kubeflow
/
pipelines
mirror of https://github.com/kubeflow/pipelines.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
pipelines/frontend/server/aws-helper.ts

130 lines
3.7 KiB
TypeScript
Raw Permalink Blame History

// Copyright 2019 The Kubeflow Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
import fetch from 'node-fetch';
/** AWSMetadataCredentials describes the credentials provided by aws metadata store. */
export interface AWSMetadataCredentials {
Code: string;
LastUpdated: string;
Type: string;
AccessKeyId: string;
SecretAccessKey: string;
Token: string;
Expiration: string;
}
/** url for aws metadata store. */
const metadataUrl = 'http://169.254.169.254/latest/meta-data';
/**
* Get the AWS IAM instance profile.
*/
async function getIAMInstanceProfile(): Promise<string | undefined> {
try {
const resp = await fetch(`${metadataUrl}/iam/security-credentials/`);
const profiles = (await resp.text()).split('\n');
if (profiles.length > 0) {
return profiles[0].trim(); // return first profile
}
return;
} catch (error) {
console.error(
`Unable to fetch credentials from AWS metadata store (${metadataUrl}/iam/security-credentials/): ${error}`,
);
return;
}
}
/**
* Check if the provided string is an S3 endpoint (can be any region).
*
* @param endpoint minio endpoint to check.
*/
export function isAWSS3Endpoint(endpoint: string = ''): boolean {
return !!endpoint.match(/s3.{0,}\.amazonaws\.com\.?.{0,}/i);
}
/**
* Class to handle the session credentials for AWS ec2 instance profile.
*/
class AWSInstanceProfileCredentials {
_iamProfile?: string;
_credentials?: AWSMetadataCredentials;
_expiration: number = 0;
/** reset all caches */
reset() {
this._iamProfile = undefined;
this._credentials = undefined;
this._expiration = 0;
return this;
}
/**
* EC2 Instance profile
*/
async profile() {
if (!this._iamProfile) {
try {
this._iamProfile = await getIAMInstanceProfile();
} catch (err) {
console.error(err);
}
}
return this._iamProfile;
}
/**
* Return true only if there is a metadata store and instance profile.
*/
async ok() {
try {
const profile = await this.profile();
return profile && profile.length > 0;
} catch (_) {
return false;
}
}
async _fetchCredentials(): Promise<AWSMetadataCredentials | undefined> {
try {
const profile = await this.profile();
const resp = await fetch(`${metadataUrl}/iam/security-credentials/${profile}`);
const credentials = await resp.json();
return credentials;
} catch (error) {
console.error(`Unable to fetch credentials from AWS metadata store: ${error}`);
return;
}
}
/**
* Get the AWS metadata store session credentials.
*/
async getCredentials(): Promise<AWSMetadataCredentials | undefined> {
// query for credentials if going to expire or no credentials yet
if (Date.now() + 10 >= this._expiration || !this._credentials) {
this._credentials = await this._fetchCredentials();
if (this._credentials && this._credentials.Expiration) {
this._expiration = new Date(this._credentials.Expiration).getTime();
} else {
this._expiration = -1; // always retry
}
}
return this._credentials;
}
}
export const awsInstanceProfileCredentials = new AWSInstanceProfileCredentials();
Reference in New Issue View Git Blame Copy Permalink