Support IAM Assume Role as access method

library/Aws/AssumeRole.php

@@ -0,0 +1,28 @@
+<?php
+
+namespace Icinga\Module\Aws;
+
+class AssumeRole
+{
+    protected $arn;
+
+    protected $session;
+
+    public static function create($arn, $session)
+    {
+        $assumeRole = new static();
+
+        $assumeRole->arn = $arn;
+        $assumeRole->session = $session;
+
+        return $assumeRole;
+    }
+
+    public function getParams()
+    {
+        return [
+            'RoleArn'         => $this->arn,
+            'RoleSessionName' => $this->session
+        ];
+    }
+}

library/Aws/AwsClient.php

@@ -3,7 +3,11 @@
 namespace Icinga\Module\Aws;
 
 use Aws\Api\DateTimeResult;
+use Aws\Credentials\AssumeRoleCredentialProvider;
+use Aws\Credentials\CredentialProvider;
+use Aws\Credentials\InstanceProfileProvider;
 use Aws\Sdk;
+use Aws\Sts\StsClient;
 use Icinga\Application\Config;
 
 class AwsClient
@@ -17,7 +21,7 @@ class AwsClient
      */
     protected $sdk;
 
-    public function __construct(AwsKey $key = null, $region)
+    public function __construct($key = null, $region)
     {
         $this->region = $region;
         $this->key = $key;
@@ -265,6 +269,14 @@ protected function initializeSdk()
 
         if ($this->key instanceof AwsKey) {
             $params['credentials'] = $this->key->getCredentials();
+        } else if ($this->key instanceof AssumeRole) {
+            $assumeRoleCredentials = new AssumeRoleCredentialProvider([
+                'client' => new StsClient($params + [
+                    'credentials' => new InstanceProfileProvider()
+                ]),
+                'assume_role_params' => $this->key->getParams()
+            ]);
+            $params['credentials'] = CredentialProvider::memoize($assumeRoleCredentials);
         }
 
         $config = Config::module('aws');

library/Aws/ProvidedHook/Director/ImportSource.php

@@ -2,6 +2,8 @@
 
 namespace Icinga\Module\Aws\ProvidedHook\Director;
 
+use Icinga\Module\Aws\AssumeRole;
+use Icinga\Module\Director\Forms\ImportSourceForm;
 use Icinga\Module\Director\Hook\ImportSourceHook;
 use Icinga\Module\Director\Web\Form\QuickForm;
 use Icinga\Module\Aws\AwsClient;
@@ -25,7 +27,11 @@ public function fetchData()
         $key = null;
 
         if ($keyName) {
-            $key = AwsKey::loadByName($keyName);
+            if ($keyName === 'IAM assume role') {
+                $key = AssumeRole::create($this->getSetting('iam_assume_role'), 'director');
+            } else {
+                $key = AwsKey::loadByName($keyName);
+            }
         }
 
         $client = new AwsClient($key, $this->getSetting('aws_region'));
@@ -158,15 +164,27 @@ public static function addSettingsFormFields(QuickForm $form)
             'label'        => 'AWS access method',
             'required'     => false,
             'description'  => $form->translate(
-                'Use IAM role credential or select your AWS key. This shows all keys from your keys.ini.'
+                'Use IAM role credential, assume role or select your AWS key.'
+                . ' This shows all keys from your keys.ini.'
                 . ' Please check the documentation if you miss the keys in the list.'
             ),
-            'multiOptions' => $form->optionalEnum(AwsKey::enumKeyNames(), $form->translate(
+            'multiOptions' => $form->optionalEnum(
+                AwsKey::enumKeyNames()
+                    + ['IAM assume role' => $form->translate('IAM assume role')],
+                $form->translate(
                 'IAM role credentials'
             )),
             'class'        => 'autosubmit',
         ));
 
+        /** @var ImportSourceForm $form */
+        if ($form->getSentOrObjectSetting('aws_access_key') === 'IAM assume role') {
+            $form->addElement('text', 'iam_assume_role', [
+                'label'    => 'Assume role',
+                'required' => true
+            ]);
+        }
+
         $form->addElement('select', 'object_type', array(
             'label'        => 'Object type',
             'required'     => true,