From 488e489097885d7c8b1ff9aae1b38a6a0aaef909 Mon Sep 17 00:00:00 2001
From: Erik Kristensen
Date: Thu, 28 Sep 2023 13:40:01 -0600
Subject: [PATCH 1/3] feat: support external id parameter for AWS
---
 pkg/credentials/assume_role.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/pkg/credentials/assume_role.go b/pkg/credentials/assume_role.go
index 1c73d1008..f311ad758 100644
--- a/pkg/credentials/assume_role.go
+++ b/pkg/credentials/assume_role.go
@@ -101,6 +101,7 @@ type STSAssumeRoleOptions struct {
 // Optional only valid if using with AWS STS
 RoleARN string
 RoleSessionName string
+ ExternalId string
 }
 // NewSTSAssumeRole returns a pointer to a new
@@ -161,6 +162,9 @@ func getAssumeRoleCredentials(clnt *http.Client, endpoint string, opts STSAssume
 if opts.Policy != "" {
 v.Set("Policy", opts.Policy)
 }
+ if opts.ExternalId != "" {
+ v.Set("ExternalId", opts.ExternalId)
+ }
 u, err := url.Parse(endpoint)
 if err != nil {
From a0fbe90b50e9ef47b14bbc3af5577b377093432f Mon Sep 17 00:00:00 2001
From: Erik Kristensen
Date: Thu, 28 Sep 2023 13:49:29 -0600
Subject: [PATCH 2/3] fix: casing
---
 pkg/credentials/assume_role.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pkg/credentials/assume_role.go b/pkg/credentials/assume_role.go
index f311ad758..4f49feb2a 100644
--- a/pkg/credentials/assume_role.go
+++ b/pkg/credentials/assume_role.go
@@ -101,7 +101,7 @@ type STSAssumeRoleOptions struct {
 // Optional only valid if using with AWS STS
 RoleARN string
 RoleSessionName string
- ExternalId string
+ ExternalID string
 }
 // NewSTSAssumeRole returns a pointer to a new
@@ -162,8 +162,8 @@ func getAssumeRoleCredentials(clnt *http.Client, endpoint string, opts STSAssume
 if opts.Policy != "" {
 v.Set("Policy", opts.Policy)
 }
- if opts.ExternalId != "" {
- v.Set("ExternalId", opts.ExternalId)
+ if opts.ExternalID != "" {
+ v.Set("ExternalId", opts.ExternalID)
 }
 u, err := url.Parse(endpoint)
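Review bot: The `ExternalId` field added to `STSAssumeRoleOptions` in patch 1/3 (renamed `ExternalID` in 2/3) has no comment of its own, and the group comment above it only says the fields are valid with AWS STS. A reader cannot tell that the value is sent as the STS `ExternalId` request parameter, which a role's trust policy can require through an `sts:ExternalId` condition to protect cross-account access against the confused-deputy problem. I would add a trailing comment such as `// Optional external ID sent as ExternalId; needed when the role's trust policy conditions on sts:ExternalId.` The struct begins above the hunk.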
From 0c00fd6963c8714ea2d2e264b70da8f6daae2daf Mon Sep 17 00:00:00 2001
From: Erik Kristensen
Date: Thu, 28 Sep 2023 14:38:54 -0600
Subject: [PATCH 3/3] add: support session token
---
 pkg/credentials/assume_role.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/pkg/credentials/assume_role.go b/pkg/credentials/assume_role.go
index 4f49feb2a..800c4a294 100644
--- a/pkg/credentials/assume_role.go
+++ b/pkg/credentials/assume_role.go
@@ -93,7 +93,8 @@ type STSAssumeRoleOptions struct {
 AccessKey string
 SecretKey string
- Policy string // Optional to assign a policy to the assumed role
+ SessionToken string // Optional if the first request is made with temporary credentials.
+ Policy string // Optional to assign a policy to the assumed role
 Location string // Optional commonly needed with AWS STS.
 DurationSeconds int // Optional defaults to 1 hour.
@@ -185,6 +186,9 @@ func getAssumeRoleCredentials(clnt *http.Client, endpoint string, opts STSAssume
 }
 req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 req.Header.Set("X-Amz-Content-Sha256", hex.EncodeToString(hash.Sum(nil)))
+ if opts.SessionToken != "" {
+ req.Header.Set("X-Amz-Security-Token", opts.SessionToken)
+ }
 req = signer.SignV4STS(*req, opts.AccessKey, opts.SecretKey, opts.Location)
 resp, err := clnt.Do(req)
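Review bot: The comment on the new `SessionToken` field, "Optional if the first request is made with temporary credentials", can be read as saying the token may be left out in exactly the case where it is needed. When `AccessKey`/`SecretKey` are themselves temporary credentials the token has to travel with them, and a request without it is expected to be rejected by STS. Suggested wording: `SessionToken string // Required when AccessKey/SecretKey are temporary credentials; leave empty for long-term keys.` The struct begins above the hunk and continues below it.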
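Review bot: Nothing in the second hunk says that `X-Amz-Security-Token` must be set before the `signer.SignV4STS` call that follows it. `SignV4STS` receives only the access key, secret key and location, so the token reaches the request solely through this header; presumably the signer includes headers already on the request in the signed-header list, which is worth confirming in the signer package. A short comment would protect the ordering against later refactors: `// Set before signing so the session token is covered by the SigV4 signature.` The diffstat lists only assume_role.go, so no test pins the header, and the function body starts and ends outside the hunk.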