Some tweaks

src/main/java/com/dtolabs/rundeck/plugin/resources/ec2/EC2ResourceModelSource.java

@@ -23,11 +23,8 @@
 */
 package com.dtolabs.rundeck.plugin.resources.ec2;
 
-import com.amazonaws.auth.AWSCredentials;
+import com.amazonaws.auth.*;
 import com.amazonaws.ClientConfiguration;
-import com.amazonaws.auth.AWSCredentialsProvider;
-import com.amazonaws.auth.BasicAWSCredentials;
-import com.amazonaws.auth.BasicSessionCredentials;
 import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;
 import com.amazonaws.services.securitytoken.model.*;
 import com.dtolabs.rundeck.core.common.*;
@@ -84,7 +81,10 @@ public class EC2ResourceModelSource implements ResourceModelSource {
     Future<INodeSet> futureResult = null;
     final Properties mapping = new Properties();
     final String assumeRoleArn;
+    final String assumeRoleArnCombinedWithExtId;
     AWSCredentialsProvider awsCredentialsProvider;
+
+    final String externalId;
     int pageResults;
 
     AWSCredentials credentials;
@@ -161,7 +161,8 @@ public EC2ResourceModelSource(final Properties configuration, final Services ser
         this.pageResults = Integer.parseInt(configuration.getProperty(EC2ResourceModelSourceFactory.MAX_RESULTS));
         this.httpProxyHost = configuration.getProperty(EC2ResourceModelSourceFactory.HTTP_PROXY_HOST);
         this.assumeRoleArn = configuration.getProperty(EC2ResourceModelSourceFactory.ROLE_ARN);
-        this.awsCredentialsProvider = provider;
+        this.assumeRoleArnCombinedWithExtId = configuration.getProperty(EC2ResourceModelSourceFactory.ROLE_ARN_COMBINED_WITH_EXT_ID);
+        this.externalId = configuration.getProperty(EC2ResourceModelSourceFactory.EXTERNAL_ID);
         int proxyPort = 80;
 
         final String proxyPortStr = configuration.getProperty(EC2ResourceModelSourceFactory.HTTP_PROXY_PORT);
@@ -229,28 +230,17 @@ private void initialize() {
         loadMapping();
 
         if (this.credentials == null) {
-            if(assumeRoleArn == null && this.awsCredentialsProvider != null){
-                this.credentials = this.awsCredentialsProvider.getCredentials();
-            } else if(assumeRoleArn != null) {
-                AWSSecurityTokenServiceClient sts_client;
-
-                if (this.awsCredentialsProvider != null) {
-                    sts_client = new AWSSecurityTokenServiceClient(this.awsCredentialsProvider, clientConfiguration);
-                } else {
-                    sts_client = new AWSSecurityTokenServiceClient(clientConfiguration);
+            if(this.externalId != null && this.assumeRoleArnCombinedWithExtId != null){
+                this.credentials = createAwsCredentials(null, this.assumeRoleArnCombinedWithExtId, this.externalId);
+            }
+
+            if(assumeRoleArn != null) {
+                AWSCredentialsProvider provider = null;
+                if(this.credentials != null){
+                    provider = new AWSStaticCredentialsProvider(credentials);
                 }
-                //        sts_client.setEndpoint("sts-endpoint.amazonaws.com");
-
-                AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest();
-                assumeRoleRequest.setRoleArn(assumeRoleArn);
-                assumeRoleRequest.setRoleSessionName("RundeckEC2ResourceModelSourceSession");
-                AssumeRoleResult assumeRoleResult = sts_client.assumeRole(assumeRoleRequest);
-                Credentials assumeCredentials = assumeRoleResult.getCredentials();
-                credentials = new BasicSessionCredentials(
-                        assumeCredentials.getAccessKeyId(),
-                        assumeCredentials.getSecretAccessKey(),
-                        assumeCredentials.getSessionToken()
-                );
+
+                credentials = createAwsCredentials(provider, assumeRoleArn, null);
             }
         }
 
@@ -261,6 +251,29 @@ private void initialize() {
         mapper.setRunningStateOnly(runningOnly);
     }
 
+    private AWSCredentials createAwsCredentials(AWSCredentialsProvider provider, String assumeRoleArn, String externalId) {
+        AWSSecurityTokenServiceClient sts_client;
+
+        if (provider != null) {
+            sts_client = new AWSSecurityTokenServiceClient(provider, clientConfiguration);
+        } else {
+            sts_client = new AWSSecurityTokenServiceClient(clientConfiguration);
+        }
+        //        sts_client.setEndpoint("sts-endpoint.amazonaws.com");
+        AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest();
+        assumeRoleRequest.setRoleArn(assumeRoleArn);
+        if(externalId!=null){
+            assumeRoleRequest.setExternalId(externalId);
+        }
+        assumeRoleRequest.setRoleSessionName("RundeckEC2ResourceModelSourceSession");
+        AssumeRoleResult assumeRoleResult = sts_client.assumeRole(assumeRoleRequest);
+        Credentials assumeCredentials = assumeRoleResult.getCredentials();
+        return new BasicSessionCredentials(
+                assumeCredentials.getAccessKeyId(),
+                assumeCredentials.getSecretAccessKey(),
+                assumeCredentials.getSessionToken()
+        );
+    }
 
     public synchronized INodeSet getNodes() throws ResourceModelSourceException {
         checkFuture();

src/main/java/com/dtolabs/rundeck/plugin/resources/ec2/EC2ResourceModelSourceFactory.java

@@ -61,6 +61,8 @@ public class EC2ResourceModelSourceFactory implements ResourceModelSourceFactory
     public static final String SECRET_KEY = "secretKey";
     public static final String SECRET_KEY_STORAGE_PATH = "secretKeyStoragePath";
     public static final String ROLE_ARN = "assumeRoleArn";
+    public static final String ROLE_ARN_COMBINED_WITH_EXT_ID = "assumeRoleArnCombinedWithExternalId";
+    public static final String EXTERNAL_ID = "externalId";
     public static final String REGION = "region";
     public static final String MAPPING_FILE = "mappingFile";
     public static final String REFRESH_INTERVAL = "refreshInterval";