[12.0] use IAM role for service account for S3 storage (#356)

By dropping the requirement to have the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables set, we can let the more secure IAM Roles for Service Accounts (IRSA) mechanism take over authentication, so no long-lived static credentials need to be injected into the container.

Co-authored-by: Marc Fournier <marc.fournier@qoqa.com>
Vincent Renaville
2022-03-31 16:43:22 +02:00
committed by GitHub
co-authored by GitHub Marc Fournier
parent 6f8ae872ff
commit 1f5970f05e
2 changed files with 15 additions and 5 deletions
+14 -5
@@ -54,14 +54,19 @@ class IrAttachment(models.Model):
region_name = os.environ.get('AWS_REGION') region_name = os.environ.get('AWS_REGION')
access_key = os.environ.get('AWS_ACCESS_KEY_ID') access_key = os.environ.get('AWS_ACCESS_KEY_ID')
secret_key = os.environ.get('AWS_SECRET_ACCESS_KEY') secret_key = os.environ.get('AWS_SECRET_ACCESS_KEY')
aws_use_irsa = os.environ.get('AWS_USE_IRSA')
bucket_name = bucket_name or os.environ.get('AWS_BUCKETNAME') bucket_name = bucket_name or os.environ.get('AWS_BUCKETNAME')
# replaces {db} by the database name to handle multi-tenancy # replaces {db} by the database name to handle multi-tenancy
bucket_name = bucket_name.format(db=self.env.cr.dbname) bucket_name = bucket_name.format(db=self.env.cr.dbname)
params = { params = {
'aws_access_key_id': access_key,
'aws_secret_access_key': secret_key,
'bucket_name': bucket_name, 'bucket_name': bucket_name,
} }
if access_key:
params['aws_access_key_id'] = access_key
if secret_key:
params['aws_secret_access_key'] = secret_key
if aws_use_irsa:
params['aws_use_irsa'] = aws_use_irsa
if host: if host:
params['endpoint_url'] = host params['endpoint_url'] = host
if region_name: if region_name:
@@ -79,6 +84,7 @@ class IrAttachment(models.Model):
* ``AWS_ACCESS_KEY_ID`` * ``AWS_ACCESS_KEY_ID``
* ``AWS_SECRET_ACCESS_KEY`` * ``AWS_SECRET_ACCESS_KEY``
* ``AWS_BUCKETNAME`` * ``AWS_BUCKETNAME``
* ``AWS_USE_IRSA``
If a name is provided, we'll read this bucket, otherwise, the bucket If a name is provided, we'll read this bucket, otherwise, the bucket
from the environment variable ``AWS_BUCKETNAME`` will be read. from the environment variable ``AWS_BUCKETNAME`` will be read.
@@ -89,14 +95,17 @@ class IrAttachment(models.Model):
# keyword argument 'bucket_name' # keyword argument 'bucket_name'
bucket_name = params.pop("bucket_name") bucket_name = params.pop("bucket_name")
if not ( if not (
params["aws_access_key_id"] and bucket_name and
params["aws_secret_access_key"] and (params["aws_access_key_id"] and
bucket_name params["aws_secret_access_key"] or
params["aws_use_irsa"])
): ):
msg = _('If you want to read from the %s S3 bucket, the following ' msg = _('If you want to read from the %s S3 bucket, the following '
'environment variables must be set:\n' 'environment variables must be set:\n'
'* AWS_ACCESS_KEY_ID\n' '* AWS_ACCESS_KEY_ID\n'
'* AWS_SECRET_ACCESS_KEY\n' '* AWS_SECRET_ACCESS_KEY\n'
'or use irsa for authentification\n'
'* AWS_USE_IRSA\n'
'If you want to write in the %s S3 bucket, this variable ' 'If you want to write in the %s S3 bucket, this variable '
'must be set as well:\n' 'must be set as well:\n'
'* AWS_BUCKETNAME\n' '* AWS_BUCKETNAME\n'
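Review bot: The new validation still subscripts `params["aws_access_key_id"]` and `params["aws_secret_access_key"]`, but the first hunk now inserts those keys only when the matching env var is set, so if this is the same `params` dict an IRSA-only deployment (no static keys) raises KeyError here before the friendly error message is ever reached; read them as `params.get("aws_access_key_id") and`, `params.get("aws_secret_access_key") or` and `params.get("aws_use_irsa")` instead. `AWS_USE_IRSA` is also consumed as a raw string, so any non-empty value including `false` or `0` enables the role path; parse it explicitly, e.g. `aws_use_irsa = os.environ.get('AWS_USE_IRSA', '').strip().lower() in ('1', 'true', 'yes')`. If `params` is later forwarded to boto3 as keyword arguments, `aws_use_irsa` presumably has to be popped alongside `bucket_name` — confirm against the code following this hunk. The message typo `authentification` should be `authentication`. Both enclosing methods begin before their hunks and the second one continues past it.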
+1
@@ -10,3 +10,4 @@ keystoneauth1==3.14.0
# error with 5.x (ConstructorError: could not determine a constructor for the tag '!record') # error with 5.x (ConstructorError: could not determine a constructor for the tag '!record')
PyYAML==4.2b4 PyYAML==4.2b4
prometheus_client==0.11.0 prometheus_client==0.11.0
portalocker==1.7.1
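Review bot: `portalocker==1.7.1` is pinned here without being mentioned in the title or description, which only cover IRSA authentication, and unlike the PyYAML pin above it carries no comment saying why it is needed. A new pinned dependency landing inside an authentication change is exactly what supply-chain review wants called out explicitly; add a one-line reason next to it in the file's existing style, e.g. `# needed by <module> for <purpose>`, or split it into its own commit so the dependency change can be reviewed on its own.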