cube-js/cube

Added credentials chain support in AWS Athena Driver

Open

#2.306 aberto em 5 de mar. de 2021

Ver no GitHub
 (1 comment) (10 reactions) (0 assignees)Rust (1.965 forks)batch import
driver:athenahelp wanted

Métricas do repositório

Stars
 (19.563 stars)
Métricas de merge de PR
 (Mesclagem média 5d 16h) (138 fundiu PRs em 30d)

Description

Is your feature request related to a problem? Please describe. The Cubejs Athena driver supports only environment based credentials for permanent credentials according to what I see in the code (i.e. access and secret keys only). However, there are multiple ways to authenticate on AWS, including short-lived credentials that require not only access and security keys, but secret and session tokens. Forcing users to create long-lived credentials on their AWS account to support development or deployment of CubeJS doesn't seem the best way to go.

Describe the solution you'd like One solution is to modify the AthenaDriver credentials setup to use a credentials provider chain including the SharedIniFileCredentials:

    const envCreds = new AWS.Credentials({
      accessKeyId: process.env.CUBEJS_AWS_KEY,
      secretAccessKey: process.env.CUBEJS_AWS_SECRET,
      region: process.env.CUBEJS_AWS_REGION});
    const ec2Credentials = new AWS.EC2MetadataCredentials();  
    const sharedCreds = new AWS.SharedIniFileCredentials({profile: process.env.CUBEJS_AWS_PROFILE});  
    const chain = new AWS.CredentialProviderChain();
    chain.providers.push(sharedCreds);
    chain.providers.push(ec2Credentials);
    chain.providers.push(envCreds);

    this.config = {
//       accessKeyId: process.env.CUBEJS_AWS_KEY,
//       secretAccessKey: process.env.CUBEJS_AWS_SECRET,
      credentialProvider: chain,

This chain will try to acquire

  • credentials from the user ~/.aws/credentials file using the CUBEJS_AWS_PROFILE profile
  • credentials from the EC2 environment (when deployed on AWS, which means using the EC2 instance role)
  • credentials from the process.env.CUBEJS_XXX vars as last fallback

Describe alternatives you've considered None for now.

Additional context

Guia do colaborador