feat: Add AWS SigV4 authentication support for OpenSearch and OpenSearch Serverless#357
Open
MgeeeeK wants to merge 2 commits intoAiven-Open:mainfrom
Open
feat: Add AWS SigV4 authentication support for OpenSearch and OpenSearch Serverless#357MgeeeeK wants to merge 2 commits intoAiven-Open:mainfrom
MgeeeeK wants to merge 2 commits intoAiven-Open:mainfrom
Conversation
…rch Serverless
This commit adds support for authenticating to Amazon OpenSearch Service and
Amazon OpenSearch Serverless (AOSS) using AWS SigV4 signing with IAM credentials.
Changes:
- Add OpensearchAwsAuthConfigurator implementing SPI interfaces for AWS auth
- Add AWS SDK dependencies (auth, regions, sts, http-auth-aws)
- Add aws-request-signing-apache-interceptor for HTTP request signing
- Update RequestBuilder to handle AOSS (no explicit document IDs)
- Register AWS auth configurator in META-INF services
The implementation supports:
- IAM Roles for Service Accounts (IRSA) in Kubernetes
- Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
- EC2 instance profiles
- AWS profiles via DefaultCredentialsProvider chain
Configuration:
- aws.auth.region: AWS region (e.g., us-west-2)
- aws.auth.service.name: Service name ("es" or "aoss")
|
@willyborankin It's worth reviewing this PR as well, as it implements usage of Thanks for the work you're putting into this |
Collaborator
I already added this functionality in the new version. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR adds support for authenticating to Amazon OpenSearch Service and Amazon OpenSearch Serverless (AOSS) using AWS SigV4 signing with IAM credentials.
Changes
OpensearchAwsAuthConfiguratorimplementing SPI interfaces for AWS authenticationRequestBuilderto handle AOSS requirement (no explicit document IDs)Features
The implementation supports multiple credential sources via AWS SDK's
DefaultCredentialsProviderchain:AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY)Configuration
New connector configuration properties:
aws.auth.region: AWS region for SigV4 signing (e.g.,us-west-2) - Requiredaws.auth.service.name: Service name for SigV4 signing -esfor OpenSearch Service oraossfor OpenSearch Serverless - RequiredExample Configuration
{ "connection.url": "https://search-domain.us-west-2.es.amazonaws.com", "aws.auth.region": "us-west-2", "aws.auth.service.name": "es" }Testing
Tested with:
Notes
aws.auth.service.name=aoss