ethyca-fides 2.59.2rc0__py2.py3-none-any.whl → 2.59.3b0__py2.py3-none-any.whl

fides/api/schemas/consentable_item.py

@@ -3,7 +3,6 @@ from typing import Dict, List, Literal, Optional
 from pydantic import BaseModel, Field
 
 from fides.api.models.consent_automation import ConsentableItem as ConsentableItemModel
-from fides.api.models.privacy_notice import UserConsentPreference
 from fides.api.schemas.base_class import FidesSchema
 
 
@@ -85,10 +84,8 @@ class ConsentWebhookResult(BaseModel):
 
     identity_map: Dict[
         Literal["email", "phone_number", "fides_user_device", "external_id"], str
-    ] = {}
-    notice_map: Dict[str, UserConsentPreference] = {}
-
-    @property
-    def success(self) -> bool:
-        """Returns true if both the identity map and notice map are not empty."""
-        return bool(self.identity_map) and bool(self.notice_map)
+    ] = Field(default_factory=dict, description="The identity of the user.")
+    notice_id_map: Dict[str, str] = Field(
+        default_factory=dict,
+        description="A map of privacy notice IDs to user consent preferences.",
+    )

fides/api/schemas/messaging/messaging.py

@@ -286,12 +286,19 @@ class MessagingServiceDetailsTwilioEmail(BaseModel):
 class MessagingServiceDetailsAWS_SES(BaseModel):
     """The details required to represent an AWS SES email configuration."""
 
-    email_from: str
-    domain: str
+    email_from: Optional[str] = None
+    domain: Optional[str] = None
     aws_region: str
 
     model_config = ConfigDict(extra="forbid")
 
+    @model_validator(mode="before")
+    @classmethod
+    def validate_fields(cls, values: Dict[str, Any]) -> Dict[str, Any]:
+        if not values.get("domain") and not values.get("email_from"):
+            raise ValueError("Either 'email_from' or 'domain' must be provided.")
+        return values
+
 
 class MessagingServiceSecrets(Enum):
     """Enum for message service secrets"""

fides/api/schemas/storage/storage.py

@@ -61,6 +61,20 @@ class StorageDetailsS3(FileBasedStorageDetails):
     model_config = ConfigDict(use_enum_values=True)
 
 
+class GCSAuthMethod(str, Enum):
+    ADC = "adc"  # Application Default Credentials
+    SERVICE_ACCOUNT_KEYS = "service_account_keys"
+
+
+class StorageDetailsGCS(FileBasedStorageDetails):
+    """The details required to represent a Google Cloud Storage bucket."""
+
+    auth_method: GCSAuthMethod
+    bucket: str
+    max_retries: Optional[int] = 0
+    model_config = ConfigDict(use_enum_values=True)
+
+
 class StorageDetailsLocal(FileBasedStorageDetails):
     """The details required to configurate local storage configuration"""
 
@@ -71,6 +85,8 @@ class StorageSecrets(Enum):
     # s3-specific
     AWS_ACCESS_KEY_ID = "aws_access_key_id"
     AWS_SECRET_ACCESS_KEY = "aws_secret_access_key"
+    REGION_NAME = "region_name"
+    AWS_ASSUME_ROLE = "assume_role_arn"
 
 
 class StorageSecretsLocal(BaseModel):
@@ -80,10 +96,27 @@ class StorageSecretsLocal(BaseModel):
 
 
 class StorageSecretsS3(BaseModel):
-    """The secrets required to connect to an S3 bucket."""
+    aws_access_key_id: Optional[str] = None
+    aws_secret_access_key: Optional[str] = None
+    region_name: Optional[str] = None
+    assume_role_arn: Optional[str] = None
+    model_config = ConfigDict(extra="forbid")
+
 
-    aws_access_key_id: str
-    aws_secret_access_key: str
+class StorageSecretsGCS(BaseModel):
+    """The secrets required to connect to a Google Cloud Storage bucket."""
+
+    type: str = "service_account"
+    project_id: str
+    private_key_id: str
+    private_key: str
+    client_email: str
+    client_id: str
+    auth_uri: str
+    token_uri: str
+    auth_provider_x509_cert_url: str
+    client_x509_cert_url: str
+    universe_domain: str
     model_config = ConfigDict(extra="forbid")
 
 
@@ -99,6 +132,7 @@ class StorageType(Enum):
 
 FULLY_CONFIGURED_STORAGE_TYPES = (
     StorageType.s3,
+    StorageType.gcs,
 )  # storage types that are considered "fully configured"
 
