
Commit 12e28a5

cosmic-chichuyhl25
andauthored
feat: add assume role for SQS (numaproj#2963)
Signed-off-by: Shrivardhan Rao <shrivardhan92@gmail.com> Co-authored-by: Yashash H L <yashashhl25@gmail.com>
1 parent 01862a4 commit 12e28a5

31 files changed

Lines changed: 3051 additions & 821 deletions

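--- a/api/json-schema/schema.json
+++ b/api/json-schema/schema.json
@@ -19479,6 +19479,43 @@
 },
 "type": "object"
 },
+"io.numaproj.numaflow.v1alpha1.AWSAssumeRole": {
+"description": "AWSAssumeRole contains the configuration for AWS STS assume role authentication This can be used with any AWS service (SQS, S3, DynamoDB, etc.)",
+"properties": {
+"durationSeconds": {
+"description": "DurationSeconds is the duration (in seconds) of the role session. Valid values: 900-43200 (15 minutes to 12 hours) Defaults to 3600 (1 hour) if not specified. The actual session duration is constrained by the maximum session duration setting of the IAM role being assumed.",
+"format": "int32",
+"type": "integer"
+},
+"externalID": {
+"description": "ExternalID is a unique identifier that might be required when you assume a role in another account. This is commonly used as an additional security measure for cross-account role access.",
+"type": "string"
+},
+"policy": {
+"description": "Policy is an IAM policy document (JSON string) that you want to use as an inline session policy. This parameter is optional. When specified, the session permissions are the intersection of the IAM role's identity-based policy and the session policies. This allows further restriction of permissions for the specific service operations.",
+"type": "string"
+},
+"policyArns": {
+"description": "PolicyARNs is a list of Amazon Resource Names (ARNs) of IAM managed policies that you want to use as managed session policies. The policies must exist in the same account as the role. This allows attaching existing managed policies to further restrict session permissions.",
+"items": {
+"type": "string"
+},
+"type": "array"
+},
+"roleArn": {
+"description": "RoleARN is the Amazon Resource Name (ARN) of the role to assume. This is a required field when assume role is enabled. Example: \"arn:aws:iam::123456789012:role/CrossAccount-Service-Role\"",
+"type": "string"
+},
+"sessionName": {
+"description": "SessionName is an identifier for the assumed role session. This appears in AWS CloudTrail logs to help identify the source of API calls. If not specified, a default session name will be generated based on the service context.",
+"type": "string"
+}
+},
+"required": [
+"roleArn"
+],
+"type": "object"
+},
 "io.numaproj.numaflow.v1alpha1.AbstractPodTemplate": {
 "description": "AbstractPodTemplate provides a template for pod customization in vertices, daemon deployments and so on.",
 "properties": {
@@ -22472,6 +22509,10 @@
 },
 "io.numaproj.numaflow.v1alpha1.SqsSink": {
 "properties": {
+"assumeRole": {
+"$ref": "#/definitions/io.numaproj.numaflow.v1alpha1.AWSAssumeRole",
+"description": "AssumeRole contains the configuration for AWS STS assume role. When specified, the SQS client will assume the specified role for authentication."
+},
 "awsRegion": {
 "description": "AWSRegion is the AWS Region where the SQS queue is located",
 "type": "string"
@@ -22495,6 +22536,10 @@
 "io.numaproj.numaflow.v1alpha1.SqsSource": {
 "description": "SqsSource represents the configuration of an AWS SQS source",
 "properties": {
+"assumeRole": {
+"$ref": "#/definitions/io.numaproj.numaflow.v1alpha1.AWSAssumeRole",
+"description": "AssumeRole contains the configuration for AWS STS assume role. When specified, the SQS client will assume the specified role for authentication."
+},
 "attributeNames": {
 "description": "AttributeNames is a list of attributes that need to be returned along with each message. Valid values: All | Policy | VisibilityTimeout | MaximumMessageSize | MessageRetentionPeriod | ApproximateNumberOfMessages | ApproximateNumberOfMessagesNotVisible | CreatedTimestamp | LastModifiedTimestamp | QueueArn | ApproximateNumberOfMessagesDelayed | DelaySeconds | ReceiveMessageWaitTimeSeconds | RedrivePolicy | FifoQueue | ContentBasedDeduplication | KmsMasterKeyId | KmsDataKeyReusePeriodSeconds | DeduplicationScope | FifoThroughputLimit | RedriveAllowPolicy | SqsManagedSseEnabled",
 "items": {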
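Review bot: The `durationSeconds` property of the new `AWSAssumeRole` definition documents a valid range of 900-43200 in its description, but the schema itself carries only `"format": "int32"` and `"type": "integer"`, so an out-of-range value passes schema validation and, unless it is checked elsewhere, presumably surfaces only as a failed STS call at runtime. Adding `"minimum": 900, "maximum": 43200` would reject it up front, and `"minLength": 1` on `roleArn` would stop an empty string from satisfying `required`. The same gap is present in the `AWSAssumeRole` definition in api/openapi-spec/swagger.json and in every `assumeRole` block of the three CRD files. If these files are generated from Go API types (not visible on this page), the constraints belong on the Go fields, for example `// +kubebuilder:validation:Minimum=900` and `// +kubebuilder:validation:Maximum=43200`, followed by regeneration.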

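--- a/api/openapi-spec/swagger.json
+++ b/api/openapi-spec/swagger.json
@@ -19483,6 +19483,43 @@
 }
 }
 },
+"io.numaproj.numaflow.v1alpha1.AWSAssumeRole": {
+"description": "AWSAssumeRole contains the configuration for AWS STS assume role authentication This can be used with any AWS service (SQS, S3, DynamoDB, etc.)",
+"type": "object",
+"required": [
+"roleArn"
+],
+"properties": {
+"durationSeconds": {
+"description": "DurationSeconds is the duration (in seconds) of the role session. Valid values: 900-43200 (15 minutes to 12 hours) Defaults to 3600 (1 hour) if not specified. The actual session duration is constrained by the maximum session duration setting of the IAM role being assumed.",
+"type": "integer",
+"format": "int32"
+},
+"externalID": {
+"description": "ExternalID is a unique identifier that might be required when you assume a role in another account. This is commonly used as an additional security measure for cross-account role access.",
+"type": "string"
+},
+"policy": {
+"description": "Policy is an IAM policy document (JSON string) that you want to use as an inline session policy. This parameter is optional. When specified, the session permissions are the intersection of the IAM role's identity-based policy and the session policies. This allows further restriction of permissions for the specific service operations.",
+"type": "string"
+},
+"policyArns": {
+"description": "PolicyARNs is a list of Amazon Resource Names (ARNs) of IAM managed policies that you want to use as managed session policies. The policies must exist in the same account as the role. This allows attaching existing managed policies to further restrict session permissions.",
+"type": "array",
+"items": {
+"type": "string"
+}
+},
+"roleArn": {
+"description": "RoleARN is the Amazon Resource Name (ARN) of the role to assume. This is a required field when assume role is enabled. Example: \"arn:aws:iam::123456789012:role/CrossAccount-Service-Role\"",
+"type": "string"
+},
+"sessionName": {
+"description": "SessionName is an identifier for the assumed role session. This appears in AWS CloudTrail logs to help identify the source of API calls. If not specified, a default session name will be generated based on the service context.",
+"type": "string"
+}
+}
+},
 "io.numaproj.numaflow.v1alpha1.AbstractPodTemplate": {
 "description": "AbstractPodTemplate provides a template for pod customization in vertices, daemon deployments and so on.",
 "type": "object",
@@ -22464,6 +22501,10 @@
 "queueOwnerAWSAccountID"
 ],
 "properties": {
+"assumeRole": {
+"description": "AssumeRole contains the configuration for AWS STS assume role. When specified, the SQS client will assume the specified role for authentication.",
+"$ref": "#/definitions/io.numaproj.numaflow.v1alpha1.AWSAssumeRole"
+},
 "awsRegion": {
 "description": "AWSRegion is the AWS Region where the SQS queue is located",
 "type": "string"
@@ -22487,6 +22528,10 @@
 "queueOwnerAWSAccountID"
 ],
 "properties": {
+"assumeRole": {
+"description": "AssumeRole contains the configuration for AWS STS assume role. When specified, the SQS client will assume the specified role for authentication.",
+"$ref": "#/definitions/io.numaproj.numaflow.v1alpha1.AWSAssumeRole"
+},
 "attributeNames": {
 "description": "AttributeNames is a list of attributes that need to be returned along with each message. Valid values: All | Policy | VisibilityTimeout | MaximumMessageSize | MessageRetentionPeriod | ApproximateNumberOfMessages | ApproximateNumberOfMessagesNotVisible | CreatedTimestamp | LastModifiedTimestamp | QueueArn | ApproximateNumberOfMessagesDelayed | DelaySeconds | ReceiveMessageWaitTimeSeconds | RedrivePolicy | FifoQueue | ContentBasedDeduplication | KmsMasterKeyId | KmsDataKeyReusePeriodSeconds | DeduplicationScope | FifoThroughputLimit | RedriveAllowPolicy | SqsManagedSseEnabled",
 "type": "array",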

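--- a/config/base/crds/full/numaflow.numaproj.io_monovertices.yaml
+++ b/config/base/crds/full/numaflow.numaproj.io_monovertices.yaml
@@ -3934,6 +3934,26 @@ spec:
 type: object
 sqs:
 properties:
+assumeRole:
+properties:
+durationSeconds:
+format: int32
+type: integer
+externalID:
+type: string
+policy:
+type: string
+policyArns:
+items:
+type: string
+type: array
+roleArn:
+type: string
+sessionName:
+type: string
+required:
+- roleArn
+type: object
 awsRegion:
 type: string
 queueName:
@@ -4598,6 +4618,26 @@ spec:
 type: object
 sqs:
 properties:
+assumeRole:
+properties:
+durationSeconds:
+format: int32
+type: integer
+externalID:
+type: string
+policy:
+type: string
+policyArns:
+items:
+type: string
+type: array
+roleArn:
+type: string
+sessionName:
+type: string
+required:
+- roleArn
+type: object
 awsRegion:
 type: string
 queueName:
@@ -5530,6 +5570,26 @@ spec:
 type: object
 sqs:
 properties:
+assumeRole:
+properties:
+durationSeconds:
+format: int32
+type: integer
+externalID:
+type: string
+policy:
+type: string
+policyArns:
+items:
+type: string
+type: array
+roleArn:
+type: string
+sessionName:
+type: string
+required:
+- roleArn
+type: object
 attributeNames:
 items:
 type: string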

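--- a/config/base/crds/full/numaflow.numaproj.io_pipelines.yaml
+++ b/config/base/crds/full/numaflow.numaproj.io_pipelines.yaml
@@ -8834,6 +8834,26 @@ spec:
 type: object
 sqs:
 properties:
+assumeRole:
+properties:
+durationSeconds:
+format: int32
+type: integer
+externalID:
+type: string
+policy:
+type: string
+policyArns:
+items:
+type: string
+type: array
+roleArn:
+type: string
+sessionName:
+type: string
+required:
+- roleArn
+type: object
 awsRegion:
 type: string
 queueName:
@@ -9498,6 +9518,26 @@ spec:
 type: object
 sqs:
 properties:
+assumeRole:
+properties:
+durationSeconds:
+format: int32
+type: integer
+externalID:
+type: string
+policy:
+type: string
+policyArns:
+items:
+type: string
+type: array
+roleArn:
+type: string
+sessionName:
+type: string
+required:
+- roleArn
+type: object
 awsRegion:
 type: string
 queueName:
@@ -10430,6 +10470,26 @@ spec:
 type: object
 sqs:
 properties:
+assumeRole:
+properties:
+durationSeconds:
+format: int32
+type: integer
+externalID:
+type: string
+policy:
+type: string
+policyArns:
+items:
+type: string
+type: array
+roleArn:
+type: string
+sessionName:
+type: string
+required:
+- roleArn
+type: object
 attributeNames:
 items:
 type: string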

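--- a/config/base/crds/full/numaflow.numaproj.io_servingpipelines.yaml
+++ b/config/base/crds/full/numaflow.numaproj.io_servingpipelines.yaml
@@ -8813,6 +8813,26 @@ spec:
 type: object
 sqs:
 properties:
+assumeRole:
+properties:
+durationSeconds:
+format: int32
+type: integer
+externalID:
+type: string
+policy:
+type: string
+policyArns:
+items:
+type: string
+type: array
+roleArn:
+type: string
+sessionName:
+type: string
+required:
+- roleArn
+type: object
 awsRegion:
 type: string
 queueName:
@@ -9477,6 +9497,26 @@ spec:
 type: object
 sqs:
 properties:
+assumeRole:
+properties:
+durationSeconds:
+format: int32
+type: integer
+externalID:
+type: string
+policy:
+type: string
+policyArns:
+items:
+type: string
+type: array
+roleArn:
+type: string
+sessionName:
+type: string
+required:
+- roleArn
+type: object
 awsRegion:
 type: string
 queueName:
@@ -10409,6 +10449,26 @@ spec:
 type: object
 sqs:
 properties:
+assumeRole:
+properties:
+durationSeconds:
+format: int32
+type: integer
+externalID:
+type: string
+policy:
+type: string
+policyArns:
+items:
+type: string
+type: array
+roleArn:
+type: string
+sessionName:
+type: string
+required:
+- roleArn
+type: object
 attributeNames:
 items:
 type: string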
