opensearch-project / sql-odbc

OpenSearchODBC is a read-only ODBC driver for Windows and Mac for connecting to OpenSearch SQL support.
Apache License 2.0

[FEATURE] Support EC2 Instance Authentication #35

Open bulebuk opened 1 year ago

bulebuk commented 1 year ago

I would like to use the ODBC driver on Windows EC2 instances that have an instance profile and IAM role with permissions for OpenSearch. This would eliminate the need to configure or store credentials within the EC2 instance. Unfortunately, this ODBC driver has hard coded the use of the profile credential provider when selecting IAM authentication.

The ODBC driver should switch from using Aws::Auth::ProfileConfigFileAWSCredentialsProvider to instead using Aws::Auth::DefaultAWSCredentialsProviderChain which would use EnvironmentAWSCredentialsProvider, ProfileConfigFileAWSCredentialsProvider, InstanceProfileCredentialsProvider in that order. This would provide functionality with parity to the JDBC driver and most tooling that uses the AWS SDK.

Yury-Fridlyand commented 1 year ago

I tried to do that, and here are my findings so far. This code in OpenSearchCommunication::IssueRequest

std::shared_ptr< Aws::Auth::DefaultAWSCredentialsProviderChain >
    credential_provider = Aws::MakeShared<
        Aws::Auth::DefaultAWSCredentialsProviderChain >(
        ALLOCATION_TAG.c_str());

instead of https://github.com/opensearch-project/sql-odbc/blob/85678a0ace4aa5bc97074425b1d67c3748aa51c6/src/sqlodbc/opensearch_communication.cpp#L431-L434 doesn't work, because

  1. DefaultAWSCredentialsProviderChain uses only the default profile
  2. EnvironmentAWSCredentialsProvider in that chain ignores the env variables that are set (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN) - tested on Windows

Possible fixes for 1:

  1. Make a new class which inherits from DefaultAWSCredentialsProviderChain and allows defining the profile name as an argument
  2. Try to set the profile name as an env var: ref
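
A self-contained model of the lookup order named in the request (environment, then profile, then instance profile), with the profile name passed as an argument as in possible fix 1. This is an added example, not code from the driver or the AWS SDK; `Credentials`, `Sources`, `ProfileAwareChain` and all sample values are constructed stand-ins, and skipping a provider that returns an incomplete key pair is an assumption of the model.

```cpp
#include <functional>
#include <map>
#include <string>
#include <utility>
#include <vector>
// Stand-in types for illustration only; these are not the AWS SDK classes.
struct Credentials {
    std::string access_key, secret_key, session_token;
    bool empty() const { return access_key.empty() || secret_key.empty(); }
};
// Constructed inputs: process environment, shared credentials file, instance role.
struct Sources {
    std::map<std::string, std::string> env;
    std::map<std::string, Credentials> profiles;
    Credentials instance_role;
};
using Provider = std::function<Credentials()>;
class ProfileAwareChain {
public:
    // `src` must outlive the chain; `profile` is the caller-chosen profile name.
    ProfileAwareChain(const Sources& src, const std::string& profile) {
        Add("environment", [&src] {
            auto get = [&src](const char* key) {
                auto it = src.env.find(key);
                return it == src.env.end() ? std::string() : it->second;
            };
            return Credentials{get("AWS_ACCESS_KEY_ID"), get("AWS_SECRET_ACCESS_KEY"),
                               get("AWS_SESSION_TOKEN")};
        });
        Add("profile:" + profile, [&src, profile] {
            auto it = src.profiles.find(profile);
            return it == src.profiles.end() ? Credentials{} : it->second;
        });
        Add("instance-profile", [&src] { return src.instance_role; });
    }
    // Name of the first provider, in chain order, that yields a key pair.
    std::string Winner() const {
        for (const auto& p : providers_)
            if (!p.second().empty()) return p.first;
        return "none";
    }
private:
    void Add(std::string name, Provider fn) { providers_.emplace_back(std::move(name), std::move(fn)); }
    std::vector<std::pair<std::string, Provider>> providers_;
};
int main() {  // constructed case: only an instance role is available
    Sources ec2; ec2.instance_role = {"role-key", "role-secret", "role-token"};
    return ProfileAwareChain(ec2, "default").Winner() == "instance-profile" ? 0 : 1;
}
```

Because the first provider with a complete key pair wins, long-lived keys left in the environment or in a profile take precedence over the instance role's credentials in this ordering.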