 
@@ -108,6 +142,7 @@ class StorageDestinationBase(BaseModel):
     type: StorageType
     details: Union[
         StorageDetailsS3,
+        StorageDetailsGCS,
         StorageDetailsLocal,
     ] = Field(validate_default=True)
     format: Optional[ResponseFormat] = ResponseFormat.json.value  # type: ignore
@@ -145,6 +180,7 @@ class StorageDestinationBase(BaseModel):
         try:
             schema = {
                 StorageType.s3.value: StorageDetailsS3,
+                StorageType.gcs.value: StorageDetailsGCS,
                 StorageType.local.value: StorageDetailsLocal,
             }[storage_type]
         except KeyError:
@@ -209,7 +245,7 @@ class BulkPutStorageConfigResponse(BulkResponse):
     failed: List[BulkUpdateFailed] = []
 
 
-SUPPORTED_STORAGE_SECRETS = StorageSecretsS3
+SUPPORTED_STORAGE_SECRETS = Union[StorageSecretsS3, StorageSecretsGCS]
 
 
 class StorageConfigStatus(Enum):

fides/api/schemas/storage/storage_secrets_docs_only.py

@@ -1,9 +1,15 @@
+from typing import Union
+
 from fides.api.schemas.base_class import NoValidationSchema
-from fides.api.schemas.storage.storage import StorageSecretsS3
+from fides.api.schemas.storage.storage import StorageSecretsGCS, StorageSecretsS3
 
 
 class StorageSecretsS3Docs(StorageSecretsS3, NoValidationSchema):
     """The secrets required to connect to S3, for documentation"""
 
 
-possible_storage_secrets = StorageSecretsS3Docs
+class StorageSecretsGCSDocs(StorageSecretsGCS, NoValidationSchema):
+    """The secrets required to connect to Google Cloud Storage, for documentation"""
+
+
+possible_storage_secrets = Union[StorageSecretsS3Docs, StorageSecretsGCSDocs]

fides/api/schemas/system.py

@@ -1,7 +1,7 @@
 from datetime import datetime
 from typing import Any, Dict, List, Optional, Sequence
 
-from fideslang.models import Cookies, PrivacyDeclaration, System
+from fideslang.models import PrivacyDeclaration, System
 from pydantic import ConfigDict, Field
 from pydantic.main import BaseModel
 
@@ -17,7 +17,6 @@ class PrivacyDeclarationResponse(PrivacyDeclaration):
     id: str = Field(
         description="The database-assigned ID of the privacy declaration on the system. This is meant to be a read-only field, returned only in API responses"
     )
-    cookies: Optional[List[Cookies]] = []
 
 
 class BasicSystemResponse(System):

fides/api/service/connectors/mysql_connector.py

@@ -1,10 +1,11 @@
-from typing import List
+from typing import Dict, List
 
 from sqlalchemy.engine import Engine, LegacyCursorResult, create_engine  # type: ignore
 
 from fides.api.graph.execution import ExecutionNode
 from fides.api.schemas.connection_configuration.connection_secrets_mysql import (
     MySQLSchema,
+    MySQLSSLMode,
 )
 from fides.api.service.connectors.query_configs.mysql_query_config import (
     MySQLQueryConfig,
@@ -69,16 +70,27 @@ class MySQLConnector(SQLConnector):
             uri = self.build_ssh_uri(local_address=self.ssh_server.local_bind_address)
         else:
             uri = (self.configuration.secrets or {}).get("url") or self.build_uri()
+        connect_args = self.get_connect_args()
         return create_engine(
             uri,
             hide_parameters=self.hide_parameters,
             echo=not self.hide_parameters,
+            connect_args=connect_args,
         )
 
     def query_config(self, node: ExecutionNode) -> SQLQueryConfig:
         """Query wrapper corresponding to the input execution_node."""
         return MySQLQueryConfig(node)
 
