S3UTILS-222: run fix script inside vault container with aws-sdk v2

Switch from @aws-sdk/client-iam v3 to aws-sdk v2 so the fix script can
run inside the vault container of older S3C versions (pre-9.5.2) where
only v2 is available. Update README workflow to copy and execute the fix
script inside the vault container instead of running it externally.

Author: nicolas2bert

package.json

@@ -26,7 +26,6 @@
   },
   "homepage": "https://github.com/scality/s3utils#readme",
   "dependencies": {
-    "@aws-sdk/client-iam": "^3.962.0",
     "@aws-sdk/client-s3": "^3.873.0",
     "@aws-sdk/node-http-handler": "^3.374.0",
     "@scality/cloudserverclient": "^1.0.4",
@@ -55,6 +54,8 @@
     "string-width": "4.2.3"
   },
   "devDependencies": {
+    "@aws-sdk/client-iam": "^3.962.0",
+    "aws-sdk": "^2.1692.0",
     "@scality/eslint-config-scality": "scality/Guidelines#8.3.0",
     "@sinonjs/fake-timers": "^14.0.0",
     "eslint": "^9.14.0",

replicationAudit/README.md

@@ -1,12 +1,15 @@
 # TL;DR Complete Workflow Example
 
-Here's a complete example running the two scripts and audit the IAM policies used by CRR:
+Here's a complete example running the two scripts and audit the IAM policies used by CRR.
+
+Use the fix-missing-replication-permissions.js script (step 7) to correct any missing permissions found by the check script. If the fix script fails with "missing ownerDisplayName", re-run check-replication-permissions.js — this field was added in s3utils 1.17.5.
 
 From your local machine: copy scripts to the supervisor
 
 ```bash
 scp replicationAudit/list-buckets-with-replication.sh root@<supervisor-ip>:/root/
 scp replicationAudit/check-replication-permissions.js root@<supervisor-ip>:/root/
+scp replicationAudit/fix-missing-replication-permissions.js root@<supervisor-ip>:/root/
 ```
 
 Connect to the supervisor
@@ -26,6 +29,8 @@ ansible -i env/$ENV_DIR/inventory runners_s3[0] -m copy \
     -a 'src=/root/list-buckets-with-replication.sh dest=/root/'
 ansible -i env/$ENV_DIR/inventory runners_s3[0] -m copy \
     -a 'src=/root/check-replication-permissions.js dest={{ env_host_logs}}/scality-vault{{ container_name_suffix | default("")}}/logs'
+ansible -i env/$ENV_DIR/inventory runners_s3[0] -m copy \
+    -a 'src=/root/fix-missing-replication-permissions.js dest={{ env_host_logs}}/scality-vault{{ container_name_suffix | default("")}}/logs'
 
 # Step 2: Run list-buckets-with-replication.sh
 ansible -i env/$ENV_DIR/inventory runners_s3[0] -m shell \
@@ -50,19 +55,34 @@ ansible -i env/$ENV_DIR/inventory runners_s3[0] -m shell \
     -a 'cat {{ env_host_logs}}/scality-vault{{ container_name_suffix | default("")}}/logs/missing.json' \
     | grep -v CHANGED | tee /root/replicationAudit_missing.json
 
