Skip to content

feat: Allow providing agent user credentials as a secrets manager secret#187

Merged
hindleym merged 4 commits intoaws-deadline:mainlinefrom
hindleym:hindleym-creds-and-worker-cleanup
Apr 29, 2025
Merged

feat: Allow providing agent user credentials as a secrets manager secret#187
hindleym merged 4 commits intoaws-deadline:mainlinefrom
hindleym:hindleym-creds-and-worker-cleanup

Conversation

@hindleym
Copy link
Contributor

@hindleym hindleym commented Apr 26, 2025

What was the problem/requirement? (What/Why)

  • Existing Windows worker test-fixtures created a temporary password for the agent user when installing the deadline worker. This meant that reusing or logging in as that worker agent user for debugging required resetting the password within the instance as Administrator.

What was the solution? (How)

  • If an AWS Secrets Manager secret is provided with the configuration, the Windows worker will be installed with the corresponding password.
  • There was also warnings about incorrect escape characters and some additional cleanup mentioned in PR-185

What is the impact of this change?

  • There should be no impact.

How was this change tested?

  • Locally verified the worker-agent Windows and Linux E2E tests were successful.
  • Locally verified the test-fixture tests were successful.

Was this change documented?

  • No

Is this a breaking change?

  • No

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@hindleym
test: Include providing agent user credentials to worker install
b53b28a 
Signed-off-by: Church Hindley <59745380+hindleym@users.noreply.github.com>
@hindleym hindleym requested a review from a team as a code owner April 26, 2025 00:06
@hindleym
test: Formatting
68d5cc1 
Signed-off-by: Church Hindley <59745380+hindleym@users.noreply.github.com>
@hindleym
Copy link
Contributor Author

hindleym commented Apr 28, 2025

Related test and changes in the deadline-cloud-worker-agent that I wrote, are in my forked branch here. These changes build on top of PR-603

jusiskin
jusiskin suggested changes Apr 28, 2025
View reviewed changes
Copy link
Contributor

@jusiskin jusiskin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just one suggestion to improve the secret handling.

src/deadline_test_fixtures/deadline/worker.py Outdated

password = None
if config.windows_user_secret:
user_secret = self.get_windows_user_secret(secret_id=config.windows_user_secret)
Copy link
Contributor

@jusiskin jusiskin Apr 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right now, the test runner is the one fetching the value of the secret, but then putting the secret in the contents of the SSM run command.

To avoid sending the password in the SSM command, we could instead have the worker fetch the secret value and construct the argument to --password. It would require granting the instance profile permissions to retrieve the secret value (secretsmanager:GetSecretValue).

What do you think?

@jusiskin
Copy link
Contributor

jusiskin commented Apr 28, 2025

One more suggestion is that the PR title and commit titles all have the test: prefix.

I know in the worker agent repository we use that prefix when changing tests, but in this repository, the changes are functional since this package is providing functionality for building tests for Deadline Cloud.

In the case of this PR, I think we want to switch to something like:

feat: allow providing agent user credentials as a secrets manager secret

What do you think?

@hindleym
feat: allow providing agent user credentials as a secrets manager secret
5e73a76 
Signed-off-by: Church Hindley <59745380+hindleym@users.noreply.github.com>
@hindleym hindleym changed the title test: Include providing agent user credentials to Windows worker install feat: allow providing agent user credentials as a secrets manager secret Apr 28, 2025
@hindleym hindleym changed the title feat: allow providing agent user credentials as a secrets manager secret feat: Allow providing agent user credentials as a secrets manager secret Apr 28, 2025
@hindleym
feat: Allow providing agent user credentials - Revert and update the …
7ead1ee 
…configure worker command

Signed-off-by: Church Hindley <59745380+hindleym@users.noreply.github.com>
@sonarqubecloud
Copy link

sonarqubecloud bot commented Apr 29, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@hindleym hindleym requested a review from jusiskin April 29, 2025 16:05
jusiskin
jusiskin approved these changes Apr 29, 2025
View reviewed changes
Copy link
Contributor

@jusiskin jusiskin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Just a small suggestion to make this new method a private API so that consumers of deadline-cloud-test-fixtures don't depend on it directly.

This is not critical to merge, but it helps keep this an implementation detail and not something we need to maintain.

leongdl
leongdl reviewed Apr 29, 2025
View reviewed changes
Copy link
Contributor

@leongdl leongdl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add _ as requested by Josh.

@hindleym hindleym merged commit e49691c into aws-deadline:mainline Apr 29, 2025
16 checks passed
@hindleym hindleym deleted the hindleym-creds-and-worker-cleanup branch April 29, 2025 17:52
@client-software-ci client-software-ci mentioned this pull request Apr 30, 2025
Merged
@client-software-ci client-software-ci mentioned this pull request Oct 3, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@leongdl leongdl leongdl approved these changes

+1 more reviewer

@jusiskin jusiskin jusiskin approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@hindleym @jusiskin @leongdl