+    def get_connect_args(self) -> Dict[str, Dict[str, MySQLSSLMode]]:
+        """Get connection arguments for the engine"""
+        ssl_mode = self.configuration.secrets.get("ssl_mode", MySQLSSLMode.preferred)
+        return {
+            "ssl": {
+                "mode": ssl_mode,
+            }
+        }
+
     @staticmethod
     def cursor_result_to_rows(results: LegacyCursorResult) -> List[Row]:
         """

fides/api/service/connectors/saas_connector.py

@@ -4,6 +4,7 @@ from json import JSONDecodeError
 from typing import Any, Dict, List, Optional, Tuple, Union, cast
 
 import pydash
+from fideslang.validation import FidesKey
 from loguru import logger
 from requests import Response
 from sqlalchemy.orm import Session
@@ -18,7 +19,6 @@ from fides.api.common_exceptions import (
 from fides.api.graph.execution import ExecutionNode
 from fides.api.models.connectionconfig import ConnectionConfig, ConnectionTestStatus
 from fides.api.models.policy import Policy
-from fides.api.models.privacy_notice import UserConsentPreference
 from fides.api.models.privacy_request import PrivacyRequest, RequestTask
 from fides.api.schemas.consentable_item import (
     ConsentableItem,
@@ -687,15 +687,16 @@ class SaaSConnector(BaseConnector[AuthenticatedClient], Contextualizable):
 
         if notice_based_override_function:
             # follow the notice-based SaaS consent flow
-            notice_id_to_preference_map, filtered_preferences = (
-                build_user_consent_and_filtered_preferences_for_service(
-                    self.configuration.system,
-                    privacy_request,
-                    session,
-                    True,
-                )
+            (
+                notice_preference_map,
+                filtered_preferences,
+            ) = build_user_consent_and_filtered_preferences_for_service(
+                self.configuration.system,
+                privacy_request,
+                session,
+                True,
             )
-            if not notice_id_to_preference_map:
+            if not notice_preference_map:
                 logger.info(
                     "Skipping consent requests on node {}: No actionable consent preferences to propagate",
                     node.address.value,
@@ -723,12 +724,13 @@ class SaaSConnector(BaseConnector[AuthenticatedClient], Contextualizable):
                 )
             consent_propagation_status = self._invoke_consent_request_override(
                 notice_based_override_function,
+                self.configuration.key,
                 self.create_client(),
                 policy,
                 privacy_request,
                 self.secrets,
                 identity_data,
-                notice_id_to_preference_map,  # type: ignore[arg-type]
+                notice_preference_map,  # type: ignore[arg-type]
                 notice_based_consentable_item_hierarchy,
             )
             if consent_propagation_status == ConsentPropagationStatus.no_update_needed:
@@ -800,6 +802,7 @@ class SaaSConnector(BaseConnector[AuthenticatedClient], Contextualizable):
                     )
                     consent_propagation_status = self._invoke_consent_request_override(
                         override_function,
+                        self.configuration.key,
                         self.create_client(),
                         policy,
                         privacy_request,
@@ -997,12 +1000,13 @@ class SaaSConnector(BaseConnector[AuthenticatedClient], Contextualizable):
     @staticmethod
     def _invoke_consent_request_override(
         override_function: RequestOverrideFunction,
+        connection_key: FidesKey,
         client: AuthenticatedClient,
         policy: Policy,
         privacy_request: PrivacyRequest,
         secrets: Any,
         identity_data: Optional[Dict[str, Any]] = None,
-        notice_id_to_preference_map: Optional[Dict[str, UserConsentPreference]] = None,
+        notice_preference_map: Optional[Dict[str, Dict[str, Any]]] = None,
         consentable_items_hierarchy: Optional[List[ConsentableItem]] = None,
     ) -> ConsentPropagationStatus:
         """
@@ -1011,13 +1015,14 @@ class SaaSConnector(BaseConnector[AuthenticatedClient], Contextualizable):
         """
         try:
             logger.info("Invoking consent request override function...")
-            if notice_id_to_preference_map:
+            if notice_preference_map:
                 # At this point, we've already validated the override function signature to take these params
                 return override_function(
+                    connection_key,
                     client,
                     secrets,
                     identity_data,
-                    notice_id_to_preference_map,
+                    notice_preference_map,
                     consentable_items_hierarchy,
                 )  # type: ignore
             return override_function(

fides/api/service/saas_request/saas_request_override_factory.py

@@ -248,7 +248,7 @@ def validate_update_consent_function(f: Callable) -> None:
         )
     if len(sig.parameters) < 5:
         raise InvalidSaaSRequestOverrideException(
-            "Provided SaaS update consent function must declare at least 4 parameters"
+            "Provided SaaS update consent function must declare at least 5 parameters"
         )
 
