AWS: Allow STS AssumeRole with external_id

Allow users to provide an external_id at assumerole creds generation time.
DataDog · Sep 7, 2018 · 2087459 · 2087459
1 parent 8575f8f
commit 2087459
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/builtin/logical/aws/path_user.go b/builtin/logical/aws/path_user.go
@@ -31,6 +31,10 @@ func pathUser(b *backend) *framework.Path {
 				Description: "Lifetime of the returned credentials in seconds",
 				Default:     3600,
 			},
+			"external_id": &framework.FieldSchema{
+				Type:        framework.TypeString,
+				Description: "STS external ID",
+			},
 		},
 
 		Callbacks: map[logical.Operation]framework.OperationFunc{
@@ -58,6 +62,7 @@ func (b *backend) pathCredsRead(ctx context.Context, req *logical.Request, d *fr
 
 	ttl := int64(d.Get("ttl").(int))
 	roleArn := d.Get("role_arn").(string)
+	externalId := d.Get("external_id").(string)
 
 	var credentialType string
 	switch {
@@ -103,7 +108,7 @@ func (b *backend) pathCredsRead(ctx context.Context, req *logical.Request, d *fr
 		case !strutil.StrListContains(role.RoleArns, roleArn):
 			return logical.ErrorResponse(fmt.Sprintf("role_arn %q not in allowed role arns for Vault role %q", roleArn, roleName)), nil
 		}
-		return b.assumeRole(ctx, req.Storage, req.DisplayName, roleName, roleArn, role.PolicyDocument, ttl)
+		return b.assumeRole(ctx, req.Storage, req.DisplayName, roleName, roleArn, role.PolicyDocument, externalId, ttl)
 	case federationTokenCred:
 		return b.secretTokenCreate(ctx, req.Storage, req.DisplayName, roleName, role.PolicyDocument, ttl)
 	default:

diff --git a/builtin/logical/aws/secret_access_keys.go b/builtin/logical/aws/secret_access_keys.go
@@ -110,7 +110,7 @@ func (b *backend) secretTokenCreate(ctx context.Context, s logical.Storage,
 }
 
 func (b *backend) assumeRole(ctx context.Context, s logical.Storage,
-	displayName, roleName, roleArn, policy string,
+	displayName, roleName, roleArn, policy, externalId string,
 	lifeTimeInSeconds int64) (*logical.Response, error) {
 	STSClient, err := clientSTS(ctx, s)
 	if err != nil {
@@ -127,6 +127,9 @@ func (b *backend) assumeRole(ctx context.Context, s logical.Storage,
 	if policy != "" {
 		assumeRoleInput.SetPolicy(policy)
 	}
+	if externalId != "" {
+		assumeRoleInput.SetExternalId(externalId)
+	}
 	tokenResp, err := STSClient.AssumeRole(assumeRoleInput)
 
 	if err != nil {