get dynamic secret from aws

2026-01-08 15:13:55 -05:00 · 2023-04-02 14:53:04 -07:00
parent 2a8a90c0c5
commit c41334ce26
3 changed files with 96 additions and 91 deletions
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
@@ -12,12 +12,12 @@
        "@aws-sdk/client-secrets-manager": "^3.281.0",
        "@godaddy/terminus": "^4.11.2",
        "@octokit/rest": "^19.0.5",
-        "@sentry/tracing": "^7.39.0",
        "@sentry/node": "^7.40.0",
+        "@sentry/tracing": "^7.39.0",
        "@types/crypto-js": "^4.1.1",
        "@types/libsodium-wrappers": "^0.7.10",
        "await-to-js": "^3.0.0",
-        "aws-sdk": "^2.1324.0",
+        "aws-sdk": "^2.1348.0",
        "axios": "^1.1.3",
        "axios-retry": "^3.4.0",
        "bcrypt": "^5.1.0",
@@ -2988,24 +2988,6 @@
      "resolved": "https://registry.npmjs.org/@protobufjs/utf8/-/utf8-1.1.0.tgz",
      "integrity": "sha512-Vvn3zZrhQZkkBE8LSuW3em98c0FwgO4nxzv6OdSxPKJIEKY2bGbHn+mhGIPerzI4twdxaP8/0+06HBpwf345Lw=="
    },
-    "node_modules/@sentry/core": {
-      "version": "7.38.0",
-      "resolved": "https://registry.npmjs.org/@sentry/core/-/core-7.38.0.tgz",
-      "integrity": "sha512-+hXh/SO3Ie6WC2b+wi01xLhyVREdkRXS5QBmCiv3z2ks2HvYXp7PoKSXJvNKiwCP+pBD+enOnM1YEzM2yEy5yw==",
-      "dependencies": {
-        "@sentry/types": "7.38.0",
-        "@sentry/utils": "7.38.0",
-        "tslib": "^1.9.3"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/@sentry/core/node_modules/tslib": {
-      "version": "1.14.1",
-      "resolved": "https://registry.npmjs.org/tslib/-/tslib-1.14.1.tgz",
-      "integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg=="
-    },
    "node_modules/@sentry/node": {
      "version": "7.40.0",
      "resolved": "https://registry.npmjs.org/@sentry/node/-/node-7.40.0.tgz",
@@ -3113,31 +3095,6 @@
      "resolved": "https://registry.npmjs.org/tslib/-/tslib-1.14.1.tgz",
      "integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg=="
    },
-    "node_modules/@sentry/types": {
-      "version": "7.38.0",
-      "resolved": "https://registry.npmjs.org/@sentry/types/-/types-7.38.0.tgz",
-      "integrity": "sha512-NKOALR6pNUMzUrsk2m+dkPrO8uGNvNh1LD0BCPswKNjC2qHo1h1mDGCgBmF9+EWyii8ZoACTIsxvsda+MBf97Q==",
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/@sentry/utils": {
-      "version": "7.38.0",
-      "resolved": "https://registry.npmjs.org/@sentry/utils/-/utils-7.38.0.tgz",
-      "integrity": "sha512-MgbI3YmYuyyhUtvcXkgGBqjOW+nuLLNGUdWCK+C4kObf8VbLt3dSE/7SEMT6TSHLYQmxs2BxFgx5Agn97m68kQ==",
-      "dependencies": {
-        "@sentry/types": "7.38.0",
-        "tslib": "^1.9.3"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/@sentry/utils/node_modules/tslib": {
-      "version": "1.14.1",
-      "resolved": "https://registry.npmjs.org/tslib/-/tslib-1.14.1.tgz",
-      "integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg=="
-    },
    "node_modules/@sinclair/typebox": {
      "version": "0.25.24",
      "resolved": "https://registry.npmjs.org/@sinclair/typebox/-/typebox-0.25.24.tgz",
@@ -4114,9 +4071,9 @@
      }
    },
    "node_modules/aws-sdk": {
-      "version": "2.1324.0",
