How to connect from SageMaker to Keyspaces (#19)

* Introducing SageMaker connection examples using Sig4V and server-generated credentials

* Introducing SageMaker connection examples using Sig4V and server-generated credentials.  
Grammar/style changes to Readme and notebook text.

* Added links to SigV4 for reference

* 1. Added  license short text to the notebook
2. Moved SageMaker directory under Python

* Changes URL for SageMaker examples

Co-authored-by: Vadim Lyakhovich <[email protected]>

Author: lyakhovv

CHANGELOG.md

@@ -1,2 +1,3 @@
 # CHANGELOG
 [0.0.1] Iniital Release
+[0.0.2] Added SageMaker section

README.md

@@ -25,6 +25,9 @@ This repo contains examples in each language supported by Amazon Keyspaces. This
 - [Ruby Examples](https://github.com/aws-samples/amazon-keyspaces-examples/tree/main/ruby)
 - [Python Examples](https://github.com/aws-samples/amazon-keyspaces-examples/tree/main/python)
 - [Scala Examples](https://github.com/aws-samples/amazon-keyspaces-examples/tree/main/scala)
+- [SageMaker (Python) Examples](https://github.com/aws-samples/amazon-keyspaces-examples/tree/main/python/datastax-v3/SageMaker)
+
+
 
 ## Learning Resources <a name="Learning"></a>
 While this is an excellent learning resource for Amazon Keyspaces, there are other resources that can be referenced to assist with your learning/development process.
@@ -39,4 +42,3 @@ If you have created an Amazon Keyspaces learning resource and would like it to b
 # License <a name="License"></a>
 
 This library is licensed under the MIT-0 License.
-

python/datastax-v3/SageMaker/connection-service-specific-credentials /README.md

@@ -0,0 +1,56 @@
+
+
+## Connecting to Amazon Keyspaces from SageMaker Notebook with Python
+
+
+This code shows how to connect to Amazon Keyspaces from SageMaker using [service-specific credentials](https://docs.aws.amazon.com/keyspaces/latest/devguide/programmatic.credentials.html).
+
+Service-specific credentials aren’t the only way to authenticate and authorize access to Amazon Keyspaces resources. We recommend using AWS authentication plugin for Cassandra drivers .
+
+
+### Prerequisites<a name="Prerequisites"></a></a>
+The Notebook execution role must include permissions to access Amazon Keyspaces and [Secret Manager](https://aws.amazon.com/secrets-manager/).
+
+*  To access Amazon Keyspaces database - use AmazonKeyspacesReadOnlyAccess or AmazonKeyspacesFullAccess managed policies. Use the _least privileged approach_ for your production application.  
+See more at
+[AWS Identity and Access Management for Amazon Keyspaces](https://docs.aws.amazon.com/keyspaces/latest/devguide/security-iam.html).
+
+* To use AWS Secret Manager, the Notebooks execution role must include  [SecretsManagerReadWrite](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-policies.html) managed policy.
+
+
+
+### Security Configuration
+
+1. Generate [Keyspaces Service-Specific Credentials](https://docs.aws.amazon.com/keyspaces/latest/devguide/programmatic.credentials.html)
+
+
+        Example of a service-specific credential
+
+  ```
+        "ServiceSpecificCredential": {
+                "CreateDate": "2019-10-09T16:12:04Z",
+                "ServiceName": "cassandra.amazonaws.com",
+                "ServiceUserName": "keyspace-user1-at-11122223333",
+                "ServicePassword": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
+                "ServiceSpecificCredentialId": "ACCAYFI33SINPGJEBYESF",
+                "UserName": " keyspace-user1",
+                "Status": "Active"
+            }
+        }
+  ```
+
+2. Store ServiceUserName and ServicePassword in the SecretManager.  As a best practice, we don't want to store credentials as a plain text in the SageMaker Notebooks.
+
+  In this example I'm using
+_Keyspaces_Server_Generated_credential_ as a Secret Name and _keyspaces_generated_id_ and _keyspaces_generated_pw_ fields to store Keyspaces ID and password.
+
+
+
+
+#### Note:
+Amazon Keyspaces is available in the following [AWS Regions](https://docs.aws.amazon.com/keyspaces/latest/devguide/programmatic.endpoints.html).
+
+This notebook was tested with conda_python3 kernel and should work with Python 3.x.
+
+### Running the sample
+*  Import Notebook into SageMaker 	

python/datastax-v3/SageMaker/connection-service-specific-credentials /SageMaker_Keyspaces_with_server_credentials.ipynb

