Fix 403 during execute connector (#4414)

b4sjoo · pyek-bot · commit 28dfdb69f28e · 2025-11-14T11:27:57.000-08:00
diff --git a/ml-algorithms/src/main/java/org/opensearch/ml/engine/algorithms/agent/AgentUtils.java b/ml-algorithms/src/main/java/org/opensearch/ml/engine/algorithms/agent/AgentUtils.java
@@ -1044,51 +1044,60 @@ public static Map<String, Object> createMemoryParams(
             memoryParams.put(TENANT_ID_FIELD, mlAgent.getTenantId());
         }
         if (requestParameters != null) {
-            // Check if parameters are wrapped in remote_agent_memory_configuration
-            String remoteMemoryConfigStr = requestParameters.get("remote_agent_memory_configuration");
-            if (!Strings.isNullOrEmpty(remoteMemoryConfigStr)) {
-                // Parse the remote_agent_memory_configuration JSON
+            // Check if parameters are wrapped in memory_configuration
+            String memoryConfigStr = requestParameters.get("memory_configuration");
+            if (!Strings.isNullOrEmpty(memoryConfigStr)) {
+                // Parse the memory_configuration JSON
                 try (
                     XContentParser parser = JsonXContent.jsonXContent
-                        .createParser(NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE, remoteMemoryConfigStr)
+                        .createParser(NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE, memoryConfigStr)
                 ) {
                     ensureExpectedToken(XContentParser.Token.START_OBJECT, parser.nextToken(), parser);
-                    Map<String, Object> remoteMemoryConfig = parser.map();
+                    Map<String, Object> memoryConfig = parser.map();
 
                     // Extract memory_container_id
-                    String memoryContainerIdParam = (String) remoteMemoryConfig.get(MEMORY_CONTAINER_ID_FIELD);
+                    String memoryContainerIdParam = (String) memoryConfig.get(MEMORY_CONTAINER_ID_FIELD);
                     if (!Strings.isNullOrEmpty(memoryContainerIdParam)) {
                         memoryParams.put(MEMORY_CONTAINER_ID_FIELD, memoryContainerIdParam);
                     }
 
                     // Extract endpoint
-                    String endpointParam = (String) remoteMemoryConfig.get(ENDPOINT_FIELD);
+                    String endpointParam = (String) memoryConfig.get(ENDPOINT_FIELD);
                     if (!Strings.isNullOrEmpty(endpointParam)) {
                         memoryParams.put(ENDPOINT_FIELD, endpointParam);
                     }
 
                     // Extract region
-                    String regionParam = (String) remoteMemoryConfig.get(HttpConnector.REGION_FIELD);
+                    String regionParam = (String) memoryConfig.get(HttpConnector.REGION_FIELD);
                     if (!Strings.isNullOrEmpty(regionParam)) {
                         memoryParams.put(HttpConnector.REGION_FIELD, regionParam);
                     }
 
                     // Extract credential
-                    Object credentialObj = remoteMemoryConfig.get(CREDENTIAL_FIELD);
+                    Object credentialObj = memoryConfig.get(CREDENTIAL_FIELD);
                     if (credentialObj instanceof Map) {
                         Map<String, String> credential = (Map<String, String>) credentialObj;
                         if (!credential.isEmpty()) {
                             memoryParams.put(CREDENTIAL_FIELD, credential);
                         }
                     }
 
+                    // Check for direct roleArn field - if present, override credential map
+                    String roleArnParam = (String) memoryConfig.get("roleArn");
+                    if (!Strings.isNullOrEmpty(roleArnParam)) {
+                        // Override credential with roleArn
+                        Map<String, String> roleArnCredential = new HashMap<>();
+                        roleArnCredential.put("roleArn", roleArnParam);
+                        memoryParams.put(CREDENTIAL_FIELD, roleArnCredential);
+                    }
+
                     // Extract user_id if provided
-                    String userIdParam = (String) remoteMemoryConfig.get("user_id");
+                    String userIdParam = (String) memoryConfig.get("user_id");
                     if (!Strings.isNullOrEmpty(userIdParam)) {
                         memoryParams.put("user_id", userIdParam);
                     }
                 } catch (Exception e) {
-                    log.error("Failed to parse remote_agent_memory_configuration", e);
+                    log.error("Failed to parse memory_configuration", e);
                 }
             }
             memoryParams.put(TENANT_ID_FIELD, mlAgent.getTenantId());
diff --git a/ml-algorithms/src/main/java/org/opensearch/ml/engine/memory/RemoteAgenticConversationMemory.java b/ml-algorithms/src/main/java/org/opensearch/ml/engine/memory/RemoteAgenticConversationMemory.java
@@ -1032,6 +1032,9 @@ private Connector createInlineConnector(String endpoint, String region, Map<Stri
                 credentials.putAll(credential);
             }
 
