add support for IAM auth to OpenSearch Serverless (#644)

Phil Varner · web-flow · commit 262703eb9233 · 2023-11-28T13:21:13.000Z
* add support for IAM auth to OpenSearch Serverless

* remove mod to serve
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,8 +7,14 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased] - TBD
 
+### Added
+
+- Added support for AWS IAM authentication to AWS OpenSearch Serverless
+
 ### Changed
 
+- Replaced use of aws-os-connection library for AWS IAM authentication with support
+  in opensearch-js.
 - Default to OpenSearch 2.11
 
 ## [3.0.0] - 2023-11-09
@@ -380,7 +386,7 @@ Initial release, forked from [sat-api](https://github.com/sat-utils/sat-api/tree
 
 Compliant with STAC 0.9.0
 
-<!-- [Unreleased]: https://github.com/stac-utils/stac-api/compare/v2.4.0...main -->
+[Unreleased]: https://github.com/stac-utils/stac-api/compare/v2.4.0...main
 [3.0.0]: https://github.com/stac-utils/stac-api/compare/v2.4.0...v3.0.0
 [2.4.0]: https://github.com/stac-utils/stac-api/compare/v2.3.0...v2.4.0
 [2.3.0]: https://github.com/stac-utils/stac-api/compare/v2.2.3...v2.3.0
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -65,10 +65,10 @@
     "@aws-sdk/client-secrets-manager": "^3.441.0",
     "@aws-sdk/client-sns": "^3.431.0",
     "@aws-sdk/client-sqs": "^3.431.0",
+    "@aws-sdk/credential-provider-node": "^3.458.0",
     "@aws-sdk/s3-request-presigner": "^3.458.0",
     "@mapbox/extent": "^0.4.0",
     "@opensearch-project/opensearch": "^2.4.0",
-    "aws-os-connection": "^0.2.0",
     "cors": "^2.8.5",
     "express": "^4.18.2",
     "got": "^13.0.0",
@@ -85,9 +85,9 @@
     "zod": "^3.22.4"
   },
   "devDependencies": {
-    "@tsconfig/node18": "^18.2.2",
     "@ava/typescript": "^4.1.0",
     "@stoplight/spectral-cli": "^6.11.0",
+    "@tsconfig/node18": "^18.2.2",
     "@types/aws-lambda": "^8.10.125",
     "@types/cors": "^2.8.17",
     "@types/express": "^4.17.21",
diff --git a/src/lambdas/ingest/index.js b/src/lambdas/ingest/index.js
@@ -1,6 +1,6 @@
 /* eslint-disable import/prefer-default-export */
 import got from 'got' // eslint-disable-line import/no-unresolved
-import { createIndex } from '../../lib/databaseClient.js'
+import { createIndex } from '../../lib/database-client.js'
 import { ingestItems, publishResultsToSns } from '../../lib/ingest.js'
 import getObjectJson from '../../lib/s3-utils.js'
 import logger from '../../lib/logger.js'
diff --git a/src/lib/database-client.js b/src/lib/database-client.js
@@ -1,6 +1,8 @@
 import { Client } from '@opensearch-project/opensearch'
-import { createAWSConnection as createAWSConnectionOS, awsGetCredentials } from 'aws-os-connection'
 
+// eslint-disable-next-line import/no-unresolved
+import { AwsSigv4Signer } from '@opensearch-project/opensearch/aws'
+import { defaultProvider } from '@aws-sdk/credential-provider-node'
 import { SecretsManager, GetSecretValueCommand } from '@aws-sdk/client-secrets-manager'
 
 import collectionsIndexConfiguration from '../../fixtures/collections.js'
@@ -16,6 +18,17 @@ function createClientWithUsernameAndPassword(host, username, password) {
   })
 }
 
+function createClientWithAwsAuth(host) {
+  return new Client({
+    ...AwsSigv4Signer({
+      region: process.env['AWS_REGION'] || 'us-west-2',
+      service: host.endsWith('aoss.amazonaws.com') ? 'aoss' : 'es',
+      getCredentials: () => defaultProvider()(),
+    }),
+    node: host
+  })
+}
+
 // Connect to a search database instance
 export async function connect() {
   let client
@@ -42,11 +55,7 @@ export async function connect() {
     } else if (envUsername && envPassword) {
       client = createClientWithUsernameAndPassword(host, envUsername, envPassword)
     } else {
-      // authenticate with IAM, fine-grained perms not enabled
-      client = new Client({
-        ...createAWSConnectionOS(await awsGetCredentials()),
-        node: host
-      })
+      client = createClientWithAwsAuth(host)
     }
   }
 
diff --git a/src/lib/database.js b/src/lib/database.js
@@ -1,4 +1,4 @@
-import { dbClient as _client, createIndex } from './databaseClient.js'
+import { dbClient as _client, createIndex } from './database-client.js'
 import logger from './logger.js'
 
 const COLLECTIONS_INDEX = process.env['COLLECTIONS_INDEX'] || 'collections'
diff --git a/src/lib/ingest.js b/src/lib/ingest.js
@@ -1,6 +1,6 @@
 import { getItemCreated } from './database.js'
 import { addItemLinks, addCollectionLinks } from './api.js'
-import { dbClient, createIndex } from './databaseClient.js'
+import { dbClient, createIndex } from './database-client.js'
 import logger from './logger.js'
 import { publishRecordToSns } from './sns.js'
 import { isCollection, isItem } from './stac-utils.js'
diff --git a/tests/helpers/database.js b/tests/helpers/database.js
@@ -1,4 +1,4 @@
-import { connect, createIndex } from '../../src/lib/databaseClient.js'
+import { connect, createIndex } from '../../src/lib/database-client.js'
 
 /**
  * @returns {Promise<void>}

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-import { dbClient as _client, createIndex } from './databaseClient.js'`
	`1`	`+import { dbClient as _client, createIndex } from './database-client.js'`
`2`	`2`	`import logger from './logger.js'`
`3`	`3`
`4`	`4`	`const COLLECTIONS_INDEX = process.env['COLLECTIONS_INDEX'] \|\| 'collections'`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-import { connect, createIndex } from '../../src/lib/databaseClient.js'`
	`1`	`+import { connect, createIndex } from '../../src/lib/database-client.js'`
`2`	`2`
`3`	`3`	`/**`
`4`	`4`	`* @returns {Promise<void>}`