Merge pull request #42 from dmyates/assumerole-externalid

Add ExternalID support to assume-role ingestion

cli.py

@@ -124,11 +124,13 @@ def handle_ingest(args):
 
         if args.role_to_assume:
 
-            assumed_role = session.client('sts').assume_role(
-                RoleArn=args.role_to_assume,
-                RoleSessionName=f"awspx",
-                DurationSeconds=args.role_to_assume_duration
-            )["Credentials"]
+            assume_role_args = {"RoleArn": args.role_to_assume,
+                                "RoleSessionName": "awspx",
+                                "DurationSeconds": args.role_to_assume_duration,
+                                **dict({"ExternalId": args.role_to_assume_external_id} if args.role_to_assume_external_id else {})
+                                }
+
+            assumed_role = session.client('sts').assume_role(**assume_role_args)["Credentials"]
 
             session = boto3.session.Session(
                 aws_access_key_id=assumed_role["AccessKeyId"],
@@ -287,6 +289,8 @@ def attack(name):
                      help="ARN of a role to assume for ingestion (useful for cross-account ingestion).")
     pnr.add_argument('--assume-role-duration', dest='role_to_assume_duration', type=int, default=3600,
                      help="Maximum session duration in seconds (for --assume-role).")
+    pnr.add_argument('--assume-role-external-id', dest='role_to_assume_external_id',
+                     help="External ID for the role to assume.")
     pnr.add_argument('--region', dest='region', default="eu-west-1", choices=Profile.regions,
                      help="Region to ingest (defaults to profile region, or `eu-west-1` if not set).")
     pnr.add_argument('--database', dest='database', default=None,