@@ -0,0 +1,220 @@
+{
+ "cells": [
+  {
+   "cell_type": "markdown",
+   "id": "0fb7f3db",
+   "metadata": {},
+   "source": [
+    "*Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved*  \n",
+    "\n",
+    "*SPDX-License-Identifier: MIT-0*    "
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "id": "b78e5991",
+   "metadata": {},
+   "source": [
+    "---"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "id": "81e637d6",
+   "metadata": {},
+   "source": [
+    "## Connecting to Amazon Keyspaces using server-side credentials \n",
+    "\n",
+    "This code shows how to connect to Amazon Keyspaces from SageMaker using an [service-specific credentials](https://docs.aws.amazon.com/keyspaces/latest/devguide/programmatic.credentials.html) for an existing AWS Identity and Access Management (IAM) user.\n"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "id": "8a1a923c",
+   "metadata": {},
+   "source": [
+    "Before we start we need to generate the Keyspaces credential and use SecretManager to securly store credentials. \n",
+    "\n",
+    "\n",
+    "1. Generate [Keyspaces Service-Specific Credentials](https://docs.aws.amazon.com/keyspaces/latest/devguide/programmatic.credentials.html)\n",
+    "\n",
+    "\n",
+    "The following is an example of a service-specific credential .\n",
+    "\n",
+    "```\n",
+    "\"ServiceSpecificCredential\": {\n",
+    "        \"CreateDate\": \"2019-10-09T16:12:04Z\",\n",
+    "        \"ServiceName\": \"cassandra.amazonaws.com\",\n",
+    "        \"ServiceUserName\": \"keyspace-user1-at-11122223333\",\n",
+    "        \"ServicePassword\": \"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\",\n",
+    "        \"ServiceSpecificCredentialId\": \"ACCAYFI33SINPGJEBYESF\",\n",
+    "        \"UserName\": \" keyspace-user1\",\n",
+    "        \"Status\": \"Active\"\n",
+    "    }\n",
+    "}\n",
+    "```\n",
+    "\n",
+    "2. Store ServiceUserName and ServicePassword in the SecretManager.  As a best practice we don't want to store credential in SageMaker Notebooks in plain text. \n",
+    "\n",
+    "  In this example I'm using \n",
+    "*Keyspaces_Server_Generated_credential* as a Secret name and _keyspaces_generated_id_ and _keyspaces_generated_pw_ fields to store Keyspaces ID and password. \n"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "id": "a91e2ab0",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "#Import \n",
+    "from cassandra.cluster import Cluster\n",
+    "from ssl import SSLContext, PROTOCOL_TLSv1_2 , CERT_REQUIRED\n",
+    "from cassandra.auth import PlainTextAuthProvider\n",
+    "\n",
+    "ssl_context = SSLContext(PROTOCOL_TLSv1_2 )"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "id": "68e63b3f",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "#Download certificate \n",
+    "!curl https://certs.secureserver.net/repository/sf-class2-root.crt -O "
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "id": "a714c7dc",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "# Load certificate \n",
+    "ssl_context.load_verify_locations('sf-class2-root.crt') "
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "id": "265d59f0",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "#Getting Credential from Secert Manager \n",
+    "#Need to have a SecretsManagerReadWrite Policy\n",
+    "\n",
+    "import boto3\n",
+    "import base64\n",
+    "from botocore.exceptions import ClientError\n",
+    "import json\n",
+    "\n",
+    "secret_name = \"Keyspaces_Server_Generated_credential\"\n",
+    "region_name = \"us-west-1\"\n",
+    "\n",
+    "# Create a Secrets Manager client\n",
+    "session = boto3.session.Session()\n",
+    "client = session.client(\n",
+    "    service_name='secretsmanager',\n",
+    "    region_name=region_name\n",
+    ")\n",
+    "\n",
+    "\n",
+    "get_secret_value_response = client.get_secret_value(\n",
+    "    SecretId=secret_name\n",
+    ")\n",
+    "\n",
+    "# Decrypts secret using the associated KMS CMK.\n",
+    "# Depending on whether the secret is a string or binary, one of these fields will be populated.\n",
+    "if 'SecretString' in get_secret_value_response:\n",
+    "    secret = json.loads(get_secret_value_response['SecretString'])\n",
+    "    ServiceUserName = secret['keyspaces_generated_id']\n",
+    "    ServicePassword = secret['keyspaces_generated_pw']\n",
+    "    print(\"id:\",ServiceUserName, \",  pw:\",ServicePassword)\n",
+    "else:\n",
+    "    decoded_binary_secret = base64.b64decode(get_secret_value_response['SecretBinary'])\n",
+    "             \n",
+    "            "
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "id": "2a98e386",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "auth_provider = PlainTextAuthProvider(username=ServiceUserName, password=ServicePassword)"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "id": "bad5758b",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "cluster = Cluster(['cassandra.us-west-1.amazonaws.com'], ssl_context=ssl_context, auth_provider=auth_provider, port=9142)\n"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "id": "6b22f21d",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "session = cluster.connect()\n",
+    "cql = \"select * from  system_schema.keyspaces \"\n",
+    "r = session.execute(cql)\n",
+    "print(r.current_rows)"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "id": "eb124f18",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "# Load rows to Panda DataFrame \n",
+    "from pandas import DataFrame\n",
+    "\n",
+    "df = DataFrame(r)\n",
+    "print(df)"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "id": "3c9b9169",
+   "metadata": {},
+   "outputs": [],
+   "source": []
+  }
+ ],
+ "metadata": {
+  "kernelspec": {
+   "display_name": "conda_python3",
+   "language": "python",
+   "name": "conda_python3"
+  },
+  "language_info": {
+   "codemirror_mode": {
+    "name": "ipython",
+    "version": 3
+   },
+   "file_extension": ".py",
+   "mimetype": "text/x-python",
+   "name": "python",
+   "nbconvert_exporter": "python",
+   "pygments_lexer": "ipython3",
+   "version": "3.6.13"
+  }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 5
+}

