Add support for multitenant temporary credentials to v1 path (#231)

iwysiu · web-flow · commit 47015d1fe190 · 2025-04-15T12:04:56.000-04:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,11 +2,17 @@
 
 All notable changes to this project will be documented in this file.
 
+## 0.38.0
+
+- Add support for multitenant temporary credentials to v1 path by @iwysiu in [#231](https://github.com/grafana/grafana-aws-sdk/pull/231)
+
 ## 0.37.0
+
 - Fix: clone default transport instead of using it for PDC by @njvrzm in [#229](https://github.com/grafana/grafana-aws-sdk/pull/229)
 - Fix paths for multitenant [#228](https://github.com/grafana/grafana-aws-sdk/pull/228)
 
 ## 0.36.0
+
 - Add dimensions to msk connect and pipe metric namespaces by @rrhodes in [#223](https://github.com/grafana/grafana-aws-sdk/pull/223)
 - Fix: Use DefaultClient in awsauth if given nil HTTPClient by @njvrzm in [#226](https://github.com/grafana/grafana-aws-sdk/pull/226)
 
diff --git a/pkg/awsds/authSettings.go b/pkg/awsds/authSettings.go
@@ -34,9 +34,13 @@ const (
 	// SigV4VerboseLoggingEnvVarKeyName is the string literal for the sigv4 verbose logging environment variable key name
 	SigV4VerboseLoggingEnvVarKeyName = "AWS_SIGV4_VERBOSE_LOGGING"
 
-	defaultAssumeRoleEnabled         = true
-	defaultListMetricsPageLimit      = 500
-	defaultSecureSocksDSProxyEnabled = false
+	// FlagMultiTenantTempCredentials is the flag for whether temporary credentials is running multitenant
+	FlagMultiTenantTempCredentials = "multiTenantTempCredentials"
+
+	defaultAssumeRoleEnabled          = true
+	defaultListMetricsPageLimit       = 500
+	defaultSecureSocksDSProxyEnabled  = false
+	defaultMultiTenantTempCredentials = false
 )
 
 // ReadAuthSettings gets the Grafana auth settings from the context if its available, the environment variables if not
@@ -52,11 +56,12 @@ func ReadAuthSettings(ctx context.Context) *AuthSettings {
 
 func defaultAuthSettings() *AuthSettings {
 	return &AuthSettings{
-		AllowedAuthProviders:      []string{"default", "keys", "credentials"},
-		AssumeRoleEnabled:         defaultAssumeRoleEnabled,
-		SessionDuration:           &stscreds.DefaultDuration,
-		ListMetricsPageLimit:      defaultListMetricsPageLimit,
-		SecureSocksDSProxyEnabled: defaultSecureSocksDSProxyEnabled,
+		AllowedAuthProviders:       []string{"default", "keys", "credentials"},
+		AssumeRoleEnabled:          defaultAssumeRoleEnabled,
+		SessionDuration:            &stscreds.DefaultDuration,
+		ListMetricsPageLimit:       defaultListMetricsPageLimit,
+		MultiTenantTempCredentials: defaultMultiTenantTempCredentials,
+		SecureSocksDSProxyEnabled:  defaultSecureSocksDSProxyEnabled,
 	}
 }
 
@@ -128,6 +133,7 @@ func ReadAuthSettingsFromContext(ctx context.Context) (*AuthSettings, bool) {
 		hasSettings = true
 	}
 
+	settings.MultiTenantTempCredentials = cfg.FeatureToggles().IsEnabled(FlagMultiTenantTempCredentials)
 	return settings, hasSettings
 }
 
diff --git a/pkg/awsds/sessions.go b/pkg/awsds/sessions.go
@@ -5,6 +5,7 @@ import (
 	"crypto/sha256"
 	"fmt"
 	"net/http"
+	"os"
 	"strings"
 	"sync"
 	"time"
@@ -24,6 +25,12 @@ import (
 	awsV2 "github.com/aws/aws-sdk-go-v2/aws"
 )
 
+const (
+	// awsTempCredsAccessKey and awsTempCredsSecretKey are the files containing the
+	awsTempCredsAccessKey = "/tmp/aws.credentials/access-key-id"
+	awsTempCredsSecretKey = "/tmp/aws.credentials/secret-access-key"
+)
+
 type envelope struct {
 	session    *session.Session
 	expiration time.Time
@@ -220,9 +227,23 @@ func (sc *SessionCache) GetSession(c SessionConfig) (*session.Session, error) {
 		cfgs = append(cfgs, &aws.Config{Credentials: newRemoteCredentials(sess)})
 	case AuthTypeGrafanaAssumeRole:
 		backend.Logger.Debug("Authenticating towards AWS with Grafana Assume Role", "region", c.Settings.Region)
-		cfgs = append(cfgs, &aws.Config{
-			Credentials: credentials.NewSharedCredentials(CredentialsPath, ProfileName),
-		})
+		if c.AuthSettings.MultiTenantTempCredentials {
+			accessKey, err := os.ReadFile(awsTempCredsAccessKey)
+			if err != nil {
+				return nil, err
+			}
+			secretKey, err := os.ReadFile(awsTempCredsSecretKey)
+			if err != nil {
+				return nil, err
+			}
+			cfgs = append(cfgs, &aws.Config{
+				Credentials: credentials.NewStaticCredentials(string(accessKey), string(secretKey), ""),
+			})
+		} else {
+			cfgs = append(cfgs, &aws.Config{
+				Credentials: credentials.NewSharedCredentials(CredentialsPath, ProfileName),
+			})
+		}
 	default:
 		return nil, fmt.Errorf("unrecognized authType: %d", c.Settings.AuthType)
 	}
diff --git a/pkg/awsds/types.go b/pkg/awsds/types.go
@@ -19,11 +19,12 @@ type AmazonSessionProvider func(region string, s AWSDatasourceSettings) (*sessio
 
 // AuthSettings stores the AWS settings from Grafana
 type AuthSettings struct {
-	AllowedAuthProviders []string
-	AssumeRoleEnabled    bool
-	SessionDuration      *time.Duration
-	ExternalID           string
-	ListMetricsPageLimit int
+	AllowedAuthProviders       []string
+	AssumeRoleEnabled          bool
+	SessionDuration            *time.Duration
+	ExternalID                 string
+	ListMetricsPageLimit       int
+	MultiTenantTempCredentials bool
 
 	// necessary for a work around until https://github.com/grafana/grafana/issues/39089 is implemented
 	SecureSocksDSProxyEnabled bool
@@ -54,7 +55,7 @@ const (
 	QueryFailedUser
 )
 
-// QueryExecutionError error type can be returned from datasource's Execute or QueryStatus methods 
+// QueryExecutionError error type can be returned from datasource's Execute or QueryStatus methods
 // this will mark the downstream cause in errorResponse.Status
 type QueryExecutionError struct {
 	Err   error