+            // Extract tenant ID from role ARN if applicable
+            String tenantId = extractTenantIdFromRoleArn(serviceName, credentials);
+
             // Create Memory Container API actions
             List<ConnectorAction> actions = createMemoryContainerActions();
 
@@ -1046,6 +1049,7 @@ private Connector createInlineConnector(String endpoint, String region, Map<Stri
                     .parameters(parameters)
                     .credential(credentials)
                     .actions(actions)
+                    .tenantId(tenantId)
                     .build();
             } else {
                 // Use HttpConnector for plain HTTP
@@ -1056,6 +1060,7 @@ private Connector createInlineConnector(String endpoint, String region, Map<Stri
                     .parameters(parameters)
                     .credential(credentials.isEmpty() ? null : credentials)
                     .actions(actions)
+                    .tenantId(null)
                     .build();
             }
 
@@ -1087,8 +1092,8 @@ private Connector createInlineConnector(String endpoint, String region, Map<Stri
             connector
                 .decrypt(
                     ConnectorAction.ActionType.EXECUTE.name(),
-                    (cred, tenantId) -> cred,  // No-op function - credentials are already plaintext
-                    null  // No tenant ID for inline connectors
+                    (cred, tenant) -> cred,  // No-op function - credentials are already plaintext
+                    tenantId
                 );
 
             return connector;
@@ -1211,6 +1216,48 @@ private String extractServiceName(String endpoint) {
             return "aoss";
         }
 
+        /**
+         * Extract dummy tenant ID from role ARN for AOSS services.
+         * Essentially we only need the front part (account ID) as client ID when in AOSS
+         *
+         * @param serviceName The AWS service name (aoss or es)
+         * @param credential The credential map that may contain roleArn
+         * @return Tenant ID in format "account:role" for AOSS, null for ES or if roleArn not present
+         *
+         * Example:
+         * - Input: serviceName="aoss", roleArn="arn:aws:iam::123456789012:role/role-name"
+         * - Output: "123456789012:role"
+         */
+        private String extractTenantIdFromRoleArn(String serviceName, Map<String, String> credential) {
+            // Return null for ES service
+            if (!"aoss".equals(serviceName)) {
+                return null;
+            }
+
+            // Check if credential map exists and contains roleArn
+            if (credential == null || !credential.containsKey("roleArn")) {
+                return null;
+            }
+
+            String roleArn = credential.get("roleArn");
+            if (Strings.isNullOrEmpty(roleArn)) {
+                return null;
+            }
+
+            // Expected format: arn:aws:iam::{account}:role/{role-name}
+            try {
+                String[] parts = roleArn.split(":");
+                if (parts.length >= 5 && "role".equals(parts[4])) {
+                    String account = parts[3];
+                    return account + ":role";
+                }
+            } catch (Exception e) {
+                log.error("Failed to parse roleArn: {}", roleArn, e);
+            }
+
+            return null;
+        }
+
         /**
          * Validate endpoint URL
          */
diff --git a/plugin/src/main/java/org/opensearch/ml/action/connector/ExecuteConnectorTransportAction.java b/plugin/src/main/java/org/opensearch/ml/action/connector/ExecuteConnectorTransportAction.java
@@ -107,10 +107,11 @@ private void executeWithConnector(
         ActionListener<MLTaskResponse> listener,
         boolean decryptWithEncryptor
     ) {
+        String connectorTenantId = connector.getTenantId();
         if (decryptWithEncryptor) {
-            connector.decrypt(action, (credential, tenantId) -> encryptor.decrypt(credential, null), null);
+            connector.decrypt(action, (credential, tenantId) -> encryptor.decrypt(credential, tenantId), connectorTenantId);
         } else {
-            connector.decrypt(action, (credential, tenantId) -> credential, null);
+            connector.decrypt(action, (credential, tenantId) -> credential, connectorTenantId);
         }
         RemoteConnectorExecutor connectorExecutor = MLEngineClassLoader.initInstance(connector.getProtocol(), connector, Connector.class);
         connectorExecutor.setConnectorPrivateIpEnabled(mlFeatureEnabledSetting.isConnectorPrivateIpEnabled());