-# Step 6: Clean up remote files
+# Step 6: Fix missing permissions
+# Copy admin credentials and missing.json to vault container and run inside it
+ansible -i env/$ENV_DIR/inventory runners_s3[0] -m copy \
+    -a "src=/srv/scality/s3/s3-offline/federation/env/$ENV_DIR/vault/admin-clientprofile/admin1.json dest={{ env_host_logs}}/scality-vault{{ container_name_suffix | default("")}}/logs"
+
+ansible -i env/$ENV_DIR/inventory runners_s3[0] -m copy \
+    -a 'src=/root/replicationAudit_missing.json dest={{ env_host_logs}}/scality-vault{{ container_name_suffix | default("")}}/logs/missing.json'
+
+ansible -i env/$ENV_DIR/inventory runners_s3[0] -m shell \
+    -a 'ctrctl exec scality-vault{{ container_name_suffix | default("")}} env NODE_PATH=/home/scality/vault/node_modules node /logs/fix-missing-replication-permissions.js \
+        /logs/missing.json localhost /logs/admin1.json /logs/replication-fix-results.json'
+
+# Retrieve fix results
+ansible -i env/$ENV_DIR/inventory runners_s3[0] -m shell \
+    -a 'cat {{ env_host_logs}}/scality-vault{{ container_name_suffix | default("")}}/logs/replication-fix-results.json' \
+    | grep -v CHANGED | tee /root/replicationAudit_fix_results.json
+
+# Step 7: Re-run check to verify fixes (repeat steps 3-5)
+
+# Step 8: Clean up remote files
 ansible -i env/$ENV_DIR/inventory runners_s3[0] -m shell \
     -a 'rm -f {{ env_host_logs}}/scality-vault{{ container_name_suffix | default("")}}/logs/missing.json \
        {{ env_host_logs}}/scality-vault{{ container_name_suffix | default("")}}/logs/check-replication-permissions.js \
+       {{ env_host_logs}}/scality-vault{{ container_name_suffix | default("")}}/logs/fix-missing-replication-permissions.js \
        {{ env_host_logs}}/scality-vault{{ container_name_suffix | default("")}}/logs/buckets-with-replication.json \
+       {{ env_host_logs}}/scality-vault{{ container_name_suffix | default("")}}/logs/replication-fix-results.json \
+       {{ env_host_logs}}/scality-vault{{ container_name_suffix | default("")}}/logs/admin1.json \
        /root/list-buckets-with-replication.sh'
-
-# Step 7 (optional): Fix missing permissions
-# Run from your local machine (requires vaultclient and @aws-sdk/client-iam)
-node replicationAudit/fix-missing-replication-permissions.js \
-    /root/replicationAudit_missing.json <supervisor-ip> admin1.json
-
-# Step 8: Re-run check to verify fixes (repeat steps 3-5)
 ```
 
 # Scripts Documentation
@@ -497,8 +517,7 @@ if the policy already exists, its document is guaranteed to be identical.
   ```
   /srv/scality/s3/s3-offline/federation/env/<ENV_DIR>/vault/admin-clientprofile/admin1.json
   ```
-- Network access to Vault admin/IAM API (port 8600) from the machine running the script
-- `vaultclient` and `@aws-sdk/client-iam` installed (both in s3utils dependencies)
+- The script runs inside the vault container (`scality-vault`), which has `vaultclient` and `aws-sdk` pre-installed
 
 ### Usage
 
@@ -509,7 +528,7 @@ node fix-missing-replication-permissions.js <input-file> <vault-host> <admin-con
 | Argument | Default | Description |
 |----------|---------|-------------|
 | `input-file` | (required) | Path to missing.json from check script |
-| `vault-host` | (required) | Vault admin host (e.g., 13.50.166.21) |
+| `vault-host` | (required) | Vault admin host (use `localhost` when running inside the vault container) |
 | `admin-config` | (required) | Path to admin credentials JSON |
 | `output-file` | replication-fix-results.json | Output file path |
 | `--iam-port <port>` | 8600 | Vault admin and IAM API port |

replicationAudit/fix-missing-replication-permissions.js

@@ -19,21 +19,20 @@
  *
  * Usage: node fix-missing-replication-permissions.js <input-file> <vault-host> <admin-config> [output-file] [--iam-port <port>] [--https] [--dry-run]
  *
- * Requires: vaultclient, @aws-sdk/client-iam (both in s3utils dependencies)
+ * Requires: vaultclient, aws-sdk (both available in vault container)
+ *
+ * Note: This script uses aws-sdk v2 (not @aws-sdk/client-iam v3) because it
+ * is meant to be copied into the vault container of older S3C versions
+ * (before S3C 9.5.2 / Vault 7.84.0) where aws-sdk v2 is available but
+ * @aws-sdk/client-iam v3 is not.
  */
 
 const fs = require('fs');
 const http = require('http');
 const https = require('https');
 const { parseArgs } = require('util');