-      "resolved": "https://registry.npmjs.org/aws-sdk/-/aws-sdk-2.1324.0.tgz",
-      "integrity": "sha512-7T9Jn6qtzCANdqRcdhxZ9Fx31/U+h/VPFxEU3+sFEnC7WtGtRlgmsJOY2lIdFKRXkHYT3Jw5MqDyjnb/i1QqbA==",
+      "version": "2.1348.0",
+      "resolved": "https://registry.npmjs.org/aws-sdk/-/aws-sdk-2.1348.0.tgz",
+      "integrity": "sha512-nyqAuSsrvXdDcumC8/a3XGn7Zd7u2ucroz9ZwvNkMC+V6L7pRxnNKzSZDgKw+vCfjrpHFyCsXyribqfNUpolDA==",
      "dependencies": {
        "buffer": "4.9.2",
        "events": "1.1.1",
@@ -14804,23 +14761,6 @@
      "resolved": "https://registry.npmjs.org/@protobufjs/utf8/-/utf8-1.1.0.tgz",
      "integrity": "sha512-Vvn3zZrhQZkkBE8LSuW3em98c0FwgO4nxzv6OdSxPKJIEKY2bGbHn+mhGIPerzI4twdxaP8/0+06HBpwf345Lw=="
    },
-    "@sentry/core": {
-      "version": "7.38.0",
-      "resolved": "https://registry.npmjs.org/@sentry/core/-/core-7.38.0.tgz",
-      "integrity": "sha512-+hXh/SO3Ie6WC2b+wi01xLhyVREdkRXS5QBmCiv3z2ks2HvYXp7PoKSXJvNKiwCP+pBD+enOnM1YEzM2yEy5yw==",
-      "requires": {
-        "@sentry/types": "7.38.0",
-        "@sentry/utils": "7.38.0",
-        "tslib": "^1.9.3"
-      },
-      "dependencies": {
-        "tslib": {
-          "version": "1.14.1",
-          "resolved": "https://registry.npmjs.org/tslib/-/tslib-1.14.1.tgz",
-          "integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg=="
-        }
-      }
-    },
    "@sentry/node": {
      "version": "7.40.0",
      "resolved": "https://registry.npmjs.org/@sentry/node/-/node-7.40.0.tgz",
@@ -14908,27 +14848,6 @@
        }
      }
    },
-    "@sentry/types": {
-      "version": "7.38.0",
-      "resolved": "https://registry.npmjs.org/@sentry/types/-/types-7.38.0.tgz",
-      "integrity": "sha512-NKOALR6pNUMzUrsk2m+dkPrO8uGNvNh1LD0BCPswKNjC2qHo1h1mDGCgBmF9+EWyii8ZoACTIsxvsda+MBf97Q=="
-    },
-    "@sentry/utils": {
-      "version": "7.38.0",
-      "resolved": "https://registry.npmjs.org/@sentry/utils/-/utils-7.38.0.tgz",
-      "integrity": "sha512-MgbI3YmYuyyhUtvcXkgGBqjOW+nuLLNGUdWCK+C4kObf8VbLt3dSE/7SEMT6TSHLYQmxs2BxFgx5Agn97m68kQ==",
-      "requires": {
-        "@sentry/types": "7.38.0",
-        "tslib": "^1.9.3"
-      },
-      "dependencies": {
-        "tslib": {
-          "version": "1.14.1",
-          "resolved": "https://registry.npmjs.org/tslib/-/tslib-1.14.1.tgz",
-          "integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg=="
-        }
-      }
-    },
    "@sinclair/typebox": {
      "version": "0.25.24",
      "resolved": "https://registry.npmjs.org/@sinclair/typebox/-/typebox-0.25.24.tgz",
@@ -15678,9 +15597,9 @@
      "integrity": "sha512-zJAaP9zxTcvTHRlejau3ZOY4V7SRpiByf3/dxx2uyKxxor19tpmpV2QRsTKikckwhaPmr2dVpxxMr7jOCYVp5g=="
    },
    "aws-sdk": {
-      "version": "2.1324.0",
-      "resolved": "https://registry.npmjs.org/aws-sdk/-/aws-sdk-2.1324.0.tgz",
-      "integrity": "sha512-7T9Jn6qtzCANdqRcdhxZ9Fx31/U+h/VPFxEU3+sFEnC7WtGtRlgmsJOY2lIdFKRXkHYT3Jw5MqDyjnb/i1QqbA==",
+      "version": "2.1348.0",
+      "resolved": "https://registry.npmjs.org/aws-sdk/-/aws-sdk-2.1348.0.tgz",
+      "integrity": "sha512-nyqAuSsrvXdDcumC8/a3XGn7Zd7u2ucroz9ZwvNkMC+V6L7pRxnNKzSZDgKw+vCfjrpHFyCsXyribqfNUpolDA==",
