use of com.netflix.titus.ext.aws.AwsReactorExt in project titus-control-plane by Netflix.
From the class AwsIamConnector, method canAgentAssume.
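/**
 * Checks whether the agent role can assume the given IAM role, by calling STS {@code AssumeRole}
 * with a short-lived session, and caches the outcome.
 *
 * <p>A cached positive result completes empty; a cached negative result re-emits the stored error.
 * Only the "AccessDenied" outcome is cached as a negative result; any other STS failure (or a
 * client-side failure such as a timeout) is reported once and not cached, so the next call retries.
 *
 * <p>Note: the parameter is named {@code iamRoleName} but is passed to STS as the role ARN
 * ({@code withRoleArn}); callers are presumed to pass a full ARN — confirm against call sites.
 *
 * @param iamRoleName the IAM role (as an ARN) the agent should be able to assume
 * @return an empty {@link Mono} on success, or an error signal carrying an
 *         {@link IamConnectorException} describing why the role cannot be assumed
 */
@Override
public Mono<Void> canAgentAssume(String iamRoleName) {
    return Mono.defer(() -> {
        long startTime = registry.clock().wallTime();

        // Cache hit: replay the previously observed outcome without contacting STS.
        Either<Boolean, Throwable> lastCheck = canAssumeCache.getIfPresent(iamRoleName);
        if (lastCheck != null) {
            return lastCheck.hasValue() ? Mono.empty() : Mono.error(lastCheck.getError());
        }

        // Cache miss: must call the AWS STS service. The request is built lazily per subscription.
        return AwsReactorExt.<AssumeRoleRequest, AssumeRoleResult>toMono(
                () -> new AssumeRoleRequest()
                        .withRoleSessionName("titusIamRoleValidation")
                        .withRoleArn(iamRoleName)
                        .withDurationSeconds(MIN_ASSUMED_ROLE_DURATION_SEC),
                stsAgentClient::assumeRoleAsync
        ).flatMap(response -> {
            logger.debug("Assumed into: {}", iamRoleName);
            canAssumeCache.put(iamRoleName, Either.ofValue(true));
            connectorMetrics.success(IamConnectorMetrics.IamMethods.CanAgentAssume, startTime);
            return Mono.<Void>empty();
        }).onErrorMap(error -> {
            logger.debug("Error: {}", error.getMessage());
            connectorMetrics.failure(IamConnectorMetrics.IamMethods.CanAgentAssume, error, startTime);

            // The failure is not necessarily an STS service exception (e.g. a client-side
            // SdkClientException on network failure). An unconditional cast would throw
            // ClassCastException from inside onErrorMap and replace the real error, so only
            // extract the STS error code when the type actually matches.
            String errorCode = null;
            if (error instanceof AWSSecurityTokenServiceException) {
                errorCode = ((AWSSecurityTokenServiceException) error).getErrorCode();
            }

            if ("AccessDenied".equals(errorCode)) {
                // STS service returns access denied error with no additional clues. To get more insight we
                // would have to make a call to IAM service, but this would require access to all client accounts.
                IamConnectorException cannotAssumeError = IamConnectorException.iamRoleCannotAssume(
                        iamRoleName, configuration.getDataPlaneAgentRoleArn());
                // Negative result is cached so repeated checks of a denied role do not hit STS again.
                canAssumeCache.put(iamRoleName, Either.ofError(cannotAssumeError));
                return cannotAssumeError;
            }

            // Unexpected (possibly transient) error: surface it but do not cache it.
            return IamConnectorException.iamRoleUnexpectedError(iamRoleName, error.getMessage());
        });
    });
}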