Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support External Id and Session Token #1887

Merged
merged 3 commits into from
Oct 11, 2023
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 9 additions & 1 deletion pkg/credentials/assume_role.go
Original file line number Diff line number Diff line change
Expand Up @@ -93,14 +93,16 @@ type STSAssumeRoleOptions struct {
AccessKey string
SecretKey string

Policy string // Optional to assign a policy to the assumed role
SessionToken string // Optional if the first request is made with temporary credentials.
Policy string // Optional to assign a policy to the assumed role

Location string // Optional commonly needed with AWS STS.
DurationSeconds int // Optional defaults to 1 hour.

// Optional only valid if using with AWS STS
RoleARN string
RoleSessionName string
ExternalID string
}

// NewSTSAssumeRole returns a pointer to a new
Expand Down Expand Up @@ -161,6 +163,9 @@ func getAssumeRoleCredentials(clnt *http.Client, endpoint string, opts STSAssume
if opts.Policy != "" {
v.Set("Policy", opts.Policy)
}
if opts.ExternalID != "" {
v.Set("ExternalId", opts.ExternalID)
}

u, err := url.Parse(endpoint)
if err != nil {
Expand All @@ -181,6 +186,9 @@ func getAssumeRoleCredentials(clnt *http.Client, endpoint string, opts STSAssume
}
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("X-Amz-Content-Sha256", hex.EncodeToString(hash.Sum(nil)))
if opts.SessionToken != "" {
req.Header.Set("X-Amz-Security-Token", opts.SessionToken)
}
req = signer.SignV4STS(*req, opts.AccessKey, opts.SecretKey, opts.Location)

resp, err := clnt.Do(req)
Expand Down
Loading