Open LucaCinquini opened 1 year ago
During a group meeting, it was decided that all clients should first obtain a JWT token from the Cognito IdP, and then pass that token to any service that requires authentication/authorization.
Possible ways to obtain a JWT token can be found here: https://github.com/unity-sds/unity-cs/wiki/Getting-Cognito-JWT-Tokens-in-Command-Line
For example, using the CURL client, a JWT token can be obtained as follows:
curl -X POST --data @"$PAYLOAD" -H 'X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth' -H 'Content-Type: application/x-amz-json-1.1' https://cognito-idp.us-west-2.amazonaws.com/ | jq
where $PAYLOAD is a JSON file that contains the user credentials and the venue-specific client id:
cat $PAYLOAD:
{
"AuthParameters" : {
"USERNAME" : "
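The same InitiateAuth exchange in Python, as an added example that is not part of this thread or of the unity-sds code. It assumes the USER_PASSWORD_AUTH flow (the thread shows only the start of the payload), assumes the token is handed to downstream services as a `Bearer` header, and adds the client-side preflight checks a workflow should run before it forwards a token (token type, client binding, remaining lifetime). These checks do not verify the signature; that remains the receiving service's job against the user pool's JWKS. The `post` parameter, the `canned_initiate_auth_response` helper and the unsigned test token exist only so the code can be exercised offline and are constructed for this example.

```python
"""Obtain a Cognito JWT with InitiateAuth and preflight it before passing it on.

Added example, not project code. Assumes USER_PASSWORD_AUTH and Bearer transport.
"""
import base64
import json
import time
import urllib.request

# Region taken from the curl command in the thread.
COGNITO_ENDPOINT = "https://cognito-idp.us-west-2.amazonaws.com/"


def build_initiate_auth_payload(username, password, client_id):
    """Same JSON shape as $PAYLOAD above; the USER_PASSWORD_AUTH flow is an assumption."""
    return {
        "AuthParameters": {"USERNAME": username, "PASSWORD": password},
        "AuthFlow": "USER_PASSWORD_AUTH",
        "ClientId": client_id,
    }


def _http_post(url, body, headers):
    """Real transport: POST raw bytes and return the response body."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.read()


def initiate_auth(username, password, client_id, post=_http_post):
    """Call InitiateAuth and return the AuthenticationResult (IdToken, AccessToken, ...).

    `post` is injectable so the flow can be tested without network access.
    """
    headers = {
        "X-Amz-Target": "AWSCognitoIdentityProviderService.InitiateAuth",
        "Content-Type": "application/x-amz-json-1.1",
    }
    body = json.dumps(build_initiate_auth_payload(username, password, client_id)).encode()
    result = json.loads(post(COGNITO_ENDPOINT, body, headers))
    # A challenge (e.g. NEW_PASSWORD_REQUIRED) or an error comes back without tokens.
    if "AuthenticationResult" not in result:
        raise RuntimeError(f"InitiateAuth did not return tokens: {result}")
    return result["AuthenticationResult"]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Return the payload claims of a compact JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def token_is_usable(token, client_id, now=None, min_ttl=60):
    """Client-side preflight: right token type, bound to our app client, not about to expire.

    Cognito ID tokens carry the client id in `aud`, access tokens in `client_id`.
    """
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    use = claims.get("token_use")
    if use == "id":
        bound_to = claims.get("aud")
    elif use == "access":
        bound_to = claims.get("client_id")
    else:
        return False
    if bound_to != client_id:
        return False
    return claims.get("exp", 0) - now > min_ttl


def bearer_header(token):
    """Header a workflow step attaches when calling a token-protected service."""
    return {"Authorization": f"Bearer {token}"}


def make_test_token(claims):
    """Constructed, unsigned JWT-shaped string for offline tests only; the signature is a placeholder."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'RS256', 'kid': 'test-key'})}.{seg(claims)}.placeholder-signature"


def canned_initiate_auth_response(token):
    """Constructed InitiateAuth response body, used in place of the network for offline runs."""
    return json.dumps({"AuthenticationResult": {
        "IdToken": token, "AccessToken": token, "TokenType": "Bearer", "ExpiresIn": 3600,
    }}).encode()


if __name__ == "__main__":
    cid = "example-client-id"
    tok = make_test_token({"token_use": "id", "aud": cid, "exp": int(time.time()) + 3600})
    fake_post = lambda url, body, headers: canned_initiate_auth_response(tok)
    result = initiate_auth("user", "pass", cid, post=fake_post)
    print(token_is_usable(result["IdToken"], cid), bearer_header(result["IdToken"]))
```

With the real transport, drop the `post` argument; the credentials and client id should come from the calling user's environment rather than from a shared SSM entry, which is the point of the change this issue tracks.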
The L1A and L1B CWL workflows have been modified to pass the JWT token to the DAPA services for download and upload of data - and the hard-wired user credentials (retrieved from SSM) have been removed.
The updated workflows have been tested successfully on MCP-Test:
cwl-runner ssips_L1a_workflow.cwl ssips_L1a_workflow_mcp_test.yml
cwl-runner ssips_L1b_workflow.cwl ssips_L1b_workflow_mcp_test.yml
All work in branch "jwt_token".
Next:
o The WPS-T API needs to be updated to pass an additional input parameter "jwt_token"
o The Docker container that executes the "cwl-runner" command does NOT need to have the "CLIENT_ID" env variable any more
Let's discuss making the JWT_Token available without making it a parameter of the WPS-T/CWL
Checked for duplicates
No duplicates exist.
Alternatives considered
Have system-wide credentials to access the U-DS services. This is what happens now using Luca's credentials.
Describe the feature request
Currently, the stage-in and stage-out steps of the L1A and L1B jobs use Luca's specific credentials (stored in the venue SSM store) to access the DAPA services. The project or user specific credentials should be used instead.