Make session token duration configurable in AmazonWebServicesCredentialsBinding #52
Conversation
|
Hey @andresrc, could I please get a review on this? |
| AWSCredentials credentials = getCredentials(build).getCredentials(); | ||
| AmazonWebServicesCredentials credentialRetriever = getCredentials(build); | ||
| if (stsTokenDuration != null) { | ||
| credentialRetriever.setStsTokenDuration(stsTokenDuration); |
There was a problem hiding this comment.
This will potentially change the configuration in the credentials store, and thus change the behavior at least for all builds in the current session which do not specify this parameter.
There was a problem hiding this comment.
ah, I didn't realise this. Thanks for letting me know.
|
Perhaps you could have an |
nathandines
force-pushed
the
feature/request-session-duration
branch
from
61bef5c
to
5838c1f
Compare
| @@ -87,14 +88,25 @@ public String getSecretKeyVariable() { | |||
| return secretKeyVariable; | |||
| } | |||
|
|
|||
| @DataBoundSetter | |||
There was a problem hiding this comment.
You also need a matching public getter; and an update to config.jelly.
There was a problem hiding this comment.
Cheers. Just for my benefit, could you please point me to the docs explaining the need for both the setter and the getter together? Or just briefly explain why? I believe that it's necessary, but would appreciate a better understanding of it.
There was a problem hiding this comment.
Docs are not really written I am afraid. The getter is needed so that the equivalent of ${instance.stsTokenDuration} would work when reconfiguring an object from Jelly. Something like this would be evaluated by having a databound control inside an f:entry. You can get a test to fail against your code as written by using JenkinsRule.configRoundtrip with a SecretBuildWrapper (or StepConfigTester with a BindingStep, a bit more work), though it would be overkill if you are not doing anything out of the ordinary.
There was a problem hiding this comment.
Ah, okay. That makes sense. Thanks for the explanation :)
| return getCredentials(this.getStsTokenDuration()); | ||
| } | ||
|
|
||
| public AWSCredentials getCredentials(Integer stsTokenDuration) { |
There was a problem hiding this comment.
Probably int not Integer, or can this be null?
There was a problem hiding this comment.
I don't think it should generally be null. Probably better to prevent this.
I had used Integer rather than int, as it seems to be used pretty consistently across the project. For the moment, I've added the @NonNull annotation on it. Do you think this would be sufficient, or do you think I should still change it to int?
There was a problem hiding this comment.
Should be int unless you have a clear use case for a null value.
There was a problem hiding this comment.
Okay. Just changed it
nathandines
force-pushed
the
feature/request-session-duration
branch
2 times, most recently
from
fdbd780
to
f48977f
Compare
By enabling runtime configuration of the STS token duration, this enables a shorter token duration to be defined by default on a Jenkins master, but enables users to explicilty request a longer session token for longer running jobs. This helps to ensure that the credential lifetime is only as long as necessary.
nathandines
force-pushed
the
feature/request-session-duration
branch
from
f48977f
to
7e201fb
Compare
|
Hey @jglick, I made the requested changes last week. Are you able to re-review, please? |
|
No time, sorry, will leave it to the plugin maintainer (whoever that may be). |
| @@ -45,6 +45,7 @@ | |||
| String getDisplayName(); | |||
|
|
|||
| AWSCredentials getCredentials(String mfaToken); | |||
| AWSCredentials getCredentials(int stsTokenDuration); | |||
There was a problem hiding this comment.
Adding a new method is a binary incompatible change. Can you check if there are any implementations (at least in the jenkinsci organization) that could break? Anyway, some kind of notice would be needed.
There was a problem hiding this comment.
Hey @andresrc, I've just been thinking about this lately, what do you think if this change was removed, and the dependent class (AmazonWebServicesCredentialsBinding) was adjusted to reference our class rather than this interface?
As its usage is within the same package, I think this should be okay; could you please validate this? I'm not 100% sure on what's coming in through the build parameter, however, and not sure if this would influence whether the resulting var will always be of AWSCredentialsImpl type.
I haven't actually tested this theory, so it might not even functionally work, but just your thoughts on the approach before trying it.
Location: found here
AmazonWebServicesCredentials credentialRetriever = getCredentials(build);would become
AWSCredentialsImpl credentialRetriever = getCredentials(build);
AmazonWebServicesCredentialsBinding is often used as the entrypoint to using this plugin in Jenkins pipelines. This change allows developers to override the session token duration in their pipelines.
This can be convenient if it's preferable to have a lower default value for session durations, but need a longer duration for a specific operation such as baking a large AMI.
Example usage: