Enhance credential management with multi-auth support and improved validation

Author: subash-onyx

backend/onyx/connectors/blob/connector.py

@@ -1,4 +1,5 @@
 import os
+import time
 from datetime import datetime
 from datetime import timezone
 from io import BytesIO
@@ -7,9 +8,11 @@
 
 import boto3  # type: ignore
 from botocore.client import Config  # type: ignore
+from botocore.credentials import RefreshableCredentials
 from botocore.exceptions import ClientError
 from botocore.exceptions import NoCredentialsError
 from botocore.exceptions import PartialCredentialsError
+from botocore.session import get_session
 from mypy_boto3_s3 import S3Client  # type: ignore
 
 from onyx.configs.app_configs import INDEX_BATCH_SIZE
@@ -61,7 +64,7 @@ def set_allow_images(self, allow_images: bool) -> None:
     def load_credentials(self, credentials: dict[str, Any]) -> dict[str, Any] | None:
         """Checks for boto3 credentials based on the bucket type.
         (1) R2: Access Key ID, Secret Access Key, Account ID
-        (2) S3: AWS Access Key ID, AWS Secret Access Key
+        (2) S3: AWS Access Key ID, AWS Secret Access Key or IAM role
         (3) GOOGLE_CLOUD_STORAGE: Access Key ID, Secret Access Key, Project ID
         (4) OCI_STORAGE: Namespace, Region, Access Key ID, Secret Access Key
 
@@ -95,17 +98,61 @@ def load_credentials(self, credentials: dict[str, Any]) -> dict[str, Any] | None
             )
 
         elif self.bucket_type == BlobType.S3:
-            if not all(
-                credentials.get(key)
-                for key in ["aws_access_key_id", "aws_secret_access_key"]
-            ):
-                raise ConnectorMissingCredentialError("Amazon S3")
-
-            session = boto3.Session(
-                aws_access_key_id=credentials["aws_access_key_id"],
-                aws_secret_access_key=credentials["aws_secret_access_key"],
+            # For S3, we can use either access keys or IAM roles.
+            authentication_method = credentials.get(
+                "authentication_method", "access_key"
+            )
+            logger.debug(
+                f"Using authentication method: {authentication_method} for S3 bucket."
             )
-            self.s3_client = session.client("s3")
+            if authentication_method == "access_key":
+                logger.debug("Using access key authentication for S3 bucket.")
+                if not all(
+                    credentials.get(key)
+                    for key in ["aws_access_key_id", "aws_secret_access_key"]
+                ):
+                    raise ConnectorMissingCredentialError("Amazon S3")
+
+                session = boto3.Session(
+                    aws_access_key_id=credentials["aws_access_key_id"],
+                    aws_secret_access_key=credentials["aws_secret_access_key"],
+                )
+                self.s3_client = session.client("s3")
+            elif authentication_method == "iam_role":
+                # If using IAM roles, we assume the role and let boto3 handle the credentials.
+                role_arn = credentials.get("aws_role_arn")
+                # create session name using timestamp
+                if not role_arn:
+                    raise ConnectorMissingCredentialError(
+                        "Amazon S3 IAM role ARN is required for assuming role."
+                    )
+
+                def _refresh_credentials() -> dict[str, str]:
+                    """Refreshes the credentials for the assumed role."""
+                    sts_client = boto3.client("sts")
+                    assumed_role_object = sts_client.assume_role(
+                        RoleArn=role_arn,
+                        RoleSessionName=f"onyx_blob_storage_{int(time.time())}",
+                    )
+                    creds = assumed_role_object["Credentials"]
+                    return {
+                        "access_key": creds["AccessKeyId"],
+                        "secret_key": creds["SecretAccessKey"],
+                        "token": creds["SessionToken"],
+                        "expiry_time": creds["Expiration"].isoformat(),
+                    }
+
+                refreshable = RefreshableCredentials.create_from_metadata(
+                    metadata=_refresh_credentials(),
+                    refresh_using=_refresh_credentials,
+                    method="sts-assume-role",
+                )
+                botocore_session = get_session()
+                botocore_session._credentials = refreshable  # type: ignore[attr-defined]
+                session = boto3.Session(botocore_session=botocore_session)
+                self.s3_client = session.client("s3")
+            else:
+                raise ConnectorValidationError("Invalid authentication method for S3. ")
 
