support role temporary credential in connector tutorial (opensearch-project#3058) (opensearch-project#3084)

opensearch-trigger-bot[bot] · ylwu-amzn · web-flow · commit c2928f57084b · 2024-10-09T13:09:37.000-07:00
Signed-off-by: Yaliang Wu <ylwu@amazon.com> (cherry picked from commit 75d454e) Co-authored-by: Yaliang Wu <ylwu@amazon.com>
diff --git a/docs/tutorials/aws/AIConnectorHelper.ipynb b/docs/tutorials/aws/AIConnectorHelper.ipynb
@@ -18,12 +18,13 @@
     "# This Python code is compatible with AWS OpenSearch versions 2.9 and higher.\n",
     "class AIConnectorHelper:\n",
     "    \n",
-    "    def __init__(self, region, opensearch_domain_name, opensearch_domain_username, opensearch_domain_password, aws_user_name):\n",
+    "    def __init__(self, region, opensearch_domain_name, opensearch_domain_username, opensearch_domain_password, aws_user_name, aws_role_name):\n",
     "        self.region = region\n",
     "        self.opensearch_domain_url, self.opensearch_domain_arn = AIConnectorHelper.get_opensearch_domain_info(region, opensearch_domain_name)\n",
     "        self.opensearch_domain_username = opensearch_domain_username\n",
     "        self.opensearch_domain_opensearch_domain_password = opensearch_domain_password\n",
     "        self.aws_user_name = aws_user_name\n",
+    "        self.aws_role_name = aws_role_name\n",
     "        \n",
     "    @staticmethod    \n",
     "    def get_opensearch_domain_info(region, domain_name):\n",
@@ -46,6 +47,8 @@
     "            return None, None\n",
     "        \n",
     "    def get_user_arn(self, username):\n",
+    "        if not username:\n",
+    "            return None\n",
     "        # Create a boto3 client for IAM\n",
     "        iam_client = boto3.client('iam')\n",
     "\n",
@@ -172,6 +175,8 @@
     "            return None\n",
     "\n",
     "    def get_role_arn(self, role_name):\n",
+    "        if not role_name:\n",
+    "            return None\n",
     "        iam_client = boto3.client('iam')\n",
     "        try:\n",
     "            response = iam_client.get_role(RoleName=role_name)\n",
@@ -374,7 +379,7 @@
     "            \"Statement\": [\n",
     "                {\n",
     "                    \"Action\": [\n",
-    "                        \"secretsmanager:GetSecretValue\"\n",
+    "                        \"secretsmanager:GetSecretValue\",\n",
     "                        \"secretsmanager:DescribeSecret\"\n",
     "                    ],\n",
     "                    \"Effect\": \"Allow\",\n",
@@ -395,17 +400,27 @@
     "        # Step 3: Configure IAM role in OpenSearch\n",
     "        # 3.1 Create IAM role for Signing create connector request\n",
     "        user_arn = self.get_user_arn(self.aws_user_name)\n",
+    "        role_arn = self.get_role_arn(self.aws_role_name)\n",
+    "        statements = []\n",
+    "        if user_arn:\n",
+    "            statements.append({\n",
+    "                \"Effect\": \"Allow\",\n",
+    "                \"Principal\": {\n",
+    "                    \"AWS\": user_arn\n",
+    "                },\n",
+    "                \"Action\": \"sts:AssumeRole\"\n",
+    "            })\n",
+    "        if role_arn:\n",
+    "            statements.append({\n",
+    "                \"Effect\": \"Allow\",\n",
+    "                \"Principal\": {\n",
+    "                    \"AWS\": role_arn\n",
+    "                },\n",
+    "                \"Action\": \"sts:AssumeRole\"\n",
+    "            })\n",
     "        trust_policy = {\n",
     "            \"Version\": \"2012-10-17\",\n",
-    "            \"Statement\": [\n",
-    "                {\n",
-    "                    \"Effect\": \"Allow\",\n",
