
[Buganizer ID: 497768505] AwsGuardDuty: identity federation support#930

Open
lemanczykp wants to merge 5 commits into chronicle:main from lemanczykp:AWS_Guard_Duty

Conversation

@lemanczykp lemanczykp commented Jun 9, 2026
Contributor

Description

Added support for identity federation: https://aws.amazon.com/identity/federation/
What problem does this PR solve?

Clients needed a way to authenticate in AWS integrations other than using direct credentials (key, secret).

How does this PR solve the problem?
Now the integration supports using a federated Google account to authenticate and request temporary tokens on each run.


Checklist:

Please ensure you have completed the following items before submitting your PR.
This helps us review your contribution faster and more efficiently.

General Checks:

  • I have read and followed the project's contributing.md guide.
  • My code follows the project's coding style guidelines.
  • I have performed a self-review of my own code.
  • My changes do not introduce any new warnings.
  • My changes pass all existing tests.
  • I have added new tests where appropriate to cover my changes. (If applicable)
  • I have updated the documentation where necessary (e.g., README, API docs). (If applicable)

Open-Source Specific Checks:

  • My changes do not introduce any Personally Identifiable Information (PII) or sensitive customer data.
  • My changes do not expose any internal-only code examples, configurations, or URLs.
  • All code examples, comments, and messages are generic and suitable for a public repository.
  • I understand that any internal context or sensitive details related to this work are handled separately in internal systems (Buganizer for Google team members).

For Google Team Members and Reviewers Only:

  • I have included the Buganizer ID in the PR title or description (e.g., "Internal Buganizer ID: 123456789" or "Related Buganizer: go/buganizer/123456789").
  • I have ensured that all internal discussions and PII related to this work remain in Buganizer.
  • I have tagged the PR with one or more labels that reflect the pull request purpose.

@lemanczykp lemanczykp requested a review from a team as a code owner June 9, 2026 12:37
@gemini-code-assist
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enables identity federation for the AWS GuardDuty integration, allowing users to authenticate using Google Cloud OIDC. This change improves security by replacing static AWS access keys with temporary, short-lived tokens generated via AWS STS, while also simplifying credential management.

Highlights

  • Identity Federation Support: Added support for identity federation, allowing authentication via Google Cloud OIDC instead of static AWS credentials.
  • New Federation Logic: Introduced the AWSGuardDutyIdentityFederation class to handle OIDC token generation and AWS STS role assumption.
  • Configuration Updates: Updated connector and action configurations to include new parameters: Role ARN, Service Account JSON, and Workload Identity Email.
  • Refactored Parameter Extraction: Unified integration parameter extraction across all actions using a new utility function.
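The exchange the summary above describes, a Google service-account ID token traded through AWS STS for temporary credentials, as an added Python example. This is not the PR's AWSGuardDutyIdentityFederation class; the audience value sts.amazonaws.com, the role ARN, the service-account e-mail and the 900-second session length are assumptions. The token minter and the STS client are injected, so the flow runs offline against constructed fakes (an unsigned JWT and a stub STS that accepts only the trusted role ARN). With the real libraries, fetch_id_token would wrap google-auth's IDTokenCredentials and sts_client would be boto3.client("sts"); the keyword arguments passed to assume_role_with_web_identity are boto3's.

```python
"""Google OIDC -> AWS STS web-identity federation, run end to end offline.

Added example, not the PR's AWSGuardDutyIdentityFederation class. The token
minter and the STS client are injected so the exchange runs against fakes.
"""
from __future__ import annotations

import base64
import json
import time
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Callable, Optional

AUDIENCE = "sts.amazonaws.com"  # assumed; must match the role trust policy's accounts.google.com:aud
REFRESH_MARGIN_SECONDS = 60     # refresh before a cached session runs out


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict[str, Any]:
    """Payload of a compact JWT, NOT signature-verified. STS verifies the signature
    against Google's keys; this decode only lets the client fail fast before sending it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))


def check_id_token(token: str, audience: str, email: str, now: float) -> dict[str, Any]:
    """Reject a token minted for another audience or account, or one already expired."""
    claims = decode_jwt_claims(token)
    if claims.get("aud") != audience:
        raise ValueError(f"audience mismatch: {claims.get('aud')!r}")
    if claims.get("email") != email:
        raise ValueError("token belongs to a different service account")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("ID token already expired")
    return claims


@dataclass(frozen=True)
class AwsTemporaryCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: float  # POSIX seconds

    def seconds_left(self, now: float) -> float:
        return self.expiration - now


class WebIdentityFederation:
    """Exchange a Google service-account ID token for short-lived AWS credentials."""

    def __init__(self, role_arn: str, workload_identity_email: str,
                 fetch_id_token: Callable[[str], str], sts_client: Any,
                 session_name: str = "chronicle-soar", duration_seconds: int = 900):
        self.role_arn, self.email = role_arn, workload_identity_email
        self.fetch_id_token, self.sts = fetch_id_token, sts_client
        self.session_name, self.duration = session_name, duration_seconds
        self._cached: Optional[AwsTemporaryCredentials] = None

    def credentials(self, now: Optional[float] = None) -> AwsTemporaryCredentials:
        now = time.time() if now is None else now
        if self._cached and self._cached.seconds_left(now) > REFRESH_MARGIN_SECONDS:
            return self._cached  # still valid: no new token, no STS round trip
        token = self.fetch_id_token(AUDIENCE)  # google-auth: IDTokenCredentials + refresh()
        check_id_token(token, AUDIENCE, self.email, now)
        resp = self.sts.assume_role_with_web_identity(  # same kwargs as boto3
            RoleArn=self.role_arn, RoleSessionName=self.session_name,
            WebIdentityToken=token, DurationSeconds=self.duration)
        c = resp["Credentials"]
        exp = c["Expiration"]  # boto3 returns a tz-aware datetime
        self._cached = AwsTemporaryCredentials(
            c["AccessKeyId"], c["SecretAccessKey"], c["SessionToken"],
            exp.timestamp() if isinstance(exp, datetime) else float(exp))
        return self._cached


# ---- constructed fakes for offline use; not Google's or AWS's real behaviour ----
SA_EMAIL = "soar-guardduty@example-project.iam.gserviceaccount.com"  # assumed
ROLE_ARN = "arn:aws:iam::123456789012:role/ChronicleGuardDutyReader"  # assumed
FIXED_NOW = 1_750_000_000.0  # constructed clock so results are deterministic


def make_unsigned_id_token(email: str, audience: str, exp: float) -> str:
    """Google-shaped ID token with an EMPTY signature: acceptable only to FakeSts."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"iss": "https://accounts.google.com", "aud": audience,
               "email": email, "iat": int(exp) - 3600, "exp": int(exp)}
    return f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}."


class FakeSts:
    """Stands in for boto3's STS client: enforces the trusted role ARN, issues fake creds."""

    def __init__(self, trusted_role_arn: str, clock: Callable[[], float]):
        self.trusted_role_arn, self.clock, self.calls = trusted_role_arn, clock, 0

    def assume_role_with_web_identity(self, **kw: Any) -> dict[str, Any]:
        self.calls += 1
        if kw["RoleArn"] != self.trusted_role_arn:
            raise PermissionError("AccessDenied")  # boto3 would raise botocore ClientError
        decode_jwt_claims(kw["WebIdentityToken"])  # real STS also verifies the signature
        exp = datetime.fromtimestamp(self.clock() + kw["DurationSeconds"], tz=timezone.utc)
        return {"Credentials": {"AccessKeyId": f"ASIAFAKE{self.calls:016d}",
                                "SecretAccessKey": "fake-secret",
                                "SessionToken": "fake-session", "Expiration": exp}}


def demo(start: float = FIXED_NOW) -> dict[str, Any]:
    clock = {"now": start}
    sts = FakeSts(ROLE_ARN, lambda: clock["now"])
    fed = WebIdentityFederation(
        ROLE_ARN, SA_EMAIL,
        lambda aud: make_unsigned_id_token(SA_EMAIL, aud, clock["now"] + 3600), sts)
    first = fed.credentials(clock["now"])   # token minted, STS called
    clock["now"] += 100
    second = fed.credentials(clock["now"])  # cached: no STS call
    clock["now"] += 800
    third = fed.credentials(clock["now"])   # session expired: minted and exchanged again
    try:  # a token minted for some other audience never reaches STS
        check_id_token(make_unsigned_id_token(SA_EMAIL, "https://other", clock["now"] + 60),
                       AUDIENCE, SA_EMAIL, clock["now"])
        wrong_audience_rejected = False
    except ValueError:
        wrong_audience_rejected = True
    return {"sts_calls": sts.calls, "reused": first is second,
            "rotated": first.access_key_id != third.access_key_id,
            "wrong_audience_rejected": wrong_audience_rejected, "first": first}


if __name__ == "__main__":
    print(demo())
```

Two caveats a reviewer of such a change would want noted. First, a "Service Account JSON" parameter is itself a long-lived Google private key, so this pattern removes static AWS keys but still rests on a static Google secret unless the ID token comes from an attached identity or from impersonating the configured Workload Identity Email. Second, the client-side check_id_token above is a fail-fast, not an authorization control: the role's trust policy should condition on accounts.google.com:aud and accounts.google.com:sub so that a token from any other Google account cannot assume the role, and DurationSeconds should stay as short as the connector's run cadence allows.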

@github-actions

github-actions Bot commented Jun 9, 2026

Marketplace Validation Failed

Validation Report

🧩 Integrations

aws_guard_duty

Validation Name Details
⚠️ SSL Integration Validation The default value of the 'Verify SSL' param in AWS GuardDuty must be a boolean true
⚠️ SSL Connectors Validation - AWS GuardDuty - Findings Connector is missing a 'Verify SSL' parameter
⚠️ Connectors Documentation Link Validation Integration 'aws_guard_duty' contains connectors with missing documentation link: - AWS GuardDuty - Findings Connector
⚠️ Fields Validation Action Parameter name: Useful? does not match the regex: ^[a-zA-Z0-9-'\s]+$|Verify SSL Ceritifcate?|Git Password/Token/SSH Key|EML/MSG Base64 String|Country(For multiple countries, provide comma-separated values)|Entity Identifier(s)|logzio_security_token|logzio_region|minimum_score|api_token|eyeglass_ip|API_Key|Alert_ID|Queue_State|logzio_operations_token|logzio_custom_endpoint|api_key|fields_to_search|severity_threshold|Entity Identifier(s) Type|Target Entity Identifier(s)|IOC_Enrichment|SLA (in minutes)|raw_json|alert_event_id|Additional_Data|page_size|sort_by|Data_Range|Incident_Key|Team_IDS|User_IDS|Service_IDS|Entity_State|Incidents_Statuses|from_time|to_time|Incident_ID|from_date|logzio_token|search_term|Ingest\ only\ alerts\ that\ have\ “is_security”\ attribute\ set\ to\ True?|Ingest\ only\ alerts\ that\ have\ “is_incident”\ attribute\ set\ to\ True?|Fetch\ Backwards\ Time\ Interval\ (minutes)|Events\ Padding\ Period\ (hours)|Is\ Exchange\ On-Prem?|Is\ Office365\ (Exchange\ Online)?|Extract\ urls\ from\ HTML\ email\ part?|Create\ a\ Separate\ Siemplify\ Alert\ per\ Attached\ Mail\ File?|Email\ Padding\ Period\ (minutes)|Tenant\ (Directory)\ ID|Should\ ingest\ only\ starred\ threats?|Should\ ingest\ threats\ related\ to\ incidents?|Use\ the\ same\ approach\ with\ event\ creation\ for\ all\ alert\ types?|Enable\ Fallback\ Logic\ Debug?|Create\ Chronicle\ SOAR\ Alerts\ for\ Sentinel\ incidents\ that\ do\ not\ have\ entities?|Incidents\ Padding\ Period\ (minutes)|Wait\ For\ Scheduled/NRT\ Alert\ Object|Api_Key|Fetch\ Private\ Notes?|Offenses\ Creation\ Timer\ (minutes)|What\ Value\ to\ use\ for\ the\ Name\ Field\ of\ Siemplify\ Alert?|What\ Value\ to\ use\ for\ the\ Rule\ Generator\ Field\ of\ Siemplify\ Alert?|Mask\ findings?|Events\ Padding\ Period\ (minutes)|Track\ New\ Events\ Threshold\ (hours)|Token\ Timeout\ (in\ Seconds)|Script\ Timeout\ (Seconds)|IPs/Ranges
⚠️ JSON Result Example Validation Actions with JSON results missing example files in resources/: GetDetectorDetails, CreateATrustedIPList, GetFindingDetails, ListDetectors, GetATrustedIPList, CreateDetector, ListThreatIntelligenceSets, GetThreatIntelligenceSetDetails, CreateThreatIntelligenceSet, ListFindingsForDetector, GetAllTrustedIPsLists
⚠️ Test Config Validation 'aws_guard_duty' is missing tests/config.json

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request adds Google Cloud Web Identity (OIDC) Federation authentication support to the AWS GuardDuty integration, introducing a new AWSGuardDutyIdentityFederation class and updating the manager, actions, and connector to support OIDC-based AWS role assumption. Feedback on the changes highlights a placeholder ValueError with a typo in utils.py that needs to be corrected, as well as style guide violations regarding the default value of the Verify SSL parameter in definition.yaml and a bare except block in AWSGuardDutyIdentityFederation.py.


Comment thread content/response_integrations/google/aws_guard_duty/core/utils.py
Comment thread content/response_integrations/google/aws_guard_duty/definition.yaml Outdated
@lemanczykp lemanczykp changed the title b/497768505 AwsGuardDuty: identity federation support [Buganizer ID: 497768505] AwsGuardDuty: identity federation support Jun 9, 2026

…ardDutyIdentityFederation.py

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Signed-off-by: lemanczykp <lemanczyk@google.com>
@github-actions

github-actions Bot commented Jun 9, 2026

Marketplace Validation Failed

Validation Report

🧩 Integrations

aws_guard_duty

Validation Name Details
⚠️ SSL Connectors Validation - AWS GuardDuty - Findings Connector is missing a 'Verify SSL' parameter
⚠️ Connectors Documentation Link Validation Integration 'aws_guard_duty' contains connectors with missing documentation link: - AWS GuardDuty - Findings Connector
⚠️ Fields Validation Action Parameter name: Useful? does not match the regex: ^[a-zA-Z0-9-'\s]+$|Verify SSL Ceritifcate?|Git Password/Token/SSH Key|EML/MSG Base64 String|Country(For multiple countries, provide comma-separated values)|Entity Identifier(s)|logzio_security_token|logzio_region|minimum_score|api_token|eyeglass_ip|API_Key|Alert_ID|Queue_State|logzio_operations_token|logzio_custom_endpoint|api_key|fields_to_search|severity_threshold|Entity Identifier(s) Type|Target Entity Identifier(s)|IOC_Enrichment|SLA (in minutes)|raw_json|alert_event_id|Additional_Data|page_size|sort_by|Data_Range|Incident_Key|Team_IDS|User_IDS|Service_IDS|Entity_State|Incidents_Statuses|from_time|to_time|Incident_ID|from_date|logzio_token|search_term|Ingest\ only\ alerts\ that\ have\ “is_security”\ attribute\ set\ to\ True?|Ingest\ only\ alerts\ that\ have\ “is_incident”\ attribute\ set\ to\ True?|Fetch\ Backwards\ Time\ Interval\ (minutes)|Events\ Padding\ Period\ (hours)|Is\ Exchange\ On-Prem?|Is\ Office365\ (Exchange\ Online)?|Extract\ urls\ from\ HTML\ email\ part?|Create\ a\ Separate\ Siemplify\ Alert\ per\ Attached\ Mail\ File?|Email\ Padding\ Period\ (minutes)|Tenant\ (Directory)\ ID|Should\ ingest\ only\ starred\ threats?|Should\ ingest\ threats\ related\ to\ incidents?|Use\ the\ same\ approach\ with\ event\ creation\ for\ all\ alert\ types?|Enable\ Fallback\ Logic\ Debug?|Create\ Chronicle\ SOAR\ Alerts\ for\ Sentinel\ incidents\ that\ do\ not\ have\ entities?|Incidents\ Padding\ Period\ (minutes)|Wait\ For\ Scheduled/NRT\ Alert\ Object|Api_Key|Fetch\ Private\ Notes?|Offenses\ Creation\ Timer\ (minutes)|What\ Value\ to\ use\ for\ the\ Name\ Field\ of\ Siemplify\ Alert?|What\ Value\ to\ use\ for\ the\ Rule\ Generator\ Field\ of\ Siemplify\ Alert?|Mask\ findings?|Events\ Padding\ Period\ (minutes)|Track\ New\ Events\ Threshold\ (hours)|Token\ Timeout\ (in\ Seconds)|Script\ Timeout\ (Seconds)|IPs/Ranges
⚠️ JSON Result Example Validation Actions with JSON results missing example files in resources/: GetDetectorDetails, CreateATrustedIPList, GetFindingDetails, ListDetectors, GetATrustedIPList, CreateDetector, ListThreatIntelligenceSets, GetThreatIntelligenceSetDetails, CreateThreatIntelligenceSet, ListFindingsForDetector, GetAllTrustedIPsLists
⚠️ Test Config Validation 'aws_guard_duty' is missing tests/config.json

@github-actions

Marketplace Validation Failed

Validation Report

🧩 Integrations

aws_guard_duty

Validation Name Details
⚠️ SSL Connectors Validation - AWS GuardDuty - Findings Connector is missing a 'Verify SSL' parameter
⚠️ Connectors Documentation Link Validation Integration 'aws_guard_duty' contains connectors with missing documentation link: - AWS GuardDuty - Findings Connector
⚠️ Fields Validation Action Parameter name: Useful? does not match the regex: ^[a-zA-Z0-9-'\s]+$|Verify SSL Ceritifcate?|Git Password/Token/SSH Key|EML/MSG Base64 String|Country(For multiple countries, provide comma-separated values)|Entity Identifier(s)|logzio_security_token|logzio_region|minimum_score|api_token|eyeglass_ip|API_Key|Alert_ID|Queue_State|logzio_operations_token|logzio_custom_endpoint|api_key|fields_to_search|severity_threshold|Entity Identifier(s) Type|Target Entity Identifier(s)|IOC_Enrichment|SLA (in minutes)|raw_json|alert_event_id|Additional_Data|page_size|sort_by|Data_Range|Incident_Key|Team_IDS|User_IDS|Service_IDS|Entity_State|Incidents_Statuses|from_time|to_time|Incident_ID|from_date|logzio_token|search_term|Ingest\ only\ alerts\ that\ have\ “is_security”\ attribute\ set\ to\ True?|Ingest\ only\ alerts\ that\ have\ “is_incident”\ attribute\ set\ to\ True?|Fetch\ Backwards\ Time\ Interval\ (minutes)|Events\ Padding\ Period\ (hours)|Is\ Exchange\ On-Prem?|Is\ Office365\ (Exchange\ Online)?|Extract\ urls\ from\ HTML\ email\ part?|Create\ a\ Separate\ Siemplify\ Alert\ per\ Attached\ Mail\ File?|Email\ Padding\ Period\ (minutes)|Tenant\ (Directory)\ ID|Should\ ingest\ only\ starred\ threats?|Should\ ingest\ threats\ related\ to\ incidents?|Use\ the\ same\ approach\ with\ event\ creation\ for\ all\ alert\ types?|Enable\ Fallback\ Logic\ Debug?|Create\ Chronicle\ SOAR\ Alerts\ for\ Sentinel\ incidents\ that\ do\ not\ have\ entities?|Incidents\ Padding\ Period\ (minutes)|Wait\ For\ Scheduled/NRT\ Alert\ Object|Api_Key|Fetch\ Private\ Notes?|Offenses\ Creation\ Timer\ (minutes)|What\ Value\ to\ use\ for\ the\ Name\ Field\ of\ Siemplify\ Alert?|What\ Value\ to\ use\ for\ the\ Rule\ Generator\ Field\ of\ Siemplify\ Alert?|Mask\ findings?|Events\ Padding\ Period\ (minutes)|Track\ New\ Events\ Threshold\ (hours)|Token\ Timeout\ (in\ Seconds)|Script\ Timeout\ (Seconds)|IPs/Ranges
⚠️ JSON Result Example Validation Actions with JSON results missing example files in resources/: ListDetectors, CreateDetector, GetAllTrustedIPsLists, GetFindingDetails, GetDetectorDetails, CreateATrustedIPList, GetATrustedIPList, CreateThreatIntelligenceSet, ListThreatIntelligenceSets, GetThreatIntelligenceSetDetails, ListFindingsForDetector
⚠️ Test Config Validation 'aws_guard_duty' is missing tests/config.json