         elif self.bucket_type == BlobType.GOOGLE_CLOUD_STORAGE:
             if not all(

web/src/components/credentials/actions/CreateCredential.tsx

@@ -29,6 +29,7 @@ import {
 } from "@/components/IsPublicGroupSelector";
 import { useUser } from "@/components/user/UserProvider";
 import CardSection from "@/components/admin/CardSection";
+import { CredentialFieldsRenderer } from "./CredentialFieldsRenderer";
 
 const CreateButton = ({
   onClick,
@@ -92,6 +93,7 @@ export default function CreateCredential({
   refresh?: () => void;
 }) {
   const [showAdvancedOptions, setShowAdvancedOptions] = useState(false);
+  const [authMethod, setAuthMethod] = useState<string>();
   const isPaidEnterpriseFeaturesEnabled = usePaidEnterpriseFeaturesEnabled();
 
   const { isAdmin } = useUser();
@@ -175,118 +177,122 @@ export default function CreateCredential({
   const credentialTemplate: dictionaryType = credentialTemplates[sourceType];
   const validationSchema = createValidationSchema(credentialTemplate);
 
+  // Set initial auth method for templates with multiple auth methods
+  const templateWithAuth = credentialTemplate as any;
+  const initialAuthMethod =
+    templateWithAuth?.authMethods?.[0]?.value || undefined;
+
   return (
     <Formik
       initialValues={
         {
           name: "",
           is_public: isAdmin || !isPaidEnterpriseFeaturesEnabled,
           groups: [],
+          ...(initialAuthMethod && {
+            authentication_method: initialAuthMethod,
+          }),
         } as formType
       }
       validationSchema={validationSchema}
       onSubmit={() => {}} // This will be overridden by our custom submit handlers
     >
-      {(formikProps) => (
-        <Form className="w-full flex items-stretch">
-          {!hideSource && (
-            <p className="text-sm">
-              Check our
-              <a
-                className="text-blue-600 hover:underline"
-                target="_blank"
-                href={getSourceDocLink(sourceType) || ""}
-              >
-                {" "}
-                docs{" "}
-              </a>
-              for information on setting up this connector.
-            </p>
-          )}
-          <CardSection className="w-full items-start dark:bg-neutral-900 mt-4 flex flex-col gap-y-6">
-            <TextFormField
-              name="name"
-              placeholder="(Optional) credential name.."
-              label="Name:"
-            />
-            {Object.entries(credentialTemplate).map(([key, val]) => {
-              if (typeof val === "boolean") {
-                return (
-                  <BooleanFormField
-                    key={key}
-                    name={key}
-                    label={getDisplayNameForCredentialKey(key)}
-                  />
-                );
-              }
-              return (
-                <TextFormField
-                  key={key}
-                  name={key}
-                  placeholder={val}
-                  label={getDisplayNameForCredentialKey(key)}
-                  type={
-                    key.toLowerCase().includes("token") ||
-                    key.toLowerCase().includes("password")
-                      ? "password"
-                      : "text"
-                  }
-                />
-              );
-            })}
-            {!swapConnector && (
-              <div className="mt-4 flex w-full flex-col sm:flex-row justify-between items-end">
-                <div className="w-full sm:w-3/4 mb-4 sm:mb-0">
-                  {isPaidEnterpriseFeaturesEnabled && (
-                    <div className="flex flex-col items-start">
-                      {isAdmin && (
-                        <AdvancedOptionsToggle
-                          showAdvancedOptions={showAdvancedOptions}
-                          setShowAdvancedOptions={setShowAdvancedOptions}
-                        />
-                      )}
-                      {(showAdvancedOptions || !isAdmin) && (
-                        <IsPublicGroupSelector
-                          formikProps={formikProps}
-                          objectName="credential"
-                          publicToWhom="Curators"
-                        />
-                      )}
-                    </div>
-                  )}
-                </div>
-                <div className="w-full sm:w-1/4">
-                  <CreateButton
-                    onClick={() =>
-                      handleSubmit(formikProps.values, formikProps, "create")
-                    }
-                    isSubmitting={formikProps.isSubmitting}