-    "                    \"Principal\": {\n",
-    "                        \"AWS\": user_arn\n",
-    "                    },\n",
-    "                    \"Action\": \"sts:AssumeRole\"\n",
-    "                }\n",
-    "            ]\n",
+    "            \"Statement\": statements\n",
     "        }\n",
     "\n",
     "        inline_policy = {\n",
@@ -486,17 +501,27 @@
     "        # Step 2: Configure IAM role in OpenSearch\n",
     "        # 2.1 Create IAM role for Signing create connector request\n",
     "        user_arn = self.get_user_arn(self.aws_user_name)\n",
+    "        role_arn = self.get_role_arn(self.aws_role_name)\n",
+    "        statements = []\n",
+    "        if user_arn:\n",
+    "            statements.append({\n",
+    "                \"Effect\": \"Allow\",\n",
+    "                \"Principal\": {\n",
+    "                    \"AWS\": user_arn\n",
+    "                },\n",
+    "                \"Action\": \"sts:AssumeRole\"\n",
+    "            })\n",
+    "        if role_arn:\n",
+    "            statements.append({\n",
+    "                \"Effect\": \"Allow\",\n",
+    "                \"Principal\": {\n",
+    "                    \"AWS\": role_arn\n",
+    "                },\n",
+    "                \"Action\": \"sts:AssumeRole\"\n",
+    "            })\n",
     "        trust_policy = {\n",
     "            \"Version\": \"2012-10-17\",\n",
-    "            \"Statement\": [\n",
-    "                {\n",
-    "                    \"Effect\": \"Allow\",\n",
-    "                    \"Principal\": {\n",
-    "                        \"AWS\": user_arn\n",
-    "                    },\n",
-    "                    \"Action\": \"sts:AssumeRole\"\n",
-    "                }\n",
-    "            ]\n",
+    "            \"Statement\": statements\n",
     "        }\n",
     "\n",
     "        inline_policy = {\n",
@@ -571,20 +596,32 @@
     "opensearch_domain_password = '...' # set your domain password\n",
     "\n",
     "aws_user_name = '...' # set your AWS IAM user name, not IAM user ARN. \n",
-    "            # To avoid permission issue and quick start, you can use user whith AdministratorAccess policy\n",
+    "            # To avoid permission issue and quick start, you can use user with AdministratorAccess policy\n",
     "            # Configure this user's access key and secret key in ~/.aws/credential \n",
     "            # You can configure ~/.aws/credential as:\n",
     "'''\n",
     "[default]\n",
     "AWS_ACCESS_KEY_ID = YOUR_ACCESS_KEY_ID\n",
     "AWS_SECRET_ACCESS_KEY = YOUR_SECRET_ACCESS_KEY\n",
     "'''\n",
+    "aws_role_name = '...' # set your AWS IAM role name, not IAM role ARN.\n",
+    "            # To avoid permission issue and quick start, you can use role with AdministratorAccess policy\n",
+    "            # You can configure role temporary credential in ~/.aws/credential as:\n",
+    "'''\n",
+    "[default]\n",
+    "AWS_ACCESS_KEY_ID = YOUR_ACCESS_KEY_ID\n",
+    "AWS_SECRET_ACCESS_KEY = YOUR_SECRET_ACCESS_KEY\n",
+    "AWS_SESSION_TOKEN = YOUR_AWS_SESSION_TOKEN\n",
+    "'''\n",
+    "# You must set either aws_user_name or aws_role_name. \n",
+    "# You can set the one which you don't need as None. For example aws_role_name=None\n",
     "\n",
     "helper = AIConnectorHelper(region, \n",
     "                           opensearch_domain_name, \n",
     "                           opensearch_domain_username, \n",
     "                           opensearch_domain_password, \n",
-    "                           aws_user_name)"
+    "                           aws_user_name,\n",
+    "                           aws_role_name)"
    ]
   },
   {
