From ebeeab3f582ab7611621c9f6cf0c030c61453c8c Mon Sep 17 00:00:00 2001
From: Patrick Doyle <810052+prdoyle@users.noreply.github.com>
Date: Thu, 6 Mar 2025 10:09:03 -0500
Subject: [PATCH] Entitle inference to access AWS credentials (#123750)

* Entitle inference to access AWS credentials.

Copied from the security policy.

* more missing entitlements for the inference plugin

---------

Co-authored-by: Lorenzo Dematte
---
 .../plugin-metadata/entitlement-policy.yaml | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/x-pack/plugin/inference/src/main/plugin-metadata/entitlement-policy.yaml b/x-pack/plugin/inference/src/main/plugin-metadata/entitlement-policy.yaml
index 41383d0b6736a..641f68985a710 100644
--- a/x-pack/plugin/inference/src/main/plugin-metadata/entitlement-policy.yaml
+++ b/x-pack/plugin/inference/src/main/plugin-metadata/entitlement-policy.yaml
@@ -1,2 +1,35 @@
 com.google.api.client:
   - set_https_connection_properties
+  - outbound_network
+software.amazon.awssdk.utils:
+  - manage_threads
+  - outbound_network
+# AmazonBedrockInferenceClient uses NettyNioAsyncHttpClient, so we grant network permissions (and thread permissions,
+# as it is async) to the related modules
+software.amazon.awssdk.http.nio.netty:
+  - manage_threads
+  - outbound_network
+io.netty.common:
+  - outbound_network
+  - manage_threads
+  - files:
+    - path: "/etc/os-release"
+      mode: "read"
+    - path: "/usr/lib/os-release"
+      mode: "read"
+    - path: "/proc/sys/net/core/somaxconn"
+      mode: read
+io.netty.transport:
+  - manage_threads
+  - outbound_network
+# AWS Clients always try to access the credentials and config files, even if we configure otherwise
+# This should be "fixed" (as in, it will handle SecurityException correctly)
+# by https://github.com/aws/aws-sdk-java-v2/pull/5904. Once confirmed and libraries are updated, these could be removed.
+software.amazon.awssdk.profiles:
+  - files:
+    - relative_path: .aws/credentials
+      relative_to: home
+      mode: read
+    - relative_path: .aws/config
+      relative_to: home
+      mode: read
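Review bot: The `software.amazon.awssdk.profiles` block grants the plugin read access to the real `.aws/credentials` and `.aws/config` files in the Elasticsearch process user's home, even though the comment above it says the plugin configures the SDK not to use them; if the SDK's default credential chain were ever reached (for example when a user-configured endpoint omits explicit keys), ambient host credentials could be sent to a user-controlled Bedrock endpoint. Because the grant exists only to suppress a SecurityException until the linked aws-sdk-java-v2 PR is released and adopted, it should be tied to a tracked removal, e.g. `# TODO: remove once the bundled AWS SDK includes aws/aws-sdk-java-v2#5904 (see the tracking issue)`, and the plugin code should be confirmed to always pass an explicit credentials provider so the files are never actually consulted. Minor style point in the `io.netty.common` files list: `mode: "read"` and `mode: read` are mixed; use one form throughout the policy.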