python/datastax-v3/SageMaker/connection-sigv4/README.md

@@ -0,0 +1,41 @@
+## Connecting to Amazon Keyspaces from SageMaker Notebook with Python
+
+This code shows how to connect to Amazon Keyspaces from SageMaker using an authentication plugin for temporary credentials. This plugin enables IAM users, roles, and federated identities to add authentication information to Amazon Keyspaces API requests using the [AWS Signature Version 4 process (SigV4)](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html) 
+
+In this example, we do NOT need to generate Keyspaces service-specific credentials.
+
+
+
+### Prerequisites
+
+The Notebook execution role must include permissions to access Amazon Keyspaces and Assume the role.
+
+*  To access Amazon Keyspaces database - use AmazonKeyspacesReadOnlyAccess or AmazonKeyspacesFullAccess managed policies. Use the _least privileged approach_ for your production application.  
+See more at
+[AWS Identity and Access Management for Amazon Keyspaces](https://docs.aws.amazon.com/keyspaces/latest/devguide/security-iam.html).
+
+* To assume the role, you need to have [sts:AssumeRole action](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) permissions.
+    ```
+    {
+      "Version": "2012-10-17",  
+      "Statement": [  
+        {  
+           "Action": [  
+           "sts:AssumeRole"  
+          ],  
+          "Effect": "Allow",  
+          "Resource": "*"  
+        }
+      ]
+    }
+    ```
+
+#### Note:
+Amazon Keyspaces is available in the following [AWS Regions](https://docs.aws.amazon.com/keyspaces/latest/devguide/programmatic.endpoints.html).
+
+This notebook was tested with conda_python3 kernel and should work with Python 3.x.
+
+
+
+### Running the sample
+*  Import Notebook into SageMaker