 const { Client: VaultClient } = require('vaultclient');
-const {
-    IAMClient,
-    CreatePolicyCommand,
-    AttachRolePolicyCommand,
-    DeleteAccessKeyCommand,
-} = require('@aws-sdk/client-iam');
-const { NodeHttpHandler } = require('@aws-sdk/node-http-handler');
+const AWS = require('aws-sdk');
 
 // ===========================================================================
 // Constants
@@ -121,19 +120,17 @@ function generateAccountAccessKeyAsync(client, accountName, options) {
 /** Create an IAM client for a given account */
 function createIAMClient(config, accessKeyId, secretKey) {
     const protocol = config.useHttps ? 'https' : 'http';
-    return new IAMClient({
-        region: 'us-east-1',
+    return new AWS.IAM({
         endpoint: `${protocol}://${config.vaultHost}:${config.iamPort}`,
-        credentials: { accessKeyId, secretAccessKey: secretKey },
-        requestHandler: new NodeHttpHandler({
-            httpAgent: new http.Agent({ keepAlive: true }),
-            // TBD: rejectUnauthorized: false disables certificate validation.
-            // Consider accepting a CA cert path via CLI option instead.
-            httpsAgent: new https.Agent({
-                keepAlive: true,
-                rejectUnauthorized: false,
-            }),
-        }),
+        region: 'us-east-1',
+        accessKeyId,
+        secretAccessKey: secretKey,
+        sslEnabled: config.useHttps,
+        httpOptions: {
+            agent: config.useHttps
+                ? new https.Agent({ keepAlive: true, rejectUnauthorized: false })
+                : new http.Agent({ keepAlive: true }),
+        },
     });
 }
 
@@ -271,16 +268,15 @@ async function main() {
             // a no-op if the policy is already attached to the role.
             let policyArn;
             try {
-                const resp = await iamClient.send(new CreatePolicyCommand({
+                const resp = await iamClient.createPolicy({
                     PolicyName: policyName,
                     PolicyDocument: JSON.stringify(policyDocument),
-                }));
+                }).promise();
                 policyArn = resp.Policy.Arn;
                 outcome.metadata.counts.policiesCreated++;
                 log(`  Created policy "${policyName}"`);
             } catch (err) {
-                if (err.name === 'EntityAlreadyExistsException'
-                    || err.Code === 'EntityAlreadyExists') {
+                if (err.code === 'EntityAlreadyExists') {
                     policyArn = `arn:aws:iam::${accountId}:policy/${policyName}`;
                     log(`  Policy "${policyName}" already exists, skipping`);
                 } else {
@@ -290,10 +286,10 @@ async function main() {
 
             fix.policyArn = policyArn;
 
-            await iamClient.send(new AttachRolePolicyCommand({
+            await iamClient.attachRolePolicy({
                 RoleName: roleName,
                 PolicyArn: policyArn,
-            }));
+            }).promise();
             outcome.metadata.counts.policiesAttached++;
             log(`  Attached policy to role "${roleName}"`);
 
@@ -320,9 +316,9 @@ async function main() {
     // Cleanup: delete all temporary keys via IAM DeleteAccessKey
     for (const [accountId, { accountName, accessKeyId, iamClient }] of accountCache) {
         try {
-            await iamClient.send(new DeleteAccessKeyCommand({
+            await iamClient.deleteAccessKey({
                 AccessKeyId: accessKeyId,
-            }));
+            }).promise();
             outcome.metadata.counts.keysDeleted++;
             log(`Deleted temp key for account "${accountName}" (${accountId})`);
         } catch (err) {

yarn.lock

@@ -3554,6 +3554,22 @@ aws-sdk@^2.1691.0:
     uuid "8.0.0"
     xml2js "0.6.2"
 
+aws-sdk@^2.1692.0:
+  version "2.1693.0"
+  resolved "https://registry.yarnpkg.com/aws-sdk/-/aws-sdk-2.1693.0.tgz#fda38671af3dc5fa8117e9aa09cf6ce37e34010e"
+  integrity sha512-cJmb8xEnVLT+R6fBS5sn/EFJiX7tUnDaPtOPZ1vFbOJtd0fnZn/Ky2XGgsvvoeliWeH7mL3TWSX5zXXGSQV6gQ==
+  dependencies:
+    buffer "4.9.2"
+    events "1.1.1"
+    ieee754 "1.1.13"
+    jmespath "0.16.0"
+    querystring "0.2.0"
+    sax "1.2.1"
+    url "0.10.3"
+    util "^0.12.4"
+    uuid "8.0.0"
+    xml2js "0.6.2"
+
 b4a@^1.6.4:
   version "1.7.3"
   resolved "https://registry.yarnpkg.com/b4a/-/b4a-1.7.3.tgz#24cf7ccda28f5465b66aec2bac69e32809bf112f"