-                    isAdmin={isAdmin}
-                    groups={formikProps.values.groups}
-                  />
+      {(formikProps) => {
+        // Update authentication_method in formik when authMethod changes
+        if (
+          authMethod &&
+          formikProps.values.authentication_method !== authMethod
+        ) {
+          formikProps.setFieldValue("authentication_method", authMethod);
+        }
+
+        return (
+          <Form className="w-full flex items-stretch">
+            {!hideSource && (
+              <p className="text-sm">
+                Check our
+                <a
+                  className="text-blue-600 hover:underline"
+                  target="_blank"
+                  href={getSourceDocLink(sourceType) || ""}
+                >
+                  {" "}
+                  docs{" "}
+                </a>
+                for information on setting up this connector.
+              </p>
+            )}
+            <CardSection className="w-full items-start dark:bg-neutral-900 mt-4 flex flex-col gap-y-6">
+              <TextFormField
+                name="name"
+                placeholder="(Optional) credential name.."
+                label="Name:"
+              />
+
+              <CredentialFieldsRenderer
+                credentialTemplate={credentialTemplate}
+                authMethod={authMethod || initialAuthMethod}
+                setAuthMethod={setAuthMethod}
+              />
+
+              {!swapConnector && (
+                <div className="mt-4 flex w-full flex-col sm:flex-row justify-between items-end">
+                  <div className="w-full sm:w-3/4 mb-4 sm:mb-0">
+                    {isPaidEnterpriseFeaturesEnabled && (
+                      <div className="flex flex-col items-start">
+                        {isAdmin && (
+                          <AdvancedOptionsToggle
+                            showAdvancedOptions={showAdvancedOptions}
+                            setShowAdvancedOptions={setShowAdvancedOptions}
+                          />
+                        )}
+                        {(showAdvancedOptions || !isAdmin) && (
+                          <IsPublicGroupSelector
+                            formikProps={formikProps}
+                            objectName="credential"
+                            publicToWhom="Curators"
+                          />
+                        )}
+                      </div>
+                    )}
+                  </div>
+                  <div className="w-full sm:w-1/4">
+                    <CreateButton
+                      onClick={() =>
+                        handleSubmit(formikProps.values, formikProps, "create")
+                      }
+                      isSubmitting={formikProps.isSubmitting}
+                      isAdmin={isAdmin}
+                      groups={formikProps.values.groups}
+                    />
+                  </div>
                 </div>
+              )}
+            </CardSection>
+            {swapConnector && (
+              <div className="flex gap-x-4 w-full mt-8 justify-end">
+                <Button
+                  className="bg-rose-500 hover:bg-rose-400 border-rose-800"
+                  onClick={() =>
+                    handleSubmit(
+                      formikProps.values,
+                      formikProps,
+                      "createAndSwap"
+                    )
+                  }
+                  type="button"
+                  disabled={formikProps.isSubmitting}
+                >
+                  <div className="flex gap-x-2 items-center w-full border-none">
+                    <FaAccusoft />
+                    <p>Create</p>
+                  </div>
+                </Button>
               </div>
             )}
-          </CardSection>
-          {swapConnector && (
-            <div className="flex gap-x-4 w-full mt-8 justify-end">
-              <Button
-                className="bg-rose-500 hover:bg-rose-400 border-rose-800"
-                onClick={() =>
-                  handleSubmit(formikProps.values, formikProps, "createAndSwap")
-                }
-                type="button"
-                disabled={formikProps.isSubmitting}
-              >
-                <div className="flex gap-x-2 items-center w-full border-none">
-                  <FaAccusoft />
-                  <p>Create</p>
-                </div>
-              </Button>
-            </div>
-          )}
-        </Form>
-      )}
+          </Form>
+        );
+      }}
     </Formik>
   );
 }