Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 16 additions & 2 deletions CMakeLists.txt
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,21 @@ set(EXTENSION_NAME ${TARGET_NAME}_extension)
project(${TARGET_NAME})
include_directories(src/include)

set(EXTENSION_SOURCES src/aws_extension.cpp src/aws_secret.cpp)
# Capture the duckdb-aws extension's git short SHA at build time. Surfaced
# at runtime as the `created-by-version` auto-tag on every stack the
# cloudformation_* functions create.
execute_process(
COMMAND git rev-parse --short HEAD
WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}
OUTPUT_VARIABLE DUCKDB_AWS_GIT_SHA
OUTPUT_STRIP_TRAILING_WHITESPACE
ERROR_QUIET)
if(NOT DUCKDB_AWS_GIT_SHA)
set(DUCKDB_AWS_GIT_SHA "unknown")
endif()
add_compile_definitions(DUCKDB_AWS_GIT_SHA="${DUCKDB_AWS_GIT_SHA}")

set(EXTENSION_SOURCES src/aws_extension.cpp src/aws_secret.cpp src/cloudformation_functions.cpp)
add_library(${EXTENSION_NAME} STATIC ${EXTENSION_SOURCES})

set(PARAMETERS "-warnings")
Expand All @@ -16,7 +30,7 @@ build_loadable_extension(${TARGET_NAME} ${PARAMETERS} ${EXTENSION_SOURCES})
# Weirdly we need to manually to this, otherwise linking against
# ${AWSSDK_LINK_LIBRARIES} fails for some reason
find_package(ZLIB REQUIRED)
find_package(AWSSDK REQUIRED COMPONENTS core sso sts identity-management rds)
find_package(AWSSDK REQUIRED COMPONENTS core sso sts identity-management rds cloudformation)

# Build static lib
target_include_directories(${EXTENSION_NAME}
Expand Down
3 changes: 3 additions & 0 deletions src/aws_extension.cpp
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
#include "aws_secret.hpp"
#include "aws_extension.hpp"
#include "cloudformation_functions.hpp"

#include "duckdb.hpp"
#include "duckdb/common/exception.hpp"
Expand Down Expand Up @@ -146,6 +147,8 @@ static void LoadInternal(ExtensionLoader &loader) {
loader.RegisterFunction(function_set);

CreateAwsSecretFunctions::Register(loader);

CloudFormationFunctions::Register(loader);
}

void AwsExtension::Load(ExtensionLoader &loader) {
Expand Down
27 changes: 19 additions & 8 deletions src/aws_secret.cpp
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
#include "aws_secret.hpp"
#include "aws_client.hpp"

#include "duckdb/common/case_insensitive_map.hpp"
#include "duckdb/common/exception.hpp"
Expand Down Expand Up @@ -43,14 +44,8 @@ static struct {
const string default_ = "exists";
} CreateAwsSecretValidation;

//! Build a ClientConfiguration with the detected CA file path applied (if any).
//! This is required because libcurl is statically linked from a RHEL-based
//! manylinux image, so its default CA path is /etc/pki/tls/certs/ca-bundle.crt,
//! which does not exist on Debian/Ubuntu/Alpine/etc. Without this, every
//! credentials provider that does its own HTTPS (SSO, STS, RDS, ...) fails the
//! TLS handshake before it can fetch any credentials.
//! See duckdb/duckdb#20652, duckdb/duckdb-aws#131.
static Aws::Client::ClientConfiguration BuildClientConfigWithCa() {
//! See aws_client.hpp for rationale.
Aws::Client::ClientConfiguration BuildClientConfigWithCa() {
Aws::Client::ClientConfiguration cfg;
if (!SELECTED_CURL_CERT_PATH.empty()) {
cfg.caFile = SELECTED_CURL_CERT_PATH;
Expand Down Expand Up @@ -509,6 +504,22 @@ static unique_ptr<BaseSecret> CreateAWSSecretFromCredentialChain(ClientContext &
return std::move(result);
}

std::shared_ptr<Aws::Auth::AWSCredentialsProvider>
BuildAwsCredentialsProvider(const std::string &chain, bool require_credentials, const std::string &profile,
const std::string &assume_role_arn, const std::string &external_id,
const std::string &web_identity_token_file, const std::string &session_name) {
if (chain.empty()) {
if (!profile.empty()) {
return Aws::MakeShared<Aws::Auth::ProfileConfigFileAWSCredentialsProvider>("DuckDBAwsProfile",
profile.c_str());
}
return Aws::MakeShared<Aws::Auth::DefaultAWSCredentialsProviderChain>("DuckDBAwsDefault");
}
return Aws::MakeShared<DuckDBCustomAWSCredentialsProviderChain>("DuckDBCustomChain", chain, require_credentials,
profile, assume_role_arn, external_id,
web_identity_token_file, session_name);
}

void CreateAwsSecretFunctions::InitializeCurlCertificates(DatabaseInstance &db) {
for (string &caFile : certFileLocations) {
struct stat buf;
Expand Down
Loading
Loading