Add assumerole

Author: piyushroshan

deploy/docker/docker-compose.yml

@@ -193,6 +193,9 @@ services:
       - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY:-}
       - AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN:-}
       - AWS_REGION=${AWS_REGION:-}
+      - AWS_ASSUME_ROLE_ARN=${AWS_ASSUME_ROLE_ARN:-}
+      - AWS_EXTERNAL_ID=${AWS_EXTERNAL_ID:-}
+      - AWS_ROLE_SESSION_NAME=${AWS_ROLE_SESSION_NAME:-crapi-chatbot-session}
       - GOOGLE_APPLICATION_CREDENTIALS=${GOOGLE_APPLICATION_CREDENTIALS:-}
       - VERTEX_PROJECT=${VERTEX_PROJECT:-}
       - VERTEX_LOCATION=${VERTEX_LOCATION:-}

deploy/helm/templates/chatbot/config.yaml

@@ -41,6 +41,9 @@ data:
     AWS_SECRET_ACCESS_KEY: {{ .Values.awsSecretAccessKey | quote }}
     AWS_SESSION_TOKEN: {{ .Values.awsSessionToken | quote }}
     AWS_REGION: {{ .Values.awsRegion | quote }}
+    AWS_ASSUME_ROLE_ARN: {{ .Values.awsAssumeRoleArn | quote }}
+    AWS_EXTERNAL_ID: {{ .Values.awsExternalId | quote }}
+    AWS_ROLE_SESSION_NAME: {{ .Values.awsRoleSessionName | quote }}
     GOOGLE_APPLICATION_CREDENTIALS: {{ .Values.googleApplicationCredentials | quote }}
     VERTEX_PROJECT: {{ .Values.vertexProject | quote }}
     VERTEX_LOCATION: {{ .Values.vertexLocation | quote }}

deploy/helm/values.yaml

@@ -52,6 +52,10 @@ awsAccessKeyId: ""
 awsSecretAccessKey: ""
 awsSessionToken: ""
 awsRegion: ""
+# AWS IAM Assume Role configuration (optional - use instead of static credentials)
+awsAssumeRoleArn: ""
+awsExternalId: ""
+awsRoleSessionName: "crapi-chatbot-session"
 
 # Google Vertex AI configuration
 googleApplicationCredentials: ""

deploy/k8s/base/chatbot/config.yaml

@@ -40,6 +40,9 @@ data:
   AWS_SECRET_ACCESS_KEY: ""
   AWS_SESSION_TOKEN: ""
   AWS_REGION: ""
+  AWS_ASSUME_ROLE_ARN: ""
+  AWS_EXTERNAL_ID: ""
+  AWS_ROLE_SESSION_NAME: "crapi-chatbot-session"
   GOOGLE_APPLICATION_CREDENTIALS: ""
   VERTEX_PROJECT: ""
   VERTEX_LOCATION: ""