 
@@ -258,9 +258,9 @@ def validate_process_consent_webhook_function(f: Callable) -> None:
         raise InvalidSaaSRequestOverrideException(
             "Provided SaaS process consent webhook function must return a ConsentWebhookResult"
         )
-    if len(sig.parameters) < 5:
+    if len(sig.parameters) < 4:
         raise InvalidSaaSRequestOverrideException(
-            "Provided SaaS process consent webhook function must declare at least 5 parameters"
+            "Provided SaaS process consent webhook function must declare at least 4 parameters"
         )
 
 

fides/api/service/storage/gcs.py

@@ -0,0 +1,38 @@
+from typing import Dict, Optional
+
+from google.cloud.storage import Client  # type: ignore
+from google.oauth2 import service_account
+from loguru import logger
+
+from fides.api.common_exceptions import StorageUploadError
+from fides.api.schemas.storage.storage import GCSAuthMethod
+
+
+def get_gcs_client(
+    auth_method: str,
+    storage_secrets: Optional[Dict],
+) -> Client:
+    """
+    Abstraction to retrieve a GCS client using secrets.
+    """
+    if auth_method == GCSAuthMethod.ADC.value:
+        storage_client = Client()
+
+    elif auth_method == GCSAuthMethod.SERVICE_ACCOUNT_KEYS.value:
+        if not storage_secrets:
+            err_msg = "Storage secrets not found for Google Cloud Storage."
+            logger.warning(err_msg)
+            raise StorageUploadError(err_msg)
+
+        credentials = service_account.Credentials.from_service_account_info(
+            dict(storage_secrets)
+        )
+        storage_client = Client(credentials=credentials)
+
+    else:
+        logger.error("Google Cloud Storage auth method not supported: {}", auth_method)
+        raise ValueError(
+            f"Google Cloud Storage auth method not supported: {auth_method}"
+        )
+
+    return storage_client

fides/api/service/storage/storage_authenticator_service.py

@@ -1,7 +1,12 @@
-from typing import Any, Dict, Union
+from typing import Any
 
 from botocore.exceptions import ClientError
+from google.auth.exceptions import GoogleAuthError
+from google.auth.transport.requests import Request
+from google.oauth2 import service_account
+from loguru import logger
 
+from fides.api.models.storage import StorageConfig
 from fides.api.schemas.storage.storage import (
     SUPPORTED_STORAGE_SECRETS,
     AWSAuthMethod,
@@ -13,32 +18,50 @@ from fides.api.util.aws_util import get_aws_session
 
 def secrets_are_valid(
     secrets: SUPPORTED_STORAGE_SECRETS,
-    storage_type: Union[StorageType, str],
+    storage_config: StorageConfig,
 ) -> bool:
     """Authenticates upload destination with appropriate upload method"""
-    if not isinstance(storage_type, StorageType):
-        # try to coerce into an enum
-        try:
-            storage_type = StorageType[storage_type]
-        except KeyError:
-            raise ValueError(
-                "storage_type argument must be a valid StorageType enum member."
-            )
-    uploader: Any = _get_authenticator_from_config(storage_type)
-    return uploader(secrets)
-
-
-def _s3_authenticator(secrets: Dict[StorageSecrets, Any]) -> bool:
+    uploader: Any = _get_authenticator_from_config(storage_config.type)  # type: ignore
+    return uploader(storage_config, secrets)
+
+
+def _s3_authenticator(
+    config: StorageConfig, secrets: dict[StorageSecrets, Any]
+) -> bool:
     """Authenticates secrets for s3, returns true if secrets are valid"""
     try:
-        get_aws_session(AWSAuthMethod.SECRET_KEYS.value, secrets.model_dump(mode="json"))  # type: ignore
+        get_aws_session(config.details["auth_method"] or AWSAuthMethod.SECRET_KEYS.value, secrets.model_dump(mode="json"))  # type: ignore
         return True
     except ClientError:
         return False
 
 
+def _gcs_authenticator(storage_config: StorageConfig, secrets: dict) -> bool:
+    """Autenticates secrets for Google Cloud Storage, returns true if secrets are valid"""
+    try:
+        credentials = service_account.Credentials.from_service_account_info(
+            dict(secrets),
+            scopes=["https://www.googleapis.com/auth/devstorage.read_only"],
+        )
+        # To validate the credentials, it is necessary to make a request to Google Cloud API
+        credentials.refresh(Request())
+        return True
+
+    except GoogleAuthError as auth_error:
+        logger.warning(
+            "Google authentication error trying to authenticate GCS secrets: {}",
+            auth_error,
+        )
+        return False
+
+    except Exception as e:
+        logger.warning("Unexpected error authenticating GCS secrets: {}", e)
+        return False
+
+
 def _get_authenticator_from_config(storage_type: StorageType) -> Any:
     """Determines which uploader method to use based on storage type"""
     return {
         StorageType.s3.value: _s3_authenticator,
+        StorageType.gcs.value: _gcs_authenticator,
     }[storage_type.value]

