Feature/issue 158 - Use Lambda role for S3 connection (#159)

* remove edl ssm parameters from s3 resource and policies * update changelog * restore some ssm policies for connections module * remove EDL ssm parameters from main.tf --------- Co-authored-by: Frank Greguska <[email protected]>
podaac · Apr 18, 2024 · 22a669b · 22a669b
1 parent f3d2d3c
commit 22a669b
Show file tree

Hide file tree

Showing 6 changed files with 5 additions and 74 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,6 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Deprecated 
 ### Removed
 ### Fixed
+    - Issue 158 - Use Lambda role instead of EDL for s3 connection
     - Issue 104 - Prevent nodes from being loaded into the reach table
 ### Security
 

diff --git a/hydrocron/utils/connection.py b/hydrocron/utils/connection.py
@@ -3,8 +3,6 @@
 """
 
 # Standard imports
-import base64
-import json
 import os
 from types import ModuleType
 import sys
@@ -13,10 +11,6 @@
 import boto3
 from boto3.resources.base import ServiceResource
 import botocore
-import requests
-
-# Local imports
-from hydrocron.utils import constants
 
 
 class Connection(ModuleType):
@@ -68,57 +62,13 @@ def s3_resource(self) -> ServiceResource:
         """Return S3 session resource."""
 
         if not self._s3_resource:
-            creds = self.retrieve_credentials()
-            s3_session = boto3.session.Session(
-                aws_access_key_id=creds['accessKeyId'],
-                aws_secret_access_key=creds['secretAccessKey'],
-                aws_session_token=creds['sessionToken'],
-                region_name='us-west-2')
+
+            s3_session = boto3.session.Session()
 
             self._s3_resource = s3_session.resource('s3')
 
         return self._s3_resource
 
-    @staticmethod
-    def retrieve_credentials():
-        """Makes the Oauth calls to authenticate with EDS and return a set of s3
-        same-region, read-only credntials.
-        """
-
-        login_resp = requests.get(
-            constants.S3_CREDS_ENDPOINT,
-            allow_redirects=False,
-            timeout=5
-        )
-        login_resp.raise_for_status()
-
-        auth = f"{os.environ['EARTHDATA_USERNAME']}:{os.environ['EARTHDATA_PASSWORD']}"
-        encoded_auth = base64.b64encode(auth.encode('ascii'))
-
-        auth_redirect = requests.post(
-            login_resp.headers['location'],
-            data={"credentials": encoded_auth},
-            headers={"Origin": constants.S3_CREDS_ENDPOINT},
-            allow_redirects=False,
-            timeout=5
-        )
-        auth_redirect.raise_for_status()
-
-        final = requests.get(
-            auth_redirect.headers['location'],
-            allow_redirects=False,
-            timeout=5
-        )
-
-        results = requests.get(
-            constants.S3_CREDS_ENDPOINT,
-            cookies={'accessToken': final.cookies['accessToken']},
-            timeout=5
-        )
-        results.raise_for_status()
-
-        return json.loads(results.content)
-
 
 dynamodb_resource: ServiceResource
 s3_resource: ServiceResource

diff --git a/hydrocron/utils/constants.py b/hydrocron/utils/constants.py
@@ -63,8 +63,6 @@
 FIELDNAME_P_LAT = 'p_lat'
 FIELDNAME_SWORD_VERSION = 'sword_version'
 
-S3_CREDS_ENDPOINT = "https://archive.swot.podaac.earthdata.nasa.gov/s3credentials"
-
 REACH_DATA_COLUMNS = [
     'wse', 'wse_u', 'wse_r_u', 'wse_c', 'wse_c_u',
     'slope', 'slope_u', 'slope_r_u', 'slope2', 'slope2_u', 'slope2_r_u',

diff --git a/terraform/hydrocron-iam.tf b/terraform/hydrocron-iam.tf
@@ -55,7 +55,6 @@ data "aws_iam_policy_document" "lambda-invoke-policy" {
       aws_lambda_function.hydrocron_lambda_load_granule.arn
       ]
   }
-
 }
 data "aws_iam_policy_document" "ssm-read-policy" {
 
@@ -79,7 +78,6 @@ data "aws_iam_policy_document" "ssm-read-policy" {
   }
 
 }
-
 data "aws_iam_policy_document" "s3-read-policy" {
   statement {
     effect  = "Allow"
@@ -239,7 +237,7 @@ resource "aws_iam_role" "hydrocron-lambda-load-data-role" {
   inline_policy {
     policy = data.aws_iam_policy_document.lambda_log_to_cloudwatch.json
   }
-  inline_policy {
+    inline_policy {
     name   = "HydrocronSSMRead"
     policy = data.aws_iam_policy_document.ssm-read-policy.json
   }
@@ -295,7 +293,7 @@ resource "aws_iam_role" "hydrocron-lambda-cnm-role" {
   inline_policy {
     policy = data.aws_iam_policy_document.lambda_log_to_cloudwatch.json
   }
-  inline_policy {
+    inline_policy {
     name   = "HydrocronSSMRead"
     policy = data.aws_iam_policy_document.ssm-read-policy.json
   }

diff --git a/terraform/hydrocron-lambda.tf b/terraform/hydrocron-lambda.tf
@@ -99,8 +99,6 @@ resource "aws_lambda_function" "hydrocron_lambda_load_data" {
   tags = var.default_tags
   environment {
     variables = {
-      EARTHDATA_USERNAME = data.aws_ssm_parameter.edl_username.value
-      EARTHDATA_PASSWORD = data.aws_ssm_parameter.edl_password.value
       GRANULE_LAMBDA_FUNCTION_NAME = aws_lambda_function.hydrocron_lambda_load_granule.function_name
     }
   }
@@ -122,12 +120,6 @@ resource "aws_lambda_function" "hydrocron_lambda_load_granule" {
     security_group_ids = data.aws_security_groups.vpc_default_sg.ids
   }
   tags = var.default_tags
-  environment {
-    variables = {
-      EARTHDATA_USERNAME = data.aws_ssm_parameter.edl_username.value
-      EARTHDATA_PASSWORD = data.aws_ssm_parameter.edl_password.value
-    }
-  }
 }
 
 resource "aws_lambda_function" "hydrocron_lambda_cnm" {

diff --git a/terraform/main.tf b/terraform/main.tf
@@ -46,14 +46,6 @@ data "aws_subnets" "private_application_subnets" {
   }
 }
 
-data "aws_ssm_parameter" "edl_username" {
-  name = "urs_podaaccloud_user"
-}
-data "aws_ssm_parameter" "edl_password" {
-  name = "urs_podaaccloud_pass"
-  with_decryption = true
-}
-
 locals {
   environment = var.stage
   account_id  = data.aws_caller_identity.current.account_id