEN_VAL = "WRONG_SESSION_TOKEN" +ROLE_ARN = "fake_role_arn" +WEB_IDENTITY_TOKEN_FILE = "/fake_web_identity_token_file" + AWS_CONFIG_FILE = "fake_aws_config" DEFAULT_PROFILE = "DEFAULT" AWSPROFILE = "test_profile" @@ -434,3 +437,25 @@ assert credentials["AccessKeyId"] == ACCESS_KEY_ID_VAL assert credentials["SecretAccessKey"] == SECRET_ACCESS_KEY_VAL assert credentials["Token"] == SESSION_TOKEN_VAL + + +def test_get_aws_security_credentials_webidentity(mocker): + config = get_fake_config() + credentials_source = "webidentity:" + ",".join([ROLE_ARN, WEB_IDENTITY_TOKEN_FILE]) + mock_response = { + "AccessKeyId": ACCESS_KEY_ID_VAL, + "SecretAccessKey": SECRET_ACCESS_KEY_VAL, + "Token": SESSION_TOKEN_VAL, + } + mocker.patch( + "watchdog.get_aws_security_credentials_from_webidentity", + return_value=mock_response, + ) + + credentials = watchdog.get_aws_security_credentials( + config, credentials_source, "us-east-1" + ) + + assert credentials["AccessKeyId"] == ACCESS_KEY_ID_VAL + assert credentials["SecretAccessKey"] == SECRET_ACCESS_KEY_VAL + assert credentials["Token"] == SESSION_TOKEN_VAL
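Review bot: In the README hunk `@@ -35,6 +36,44 @@`, the new table of contents omits the `## Use AssumeRoleWithWebIdentity` section that this same change adds below `## Use the assumed profile credentials for IAM`; add `- [Use AssumeRoleWithWebIdentity](#use-assumerolewithwebidentity)` after the "Use the assumed profile credentials for IAM" entry so the TOC matches the headings.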
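Review bot: In the README Troubleshooting hunk `@@ -246,6 +274,18 @@`, both `sed -i ... /etc/amazon/efs/efs-utils.conf` commands edit a root-owned file without `sudo`, unlike every other privileged command in this README; prefix them with `sudo` (and "Often times" reads better as "Often").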
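Review bot: In the README hunk `@@ -478,6 +523,22 @@`, the text tells users to set an environment variable called `ROLE_ARN`, while the code path in `mount_efs/__init__.py` checks `WEB_IDENTITY_ROLE_ARN_ENV`; confirm the documented name matches that constant's value (the AWS SDK convention paired with `AWS_WEB_IDENTITY_TOKEN_FILE` is `AWS_ROLE_ARN`), since a wrong name here sends users down the profile fallback with an unrelated error. Also, "an example of to leverage it" (twice) is missing "how".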
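Review bot: In the `man/mount.efs.8` hunk `@@ -98,6 +98,12 @@`, `jwtpath` is described as "Identity token for IAM authentication", but the value is the path to a file containing the token, not the token itself; say "Path to the file containing the web identity token". The entries should also state that `rolearn` and `jwtpath` must be given together and are only read when `iam` is set, which is what the code in `mount_efs/__init__.py` does.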
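Review bot: In the `mount_efs/__init__.py` hunk `@@ -576,6 +595,17 @@`, the option-supplied `role_arn`/`jwt_path` branch runs before the `WEB_IDENTITY_ROLE_ARN_ENV`/`WEB_IDENTITY_TOKEN_FILE_ENV` check, so mount options silently take precedence over the environment; document that precedence (README and man page) and add a test that sets both. The bare positional `False` passed to `get_aws_security_credentials_from_webidentity` is also opaque at the call site; pass it by keyword so a reader can tell what it controls.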
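Review bot: In the `mount_efs/__init__.py` hunk `@@ -1546,8 +1576,12 @@`, when exactly one of `rolearn`/`jwtpath` is supplied the `elif role_arn and jwt_path:` branch is skipped and the mount falls through to the profile chain, ending in the generic "AWS Access Key ID and Secret Access Key are not found" failure that the new test asserts on. Fail fast instead with a message naming the missing option, e.g. `fatal_error("rolearn and jwtpath must be specified together")`, so a misconfiguration is reported as such rather than as a credentials lookup failure.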
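Review bot: In the `mount_efs/__init__.py` hunk `@@ -1557,6 +1591,10 @@`, the new `logging.debug` call passes `credentials_source` as a format argument but the message has no `%s` placeholder, so the value is never rendered and, once DEBUG logging is enabled, the logging module prints a "--- Logging error ---" traceback ("not all arguments converted during string formatting") to stderr instead of the intended line. Use `logging.debug("AWS credentials source used for IAM authentication: %s", credentials_source)`.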
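Review bot: In the `watchdog/__init__.py` hunk `@@ -1051,6 +1051,12 @@`, `json.dumps(state)` serializes the entire state a second time only to measure it, and the message is built by string concatenation rather than logging's lazy `%` formatting. Serialize once, e.g. `payload = json.dumps(state)`, log `len(payload)` with `%d` and `tmp_state_file` with `%s`, then `f.write(payload)`, so the logged size is exactly what is written and no work is done when DEBUG is off.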
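Review bot: In the `test/watchdog_test/test_get_aws_security_credentials.py` hunk `@@ -434,3 +437,25 @@`, `watchdog.get_aws_security_credentials_from_webidentity` is mocked to return a bare credentials dict, whereas the `mount_efs` test in this same change mocks the same-named function to return a `(credentials, credentials_source)` tuple; confirm the two modules' functions really differ in return shape, otherwise this test passes against a mock that does not match the real signature.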