API tools faq
paste
Advertisement
Guest User

Untitled

a guest
May 25th, 2018
339
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 12.95 KB | None | 0 0
raw download clone embed print report
  1. import boto3
  2. import json
  3. import logging
  4. import os
  5. import pg
  6. import pgdb
  7.  
  8. logger = logging.getLogger()
  9. logger.setLevel(logging.INFO)
  10.  
  11.  
  12. def lambda_handler(event, context):
  13.     """Secrets Manager RDS PostgreSQL Handler
  14.  
  15.    This handler uses the single-user rotation scheme to rotate an RDS PostgreSQL user credential. This rotation
  16.    scheme logs into the database as the user and rotates the user's own password, immediately invalidating the
  17.    user's previous password.
  18.  
  19.    The Secret SecretString is expected to be a JSON string with the following format:
  20.    {
  21.        'engine': <required: must be set to 'postgres'>,
  22.        'host': <required: instance host name>,
  23.        'username': <required: username>,
  24.        'password': <required: password>,
  25.        'dbname': <optional: database name, default to 'postgres'>,
  26.        'port': <optional: if not specified, default port 5432 will be used>
  27.    }
  28.  
  29.    Args:
  30.        event (dict): Lambda dictionary of event parameters. These keys must include the following:
  31.            - SecretId: The secret ARN or identifier
  32.            - ClientRequestToken: The ClientRequestToken of the secret version
  33.            - Step: The rotation step (one of createSecret, setSecret, testSecret, or finishSecret)
  34.  
  35.        context (LambdaContext): The Lambda runtime information
  36.  
  37.    Raises:
  38.        ResourceNotFoundException: If the secret with the specified arn and stage does not exist
  39.  
  40.        ValueError: If the secret is not properly configured for rotation
  41.  
  42.        KeyError: If the secret json does not contain the expected keys
  43.  
  44.    """
  45.     arn = event['SecretId']
  46.     token = event['ClientRequestToken']
  47.     step = event['Step']
  48.  
  49.     # Setup the client
  50.     service_client = boto3.client('secretsmanager', endpoint_url=os.environ['SECRETS_MANAGER_ENDPOINT'])
  51.  
  52.     # Make sure the version is staged correctly
  53.     metadata = service_client.describe_secret(SecretId=arn)
  54.     if "RotationEnabled" in metadata and not metadata['RotationEnabled']:
  55.         logger.error("Secret %s is not enabled for rotation" % arn)
  56.         raise ValueError("Secret %s is not enabled for rotation" % arn)
  57.     versions = metadata['VersionIdsToStages']
  58.     if token not in versions:
  59.         logger.error("Secret version %s has no stage for rotation of secret %s." % (token, arn))
  60.         raise ValueError("Secret version %s has no stage for rotation of secret %s." % (token, arn))
  61.     if "AWSCURRENT" in versions[token]:
  62.         logger.info("Secret version %s already set as AWSCURRENT for secret %s." % (token, arn))
  63.         return
  64.     elif "AWSPENDING" not in versions[token]:
  65.         logger.error("Secret version %s not set as AWSPENDING for rotation of secret %s." % (token, arn))
  66.         raise ValueError("Secret version %s not set as AWSPENDING for rotation of secret %s." % (token, arn))
  67.  
  68.     # Call the appropriate step
  69.     if step == "createSecret":
  70.         create_secret(service_client, arn, token)
  71.  
  72.     elif step == "setSecret":
  73.         set_secret(service_client, arn, token)
  74.  
  75.     elif step == "testSecret":
  76.         test_secret(service_client, arn, token)
  77.  
  78.     elif step == "finishSecret":
  79.         finish_secret(service_client, arn, token)
  80.  
  81.     else:
  82.         logger.error("lambda_handler: Invalid step parameter %s for secret %s" % (step, arn))
  83.         raise ValueError("Invalid step parameter %s for secret %s" % (step, arn))
  84.  
  85.  
  86. def create_secret(service_client, arn, token):
  87.     """Generate a new secret
  88.  
  89.    This method first checks for the existence of a secret for the passed in token. If one does not exist, it will generate a
  90.    new secret and put it with the passed in token.
  91.  
  92.    Args:
  93.        service_client (client): The secrets manager service client
  94.  
  95.        arn (string): The secret ARN or other identifier
  96.  
  97.        token (string): The ClientRequestToken associated with the secret version
  98.  
  99.    Raises:
  100.        ValueError: If the current secret is not valid JSON
  101.  
  102.        KeyError: If the secret json does not contain the expected keys
  103.  
  104.    """
  105.     # Make sure the current secret exists
  106.     current_dict = get_secret_dict(service_client, arn, "AWSCURRENT")
  107.  
