Adding authentication setting and validation for kinesis destination #3378
New required fields detected

Warning: Your PR adds new required fields to an existing destination. Adding new required settings/mappings for a destination already in production requires updating existing customer destination configuration. Ignore this warning if this PR is for a new destination with no active customers in production. The following required fields were added in this PR:
Add these new fields as optional instead and assume default values in |
Codecov Report

✅ All modified and coverable lines are covered by tests.

Additional details and impacted files

Coverage Diff

| | main | #3378 | +/- |
|---|---|---|---|
| Coverage | 80.00% | 80.03% | +0.03% |
| Files | 1211 | 1214 | +3 |
| Lines | 22353 | 22387 | +34 |
| Branches | 4411 | 4414 | +3 |
| Hits | 17884 | 17918 | +34 |
| Misses | 3689 | 3689 | |
| Partials | 780 | 780 | |
Pull Request Overview
This PR implements IAM role assumption authentication for the AWS Kinesis destination. The changes enable secure access to AWS Kinesis streams using role-based authentication with external IDs.
- Adds IAM role-based authentication with ARN validation
- Implements STS role assumption with intermediary role support
- Adds comprehensive test coverage for authentication and validation logic
Reviewed Changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| packages/destination-actions/src/lib/AWS/utils.ts | Introduces APP_AWS_REGION constant with default fallback |
| packages/destination-actions/src/lib/AWS/sts.ts | Adds assumeRole function implementing two-step role assumption |
| packages/destination-actions/src/lib/AWS/__test__/index.test.ts | Adds unit tests for assumeRole functionality |
| packages/destination-actions/src/destinations/aws-kinesis/utils.ts | Implements IAM Role ARN format validation |
| packages/destination-actions/src/destinations/aws-kinesis/index.ts | Updates authentication to use IAM roles with ARN validation |
| packages/destination-actions/src/destinations/aws-kinesis/generated-types.ts | Updates Settings interface with new authentication fields |
| packages/destination-actions/src/destinations/aws-kinesis/__test__/utils.test.ts | Adds comprehensive tests for ARN validation |
| packages/destination-actions/src/destinations/aws-kinesis/__test__/index.test.ts | Adds tests for destination authentication flow |
|
||
| // Mock dependencies | ||
| jest.mock('@aws-sdk/client-sts') | ||
| jest.mock('uuid', () => ({ v4: jest.fn(() => 'mocked-session-id') })) |
Copilot
AI
Nov 4, 2025
The mock path is incorrect. The code imports from '@lukeed/uuid' but the mock is for 'uuid'. This will cause the mock to fail and the real uuid function to be called during tests. Change to: jest.mock('@lukeed/uuid', () => ({ v4: jest.fn(() => 'mocked-session-id') }))
| jest.mock('uuid', () => ({ v4: jest.fn(() => 'mocked-session-id') })) | |
| jest.mock('@lukeed/uuid', () => ({ v4: jest.fn(() => 'mocked-session-id') })) |
| } | ||
|
|
||
| const getSTSCredentials = async (roleId: string, externalId: string, region: string, credentials?: AWSCredentials) => { | ||
| const options = { credentials, region: region } |
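Review bot: getSTSCredentials takes roleId, externalId and region as three adjacent positional string parameters, so a call site that transposes two of them still type-checks and only fails at runtime when the STS call is made. Consider a single typed options object (for example `{ roleId, externalId, region, credentials }`) and an explicit return type on the function; if roleId actually carries a role ARN, naming it accordingly would make the signature match the ARN validation done on the settings.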
Copilot
AI
Nov 4, 2025
Redundant property assignment. Since the parameter is already named region, you can use object shorthand: const options = { credentials, region }
| const options = { credentials, region: region } | |
| const options = { credentials, region } |
| iamExternalId: { | ||
| label: 'IAM External ID', | ||
| description: | ||
| 'The external ID to use when assuming the IAM Role. Generate a secure string and treat it like a password. This is often used as an additional security measure.', |
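Review bot: the iamExternalId description tells the customer to generate the value and treat it like a password, which differs from AWS's guidance for cross-account roles, where the party assuming the role issues an external ID that is unique per customer and AWS does not treat it as a secret. With a customer-chosen value, the confused-deputy protection depends on that string staying unguessable and private, so consider having Segment issue the external ID and show it read-only; if the field stays free-form, state a minimum length in the description and make sure the value never appears in logs or validation error messages.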
Copilot
AI
Nov 4, 2025
Extra space between sentences. Should have only one space after period.
| 'The external ID to use when assuming the IAM Role. Generate a secure string and treat it like a password. This is often used as an additional security measure.', | |
| 'The external ID to use when assuming the IAM Role. Generate a secure string and treat it like a password. This is often used as an additional security measure.', |
PR deployed
Adding authentication setting and validation for the Kinesis destination. The authentication mechanism is by IAMRole and externalId, where the clients will create an IAM role which can be "assumed" by Segment's provided IAM role and external Id.
We are only validating whether the client-provided role can be assumed by Segment. We aren't verifying whether we can send events to streams, because stream configuration will be available at the mapping stage.
Testing
Background
Created the IAM role below, which allows Segment's IAM role to assume a role provided by clients.
arn:aws:iam::0000000000000:role/mdkhan-assume-role-for-kinesis-destination
Test Cases
Include any additional information about the testing you have completed to
ensure your changes behave as expected. For a speedy review, please check
any of the tasks you completed below during your testing.
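
The review summary above lists IAM Role ARN format validation as the check that runs on the settings before the role is assumed. A sketch of that kind of check follows as an added example, not the PR's code: `parseRoleArn`, `validateAuthSettings` and the `iamRoleArn` parameter name are hypothetical, the sample ARNs are constructed, and the limits used are the documented IAM and STS constraints.

```typescript
// Added example, not the PR's code. parseRoleArn, validateAuthSettings and the
// iamRoleArn parameter name are hypothetical; iamExternalId is the PR's field name.
interface RoleArn {
  partition: string
  accountId: string
  path: string
  roleName: string
}

// STS AssumeRole accepts an ExternalId of 2-1224 characters from this set.
const EXTERNAL_ID = /^[\w+=,.@:\/-]{2,1224}$/

function parseRoleArn(arn: string): RoleArn | null {
  if (arn.length > 2048) return null // STS RoleArn length limit
  const parts = arn.split(':')
  if (parts.length < 6) return null
  const [prefix, partition, service, region, accountId] = parts
  const resource = parts.slice(5).join(':') // IAM paths may themselves contain ':'
  if (prefix !== 'arn' || !/^aws(-[a-z]+)*$/.test(partition)) return null
  if (service !== 'iam' || region !== '') return null // IAM is global: empty region field
  if (!/^\d{12}$/.test(accountId)) return null
  if (!resource.startsWith('role/')) return null // rejects user/, group/, root, ...
  const segments = resource.slice('role/'.length).split('/')
  const roleName = segments.pop() as string
  if (!/^[\w+=,.@-]{1,64}$/.test(roleName)) return null // also rejects '*' and whitespace
  // Every path segment must be non-empty printable ASCII (no 'role//name').
  if (segments.some((s) => !/^[\x21-\x7e]+$/.test(s))) return null
  const path = segments.length ? `/${segments.join('/')}/` : '/'
  if (path.length > 512) return null
  return { partition, accountId, path, roleName }
}

// Returns a list of problems; messages never echo the external ID value.
function validateAuthSettings(iamRoleArn: string, iamExternalId: string): string[] {
  const errors: string[] = []
  if (parseRoleArn(iamRoleArn) === null) errors.push('iamRoleArn is not a valid IAM role ARN')
  if (!EXTERNAL_ID.test(iamExternalId)) errors.push('iamExternalId has an invalid length or character')
  return errors
}

// Constructed sample input.
console.log(parseRoleArn('arn:aws:iam::123456789012:role/service/kinesis-writer'))
console.log(validateAuthSettings('arn:aws:iam::123456789012:user/alice', 'x'))
```

A format check like this only rejects malformed input early; whether the role can actually be assumed is still decided by the role's trust policy when STS is called.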