services/chatbot/src/chatbot/aws_credentials.py

@@ -0,0 +1,193 @@
+"""AWS credentials helper with STS assume role support."""
+
+import logging
+import os
+import threading
+import time
+from typing import Optional
+
+import boto3
+from botocore.credentials import RefreshableCredentials
+from botocore.session import get_session
+
+from .config import Config
+
+logger = logging.getLogger(__name__)
+
+# Cache for assumed role credentials
+_credentials_cache = {
+    "credentials": None,
+    "expiration": 0,
+    "lock": threading.Lock(),
+}
+
+# Refresh credentials 5 minutes before expiration
+CREDENTIALS_REFRESH_BUFFER_SECONDS = 300
+
+
+def _get_base_session():
+    """Get a boto3 session with base credentials (from env vars or instance profile)."""
+    return boto3.Session(
+        aws_access_key_id=os.getenv("AWS_ACCESS_KEY_ID"),
+        aws_secret_access_key=os.getenv("AWS_SECRET_ACCESS_KEY"),
+        aws_session_token=os.getenv("AWS_SESSION_TOKEN"),
+        region_name=os.getenv("AWS_REGION") or os.getenv("AWS_DEFAULT_REGION"),
+    )
+
+
+def _assume_role() -> dict:
+    """Assume the configured IAM role and return temporary credentials."""
+    role_arn = Config.AWS_ASSUME_ROLE_ARN
+    external_id = Config.AWS_EXTERNAL_ID
+    session_name = Config.AWS_ROLE_SESSION_NAME
+
+    logger.info("Assuming IAM role: %s", role_arn)
+
+    base_session = _get_base_session()
+    sts_client = base_session.client("sts")
+
+    assume_role_kwargs = {
+        "RoleArn": role_arn,
+        "RoleSessionName": session_name,
+        "DurationSeconds": 3600,  # 1 hour
+    }
+
+    if external_id:
+        assume_role_kwargs["ExternalId"] = external_id
+
+    response = sts_client.assume_role(**assume_role_kwargs)
+    credentials = response["Credentials"]
+
+    logger.info(
+        "Successfully assumed role %s, expires at %s",
+        role_arn,
+        credentials["Expiration"],
+    )
+
+    return {
+        "access_key": credentials["AccessKeyId"],
+        "secret_key": credentials["SecretAccessKey"],
+        "token": credentials["SessionToken"],
+        "expiry_time": credentials["Expiration"].timestamp(),
+    }
+
+
+def _get_cached_credentials() -> Optional[dict]:
+    """Get cached credentials if they're still valid."""
+    with _credentials_cache["lock"]:
+        if _credentials_cache["credentials"] is None:
+            return None
+
+        # Check if credentials are about to expire
+        if time.time() >= _credentials_cache["expiration"] - CREDENTIALS_REFRESH_BUFFER_SECONDS:
+            return None
+
+        return _credentials_cache["credentials"]
+
+
+def _set_cached_credentials(credentials: dict) -> None:
+    """Cache the credentials."""
+    with _credentials_cache["lock"]:
+        _credentials_cache["credentials"] = credentials
+        _credentials_cache["expiration"] = credentials["expiry_time"]
+
+
+def get_aws_credentials() -> Optional[dict]:
+    """
+    Get AWS credentials, using assume role if configured.
+
+    Returns:
+        dict with 'access_key', 'secret_key', 'token' (optional), and 'region',
+        or None if no credentials are configured/needed.
+    """
+    region = os.getenv("AWS_REGION") or os.getenv("AWS_DEFAULT_REGION")
+
+    # If assume role is configured, use it
+    if Config.AWS_ASSUME_ROLE_ARN:
+        # Try to use cached credentials
+        cached = _get_cached_credentials()
+        if cached:
+            return {
+                "access_key": cached["access_key"],
+                "secret_key": cached["secret_key"],
+                "token": cached["token"],
+                "region": region,
+            }
+
+        # Assume role and cache credentials
+        try:
+            credentials = _assume_role()
+            _set_cached_credentials(credentials)
+            return {
+                "access_key": credentials["access_key"],
+                "secret_key": credentials["secret_key"],
+                "token": credentials["token"],
+                "region": region,
+            }
+        except Exception as e:
+            logger.error("Failed to assume role %s: %s", Config.AWS_ASSUME_ROLE_ARN, e)
+            raise
+
+    # If static credentials are provided via environment variables
+    access_key = os.getenv("AWS_ACCESS_KEY_ID")
+    secret_key = os.getenv("AWS_SECRET_ACCESS_KEY")
+    session_token = os.getenv("AWS_SESSION_TOKEN")
+
+    if access_key and secret_key:
+        result = {
+            "access_key": access_key,
+            "secret_key": secret_key,
+            "region": region,
+        }
+        if session_token:
+            result["token"] = session_token
+        return result
+
+    # Return None to use default credential chain (instance profile, etc.)
+    return None
+
+
+def get_boto3_session() -> boto3.Session:
+    """
+    Get a boto3 session with the appropriate credentials.
+
+    This handles assume role if configured, otherwise uses the default credential chain.
+    """
+    credentials = get_aws_credentials()
+
+    if credentials:
+        return boto3.Session(
+            aws_access_key_id=credentials["access_key"],
+            aws_secret_access_key=credentials["secret_key"],
+            aws_session_token=credentials.get("token"),
+            region_name=credentials.get("region"),
+        )
+
+    # Use default credential chain
+    return boto3.Session(
+        region_name=os.getenv("AWS_REGION") or os.getenv("AWS_DEFAULT_REGION")
+    )
+
+
+def get_bedrock_credentials_kwargs() -> dict:
+    """
+    Get kwargs to pass to ChatBedrock or BedrockEmbeddings for credentials.
+
+    Returns a dict that can be unpacked into the constructor.
+    """
+    credentials = get_aws_credentials()
+    region = os.getenv("AWS_REGION") or os.getenv("AWS_DEFAULT_REGION")
+
+    kwargs = {}
+
+    if region:
+        kwargs["region_name"] = region
+
+    if credentials:
+        kwargs["credentials_profile_name"] = None  # Disable profile lookup
+        kwargs["aws_access_key_id"] = credentials["access_key"]
+        kwargs["aws_secret_access_key"] = credentials["secret_key"]
+        if credentials.get("token"):
+            kwargs["aws_session_token"] = credentials["token"]
+
+    return kwargs