fides/api/service/storage/storage_uploader_service.py

@@ -14,7 +14,7 @@ from fides.api.schemas.storage.storage import (
     StorageDetails,
     StorageType,
 )
-from fides.api.tasks.storage import upload_to_local, upload_to_s3
+from fides.api.tasks.storage import upload_to_gcs, upload_to_local, upload_to_s3
 
 
 def upload(
@@ -78,6 +78,7 @@ def _get_uploader_from_config_type(storage_type: StorageType) -> Any:
     return {
         StorageType.s3.value: _s3_uploader,
         StorageType.local.value: _local_uploader,
+        StorageType.gcs.value: _gcs_uploader,
     }[storage_type.value]
 
 
@@ -106,6 +107,29 @@ def _s3_uploader(
     )
 
 
+def _gcs_uploader(
+    _: Session,
+    config: StorageConfig,
+    data: Dict,
+    privacy_request: PrivacyRequest,
+) -> str:
+    """Constructs necessary info needed for Google Cloud Storage before calling upload"""
+    file_key: str = _construct_file_key(privacy_request.id, config)
+
+    bucket_name = config.details[StorageDetails.BUCKET.value]
+    auth_method = config.details[StorageDetails.AUTH_METHOD.value]
+
+    return upload_to_gcs(
+        config.secrets,
+        data,
+        bucket_name,
+        file_key,
+        config.format.value,  # type: ignore
+        privacy_request,
+        auth_method,
+    )
+
+
 def _local_uploader(
     _: Session,
     config: StorageConfig,

fides/api/task/graph_task.py

@@ -125,16 +125,15 @@ def retry(
                     ActionDisabled,
                     NotSupportedForCollection,
                 ) as exc:
-                    traceback.print_exc()
                     logger.warning(
-                        "Skipping collection {} for privacy_request: {}",
+                        "{} - Skipping collection {} for privacy_request: {}",
+                        exc.__class__.__name__,
                         self.execution_node.address,
                         self.resources.request.id,
                     )
                     self.log_skipped(action_type, exc)
                     return default_return
                 except SkippingConsentPropagation as exc:
-                    traceback.print_exc()
                     logger.warning(
                         "Skipping consent propagation on collection {} for privacy_request: {}",
                         self.execution_node.address,

fides/api/tasks/storage.py

@@ -16,6 +16,7 @@ from fides.api.schemas.storage.storage import ResponseFormat, StorageSecrets
 from fides.api.service.privacy_request.dsr_package.dsr_report_builder import (
     DsrReportBuilder,
 )
+from fides.api.service.storage.gcs import get_gcs_client
 from fides.api.service.storage.s3 import (
     create_presigned_url_for_s3,
     generic_upload_to_s3,
@@ -64,7 +65,7 @@ def encrypt_access_request_results(data: Union[str, bytes], request_id: str) ->
 def write_to_in_memory_buffer(
     resp_format: str, data: Dict[str, Any], privacy_request: PrivacyRequest
 ) -> BytesIO:
-    """Write JSON/CSV data to in-memory file-like object to be passed to S3. Encrypt data if encryption key/nonce
+    """Write JSON/CSV data to in-memory file-like object to be passed to S3 or GCS. Encrypt data if encryption key/nonce
     has been cached for the given privacy request id
 
     :param resp_format: str, should be one of ResponseFormat
@@ -130,7 +131,11 @@ def upload_to_s3(  # pylint: disable=R0913
         raise ValueError("Privacy request must be provided")
 
     try:
-        s3_client = get_s3_client(auth_method, storage_secrets)
+        s3_client = get_s3_client(
+            auth_method,
+            storage_secrets,
+            assume_role_arn=CONFIG.credentials["storage"].get("aws_s3_assume_role_arn"),
+        )
 
         # handles file chunking
         try:
@@ -157,6 +162,49 @@ def upload_to_s3(  # pylint: disable=R0913
         raise ValueError(f"The parameters you provided are incorrect: {e}")
 
