Support assume role external ID in STSProfileCredentialsProvider.

aws · Jan 26, 2024 · 9ba0d7d · 9ba0d7d
1 parent 592b3df
commit 9ba0d7d
Showing 2 changed files with 21 additions and 6 deletions.
diff --git a/...-identity-management/include/aws/identity-management/auth/STSProfileCredentialsProvider.h b/...-identity-management/include/aws/identity-management/auth/STSProfileCredentialsProvider.h
@@ -106,8 +106,13 @@ namespace Aws
              * Returns the assumed role credentials or empty credentials on error.
              */
             AWSCredentials GetCredentialsFromSTS(const AWSCredentials& credentials, const Aws::String& roleARN);
+            /**
+             * Assumes a role given its ARN. Communication with STS is done through the provided credentials.
+             * Returns the assumed role credentials or empty credentials on error.
+             */
+            AWSCredentials GetCredentialsFromSTS(const AWSCredentials& credentials, const Aws::String& roleARN, const Aws::String& externalId);
         private:
-            AWSCredentials GetCredentialsFromSTSInternal(const Aws::String& roleArn, Aws::STS::STSClient* client);
+            AWSCredentials GetCredentialsFromSTSInternal(const Aws::String& roleArn, const Aws::String& externalId, Aws::STS::STSClient* client);
 
             Aws::String m_profileName;
             AWSCredentials m_credentials;

diff --git a/src/aws-cpp-sdk-identity-management/source/auth/STSProfileCredentialsProvider.cpp b/src/aws-cpp-sdk-identity-management/source/auth/STSProfileCredentialsProvider.cpp
@@ -316,8 +316,9 @@ void STSProfileCredentialsProvider::Reload()
         }
 
         // get the role arn from the profile at the top of the stack (which hasn't been popped out yet)
-        const auto arn = sourceProfiles.back()->second.GetRoleArn();
-        const auto& assumedCreds = GetCredentialsFromSTS(stsCreds, arn);
+        const auto& arn = sourceProfiles.back()->second.GetRoleArn();
+        const auto& externalId = sourceProfiles.back()->second.GetExternalId();
+        const auto& assumedCreds = GetCredentialsFromSTS(stsCreds, arn, externalId);
         sourceProfiles.back()->second.SetCredentials(assumedCreds);
     }
 
@@ -331,14 +332,18 @@ void STSProfileCredentialsProvider::Reload()
     AWSCredentialsProvider::Reload();
 }
 
-AWSCredentials STSProfileCredentialsProvider::GetCredentialsFromSTSInternal(const Aws::String& roleArn, Aws::STS::STSClient* client)
+AWSCredentials STSProfileCredentialsProvider::GetCredentialsFromSTSInternal(const Aws::String& roleArn, const Aws::String& externalId, Aws::STS::STSClient* client)
 {
     using namespace Aws::STS::Model;
     AssumeRoleRequest assumeRoleRequest;
     assumeRoleRequest
         .WithRoleArn(roleArn)
         .WithRoleSessionName(Aws::Utils::UUID::PseudoRandomUUID())
         .WithDurationSeconds(static_cast<int>(std::chrono::seconds(m_duration).count()));
+    if (!externalId.empty())
+    {
+        assumeRoleRequest.SetExternalId(externalId);
+    }
     auto outcome = client->AssumeRole(assumeRoleRequest);
     if (outcome.IsSuccess())
     {
@@ -356,13 +361,18 @@ AWSCredentials STSProfileCredentialsProvider::GetCredentialsFromSTSInternal(cons
 }
 
 AWSCredentials STSProfileCredentialsProvider::GetCredentialsFromSTS(const AWSCredentials& credentials, const Aws::String& roleArn)
+{
+    return GetCredentialsFromSTS(credentials, roleArn, "");
+}
+
+AWSCredentials STSProfileCredentialsProvider::GetCredentialsFromSTS(const AWSCredentials& credentials, const Aws::String& roleArn, const Aws::String& externalId)
 {
     using namespace Aws::STS::Model;
     if (m_stsClientFactory) {
         auto client = m_stsClientFactory(credentials);
-        return GetCredentialsFromSTSInternal(roleArn, client.get());
+        return GetCredentialsFromSTSInternal(roleArn, externalId, client.get());
     }
 
     Aws::STS::STSClient stsClient {credentials};
-    return GetCredentialsFromSTSInternal(roleArn, &stsClient);
+    return GetCredentialsFromSTSInternal(roleArn, externalId, &stsClient);
 }