services/chatbot/src/chatbot/config.py

@@ -27,6 +27,9 @@ class Config:
     AZURE_OPENAI_CHAT_DEPLOYMENT = os.getenv("AZURE_OPENAI_CHAT_DEPLOYMENT")
     AZURE_OPENAI_EMBEDDINGS_DEPLOYMENT = os.getenv("AZURE_OPENAI_EMBEDDINGS_DEPLOYMENT")
     AWS_BEARER_TOKEN_BEDROCK = os.getenv("AWS_BEARER_TOKEN_BEDROCK")
+    AWS_ASSUME_ROLE_ARN = os.getenv("AWS_ASSUME_ROLE_ARN", "")
+    AWS_EXTERNAL_ID = os.getenv("AWS_EXTERNAL_ID", "")
+    AWS_ROLE_SESSION_NAME = os.getenv("AWS_ROLE_SESSION_NAME", "crapi-chatbot-session")
     VERTEX_PROJECT = os.getenv("VERTEX_PROJECT", "")
     VERTEX_LOCATION = os.getenv("VERTEX_LOCATION", "")
     MAX_CONTENT_LENGTH = int(os.getenv("MAX_CONTENT_LENGTH", 50000))

services/chatbot/src/chatbot/langgraph_agent.py

@@ -12,6 +12,7 @@
 from langchain_openai import AzureChatOpenAI, ChatOpenAI
 
 from .agent_utils import truncate_tool_messages
+from .aws_credentials import get_bedrock_credentials_kwargs
 from .config import Config
 from .extensions import postgresdb
 from .mcp_client import get_mcp_client
@@ -57,7 +58,8 @@ def _build_llm(api_key, model_name):
             kwargs["api_key"] = Config.AZURE_OPENAI_API_KEY
         return AzureChatOpenAI(**kwargs)
     if provider == "bedrock":
-        return ChatBedrock(model_id=model_name)
+        bedrock_kwargs = get_bedrock_credentials_kwargs()
+        return ChatBedrock(model_id=model_name, **bedrock_kwargs)
     if provider == "vertex":
         return ChatVertexAI(
             model_name=model_name,

services/chatbot/src/chatbot/retriever_utils.py

@@ -11,6 +11,7 @@
 from langchain_mistralai import MistralAIEmbeddings
 from langchain_openai import AzureOpenAIEmbeddings, OpenAIEmbeddings
 
+from .aws_credentials import get_bedrock_credentials_kwargs
 from .config import Config
 
 logger = logging.getLogger(__name__)
@@ -103,7 +104,8 @@ def get_embedding_function(api_key, provider: str, llm_model: str | None):
         if not model_id:
             logger.warning("Bedrock embedding model not configured.")
             return _zero_embeddings()
-        return BedrockEmbeddings(model_id=model_id)
+        bedrock_kwargs = get_bedrock_credentials_kwargs()
+        return BedrockEmbeddings(model_id=model_id, **bedrock_kwargs)
     if embeddings_provider == "vertex":
         vertex_model = (
             Config.EMBEDDINGS_MODEL