 
+def upload_to_gcs(
+    storage_secrets: Dict,
+    data: Dict,
+    bucket_name: str,
+    file_key: str,
+    resp_format: str,
+    privacy_request: PrivacyRequest,
+    auth_method: str,
+) -> str:
+    """Uploads access request data to a Google Cloud Storage bucket"""
+    logger.info("Starting Google Cloud Storage upload of {}", file_key)
+
+    try:
+        storage_client = get_gcs_client(auth_method, storage_secrets)
+        bucket = storage_client.bucket(bucket_name)
+
+        blob = bucket.blob(file_key)
+        in_memory_file = write_to_in_memory_buffer(resp_format, data, privacy_request)
+        content_type = {
+            ResponseFormat.json.value: "application/json",
+            ResponseFormat.csv.value: "application/zip",
+            ResponseFormat.html.value: "application/zip",
+        }
+        blob.upload_from_string(
+            in_memory_file.getvalue(), content_type=content_type[resp_format]
+        )
+
+        logger.info("File {} uploaded to {}", file_key, blob.public_url)
+
+        presigned_url = blob.generate_signed_url(
+            version="v4",
+            expiration=CONFIG.security.subject_request_download_link_ttl_seconds,
+            method="GET",
+        )
+        return presigned_url
+    except Exception as e:
+        logger.error(
+            "Encountered error while uploading and generating link for Google Cloud Storage object: {}",
+            e,
+        )
+        raise e
+
+
 def upload_to_local(
     data: Dict,
     file_key: str,

fides/api/util/aws_util.py

@@ -22,6 +22,10 @@ def get_aws_session(
     if storage_secrets is None:
         # set to an empty dict to allow for more dynamic code downstream
         storage_secrets = {}
+
+    stored_region_name = storage_secrets.get("region_name")  # type: ignore
+    stored_assume_role_arn: Optional[str] = storage_secrets.get("assume_role_arn")  # type: ignore
+
     if auth_method == AWSAuthMethod.SECRET_KEYS.value:
         if not storage_secrets:
             err_msg = "Storage secrets not found for S3 storage."
@@ -33,12 +37,10 @@ def get_aws_session(
             aws_secret_access_key=storage_secrets[
                 StorageSecrets.AWS_SECRET_ACCESS_KEY.value  # type: ignore
             ],
-            region_name=storage_secrets.get("region_name"),  # type: ignore
+            region_name=stored_region_name,
         )
     elif auth_method == AWSAuthMethod.AUTOMATIC.value:
-        session = Session(
-            region_name=storage_secrets.get("region_name"),  # type: ignore
-        )
+        session = Session(region_name=stored_region_name)
         logger.info("Successfully created automatic session")
     else:
         logger.error("AWS auth method not supported: {}", auth_method)
@@ -48,20 +50,13 @@ def get_aws_session(
     sts_client = session.client("sts")
     sts_client.get_caller_identity()
 
-    if assume_role_arn:
+    target_assume_role_arn = assume_role_arn or stored_assume_role_arn
+    if target_assume_role_arn:
         try:
-            response = sts_client.assume_role(
-                RoleArn=assume_role_arn, RoleSessionName="FidesAssumeRoleSession"
-            )
-            temp_credentials = response["Credentials"]
-            logger.info(
-                f"Assumed role {assume_role_arn} and got temporary credentials."
-            )
-            return Session(
-                aws_access_key_id=temp_credentials["AccessKeyId"],
-                aws_secret_access_key=temp_credentials["SecretAccessKey"],
-                aws_session_token=temp_credentials["SessionToken"],
-                region_name=storage_secrets.get("region_name"),  # type: ignore
+            return get_assumed_role_session(
+                target_assume_role_arn,
+                sts_client,
+                stored_region_name,
             )
         except ClientError as error:
             logger.exception(
@@ -72,6 +67,22 @@ def get_aws_session(
         return session
 
 
+def get_assumed_role_session(
+    assume_role_arn: str, sts_client: Any, region_name: Optional[str] = None
+) -> Session:
+    response = sts_client.assume_role(
+        RoleArn=assume_role_arn, RoleSessionName="FidesAssumeRoleSession"
+    )
+    temp_credentials = response["Credentials"]
+    logger.info(f"Assumed role {assume_role_arn} and got temporary credentials.")
+    return Session(
+        aws_access_key_id=temp_credentials["AccessKeyId"],
+        aws_secret_access_key=temp_credentials["SecretAccessKey"],
+        aws_session_token=temp_credentials["SessionToken"],
+        region_name=region_name,
+    )
+
+
 def get_s3_client(
     auth_method: str,
     storage_secrets: Optional[Dict[StorageSecrets, Any]],