      "requires": {
        "buffer": "4.9.2",
        "events": "1.1.1",
--- a/backend/package.json
+++ b/backend/package.json
@@ -3,12 +3,12 @@
    "@aws-sdk/client-secrets-manager": "^3.281.0",
    "@godaddy/terminus": "^4.11.2",
    "@octokit/rest": "^19.0.5",
-    "@sentry/tracing": "^7.39.0",
    "@sentry/node": "^7.40.0",
+    "@sentry/tracing": "^7.39.0",
    "@types/crypto-js": "^4.1.1",
    "@types/libsodium-wrappers": "^0.7.10",
    "await-to-js": "^3.0.0",
-    "aws-sdk": "^2.1324.0",
+    "aws-sdk": "^2.1348.0",
    "axios": "^1.1.3",
    "axios-retry": "^3.4.0",
    "bcrypt": "^5.1.0",
--- a/backend/src/dynamic-secrets/aws/aws-dynamic-secret.js
+++ b/backend/src/dynamic-secrets/aws/aws-dynamic-secret.js
@@ -0,0 +1,86 @@
+import AWS from 'aws-sdk'
+
+export const createTemporaryIAMUser = async (rootAccessKeyId, rootSecretAccessKey, region, userName, policyDocument, durationInSeconds) => {
+  // Configure AWS SDK with your root user credentials
+  AWS.config.update({
+    accessKeyId: rootAccessKeyId,
+    secretAccessKey: rootSecretAccessKey,
+    region: region,
+  });
+
+  const iam = new AWS.IAM();
+  const sts = new AWS.STS();
+  // Get the account ID
+  const callerIdentity = await sts.getCallerIdentity().promise();
+  const accountId = callerIdentity.Account;
+
+  // Create the IAM role
+  const roleName = `Role-${userName}`;
+  const assumeRolePolicyDocument = {
+    Version: '2012-10-17',
+    Statement: [
+      {
+        Effect: 'Allow',
+        Principal: {
+          AWS: `arn:aws:iam::${accountId}:root`,
+        },
+        Action: 'sts:AssumeRole',
+      },
+    ],
+  };
+  const createRoleParams = {
+    RoleName: roleName,
+    AssumeRolePolicyDocument: JSON.stringify(assumeRolePolicyDocument),
+  };
+  const role = await iam.createRole(createRoleParams).promise();
+
+  // Create and attach the policy to the IAM role
+  const policyName = `Policy-${userName}`;
+  const createPolicyParams = {
+    PolicyName: policyName,
+    PolicyDocument: JSON.stringify(policyDocument),
+  };
+  const policy = await iam.createPolicy(createPolicyParams).promise();
+
+  const attachRolePolicyParams = {
+    PolicyArn: policy.Policy.Arn,
+    RoleName: roleName,
+  };
+  await iam.attachRolePolicy(attachRolePolicyParams).promise();
+
+  // Create temporary credentials for the IAM role
+  const assumeRoleParams = {
+    RoleArn: role.Role.Arn,
+    RoleSessionName: `TemporarySession-${userName}`,
+    DurationSeconds: durationInSeconds,
+  };
+  const credentials = await sts.assumeRole(assumeRoleParams).promise();
+
+  // Return the temporary credentials
+  return {
+    accessKeyId: credentials.Credentials.AccessKeyId,
+    secretAccessKey: credentials.Credentials.SecretAccessKey,
+    sessionToken: credentials.Credentials.SessionToken,
+  };
+};
+
+// module.exports = createTemporaryIAMUser;
+
+
+
+
+
+
+// // Example policy document
+// const policyDocument = {
+//   Version: '2012-10-17',
+//   Statement: [
+//     {
+//       Action: 's3:ListBucket',
+//       Effect: 'Allow',
+//       Resource: 'arn:aws:s3:::example-bucket',
+//     },
+//   ],
+// };
+
+