  108.     # Now try to get the secret version, if that fails, put a new secret
  109.     try:
  110.         get_secret_dict(service_client, arn, "AWSPENDING", token)
  111.         logger.info("createSecret: Successfully retrieved secret for %s." % arn)
  112.     except service_client.exceptions.ResourceNotFoundException:
  113.         # Generate a random password
  114.         passwd = service_client.get_random_password(ExcludeCharacters='/@"\'\\')
  115.         current_dict['password'] = passwd['RandomPassword']
  116.  
  117.         # Put the secret
  118.         service_client.put_secret_value(SecretId=arn, ClientRequestToken=token, SecretString=json.dumps(current_dict), VersionStages=['AWSPENDING'])
  119.         logger.info("createSecret: Successfully put secret for ARN %s and version %s." % (arn, token))
  120.  
  121.  
  122. def set_secret(service_client, arn, token):
  123.     """Set the pending secret in the database
  124.  
  125.    This method tries to login to the database with the AWSPENDING secret and returns on success. If that fails, it
  126.    tries to login with the AWSCURRENT and AWSPREVIOUS secrets. If either one succeeds, it sets the AWSPENDING password
  127.    as the user password in the database. Else, it throws a ValueError.
  128.  
  129.    Args:
  130.        service_client (client): The secrets manager service client
  131.  
  132.        arn (string): The secret ARN or other identifier
  133.  
  134.        token (string): The ClientRequestToken associated with the secret version
  135.  
  136.    Raises:
  137.        ResourceNotFoundException: If the secret with the specified arn and stage does not exist
  138.  
  139.        ValueError: If the secret is not valid JSON or valid credentials are found to login to the database
  140.  
  141.        KeyError: If the secret json does not contain the expected keys
  142.  
  143.    """
  144.     # First try to login with the pending secret, if it succeeds, return
  145.     pending_dict = get_secret_dict(service_client, arn, "AWSPENDING", token)
  146.     conn = get_connection(pending_dict)
  147.     if conn:
  148.         conn.close()
  149.         logger.info("setSecret: AWSPENDING secret is already set as password in PostgreSQL DB for secret arn %s." % arn)
  150.         return
  151.  
  152.     # Now try the current password
  153.     conn = get_connection(get_secret_dict(service_client, arn, "AWSCURRENT"))
  154.     if not conn:
  155.         # If both current and pending do not work, try previous
  156.         try:
  157.             conn = get_connection(get_secret_dict(service_client, arn, "AWSPREVIOUS"))
  158.         except service_client.exceptions.ResourceNotFoundException:
  159.             conn = None
  160.  
  161.     # If we still don't have a connection, raise a ValueError
  162.     if not conn:
  163.         logger.error("setSecret: Unable to log into database with previous, current, or pending secret of secret arn %s" % arn)
  164.         raise ValueError("Unable to log into database with previous, current, or pending secret of secret arn %s" % arn)
  165.  
  166.     # Now set the password to the pending password
  167.     try:
  168.         with conn.cursor() as cur:
  169.             alter_role = "ALTER USER %s" % pending_dict['username']
  170.             cur.execute(alter_role + " WITH PASSWORD %s", (pending_dict['password'],))
  171.             conn.commit()
  172.             logger.info("setSecret: Successfully set password for user %s in PostgreSQL DB for secret arn %s." % (pending_dict['username'], arn))
  173.     finally:
  174.         conn.close()
  175.  
  176.  
  177. def test_secret(service_client, arn, token):
  178.     """Test the pending secret against the database
  179.  
  180.    This method tries to log into the database with the secrets staged with AWSPENDING and runs
  181.    a permissions check to ensure the user has the corrrect permissions.
  182.  
  183.    Args:
  184.        service_client (client): The secrets manager service client
  185.  
  186.        arn (string): The secret ARN or other identifier
  187.  
  188.        token (string): The ClientRequestToken associated with the secret version
  189.  
  190.    Raises:
  191.        ResourceNotFoundException: If the secret with the specified arn and stage does not exist
  192.  
  193.        ValueError: If the secret is not valid JSON or valid credentials are found to login to the database
  194.  
  195.        KeyError: If the secret json does not contain the expected keys
  196.  
  197.    """
  198.     # Try to login with the pending secret, if it succeeds, return
  199.     conn = get_connection(get_secret_dict(service_client, arn, "AWSPENDING", token))
  200.     if conn:
  201.         # This is where the lambda will validate the user's permissions. Uncomment/modify the below lines to
  202.         # tailor these validations to your needs
  203.         try:
  204.             with conn.cursor() as cur:
  205.                 cur.execute("SELECT NOW()")
  206.                 conn.commit()
  207.         finally:
  208.             conn.close()
  209.  
  210.         logger.info("testSecret: Successfully signed into PostgreSQL DB with AWSPENDING secret in %s." % arn)
  211.         return
  212.     else:
  213.         logger.error("testSecret: Unable to log into database with pending secret of secret ARN %s" % arn)
  214.         raise ValueError("Unable to log into database with pending secret of secret ARN %s" % arn)
  215.  
  216.  
  217. def finish_secret(service_client, arn, token):
  218.     """Finish the rotation by marking the pending secret as current
  219.  
  220.    This method finishes the secret rotation by staging the secret staged AWSPENDING with the AWSCURRENT stage.
  221.  
  222.    Args:
  223.        service_client (client): The secrets manager service client
  224.  
  225.        arn (string): The secret ARN or other identifier
  226.  
  227.        token (string): The ClientRequestToken associated with the secret version
  228.  
  229.    """
  230.     # First describe the secret to get the current version
  231.     metadata = service_client.describe_secret(SecretId=arn)
  232.     current_version = None
  233.     for version in metadata["VersionIdsToStages"]:
  234.         if "AWSCURRENT" in metadata["VersionIdsToStages"][version]:
  235.             if version == token:
  236.                 # The correct version is already marked as current, return
  237.                 logger.info("finishSecret: Version %s already marked as AWSCURRENT for %s" % (version, arn))
  238.                 return
  239.             current_version = version
  240.             break
  241.  
  242.     # Finalize by staging the secret version current
  243.     service_client.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT", MoveToVersionId=token, RemoveFromVersionId=current_version)
  244.     logger.info("finishSecret: Successfully set AWSCURRENT stage to version %s for secret %s." % (version, arn))
  245.  
  246.  
  247. def get_connection(secret_dict):
  248.     """Gets a connection to PostgreSQL DB from a secret dictionary
  249.  
  250.    This helper function tries to connect to the database grabbing connection info
  251.    from the secret dictionary. If successful, it returns the connection, else None
  252.  
  253.    Args:
  254.        secret_dict (dict): The Secret Dictionary
  255.  
  256.    Returns:
  257.        Connection: The pgdb.Connection object if successful. None otherwise
  258.  
  259.    Raises:
  260.        KeyError: If the secret json does not contain the expected keys
  261.  
  262.    """
  263.     # Parse and validate the secret JSON string
  264.     port = int(secret_dict['port']) if 'port' in secret_dict else 5432
  265.     dbname = secret_dict['dbname'] if 'dbname' in secret_dict else "postgres"
  266.  
  267.     # Try to obtain a connection to the db
  268.     try:
  269.         conn = pgdb.connect(host=secret_dict['host'], user=secret_dict['username'], password=secret_dict['password'], database=dbname, port=port, connect_timeout=5)
  270.         return conn
  271.     except pg.InternalError:
  272.         return None
  273.  
  274.  
  275. def get_secret_dict(service_client, arn, stage, token=None):
  276.     """Gets the secret dictionary corresponding for the secret arn, stage, and token
  277.  
  278.    This helper function gets credentials for the arn and stage passed in and returns the dictionary by parsing the JSON string
  279.  
  280.    Args:
  281.        service_client (client): The secrets manager service client
  282.  
  283.        arn (string): The secret ARN or other identifier
  284.  
  285.        token (string): The ClientRequestToken associated with the secret version, or None if no validation is desired
  286.  
  287.        stage (string): The stage identifying the secret version
  288.  
  289.    Returns:
  290.        SecretDictionary: Secret dictionary
  291.  
  292.    Raises:
  293.        ResourceNotFoundException: If the secret with the specified arn and stage does not exist
  294.  
  295.        ValueError: If the secret is not valid JSON
  296.  
  297.    """
  298.     required_fields = ['host', 'username', 'password']
  299.  
  300.     # Only do VersionId validation against the stage if a token is passed in
  301.     if token:
  302.         secret = service_client.get_secret_value(SecretId=arn, VersionId=token, VersionStage=stage)
  303.     else:
  304.         secret = service_client.get_secret_value(SecretId=arn, VersionStage=stage)
  305.     plaintext = secret['SecretString']
  306.     secret_dict = json.loads(plaintext)
  307.  
  308.     # Run validations against the secret
  309.     if 'engine' not in secret_dict or secret_dict['engine'] != 'postgres':
  310.         raise KeyError("Database engine must be set to 'postgres' in order to use this rotation lambda")
  311.     for field in required_fields:
  312.         if field not in secret_dict:
  313.             raise KeyError("%s key is missing from secret JSON" % field)
  314.  
  315.     # Parse and return the secret JSON string
  316.     return secret_dict
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!