Skip to content

Commit

Permalink
Adds support for SourceIdentity to stscreds.AssumeRoleProvider (#…
Browse files Browse the repository at this point in the history
…1588)

Adds support for SourceIdentity to stscreds.AssumeRoleProvider. Fixes #1575
  • Loading branch information
gdavison authored Feb 22, 2022
1 parent d5c2270 commit aa5938d
Show file tree
Hide file tree
Showing 3 changed files with 51 additions and 0 deletions.
8 changes: 8 additions & 0 deletions .changelog/f443b2e713084bae9c8c8aaf4d94323e.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
{
"id": "f443b2e7-1308-4bae-9c8c-8aaf4d94323e",
"type": "feature",
"description": "Adds support for `SourceIdentity` to `stscreds.AssumeRoleProvider` [#1588](https://github.com/aws/aws-sdk-go-v2/pull/1588). Fixes [#1575](https://github.com/aws/aws-sdk-go-v2/issues/1575)",
"modules": [
"credentials"
]
}
13 changes: 13 additions & 0 deletions credentials/stscreds/assume_role_provider.go
Original file line number Diff line number Diff line change
Expand Up @@ -208,6 +208,18 @@ type AssumeRoleOptions struct {
// or an Amazon Resource Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user).
SerialNumber *string

// The source identity specified by the principal that is calling the AssumeRole
// operation. You can require users to specify a source identity when they assume a
// role. You do this by using the sts:SourceIdentity condition key in a role trust
// policy. You can use source identity information in CloudTrail logs to determine
// who took actions with a role. You can use the aws:SourceIdentity condition key
// to further control access to Amazon Web Services resources based on the value of
// source identity. For more information about using source identity, see Monitor
// and control actions taken with assumed roles
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
// in the IAM User Guide.
SourceIdentity *string

// Async method of providing MFA token code for assuming an IAM role with MFA.
// The value returned by the function will be used as the TokenCode in the Retrieve
// call. See StdinTokenProvider for a provider that prompts and reads from stdin.
Expand Down Expand Up @@ -266,6 +278,7 @@ func (p *AssumeRoleProvider) Retrieve(ctx context.Context) (aws.Credentials, err
RoleArn: aws.String(p.options.RoleARN),
RoleSessionName: aws.String(p.options.RoleSessionName),
ExternalId: p.options.ExternalID,
SourceIdentity: p.options.SourceIdentity,
Tags: p.options.Tags,
TransitiveTagKeys: p.options.TransitiveTagKeys,
}
Expand Down
30 changes: 30 additions & 0 deletions credentials/stscreds/assume_role_provider_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -145,6 +145,36 @@ func TestAssumeRoleProvider_MFAWithNoToken(t *testing.T) {
}
}

func TestAssumeRoleProvider_WithSourceIdentity(t *testing.T) {
const sourceIdentity = "Source-Identity"

stub := &mockAssumeRole{
TestInput: func(in *sts.AssumeRoleInput) {
if e, a := sourceIdentity, *in.SourceIdentity; e != a {
t.Fatalf("expect %v, got %v", e, a)
}
},
}
p := stscreds.NewAssumeRoleProvider(stub, roleARN, func(options *stscreds.AssumeRoleOptions) {
options.SourceIdentity = aws.String(sourceIdentity)
})

creds, err := p.Retrieve(context.Background())
if err != nil {
t.Fatalf("Expect no error, %v", err)
}

if e, a := roleARN, creds.AccessKeyID; e != a {
t.Errorf("Expect access key ID to be reflected role ARN")
}
if e, a := "assumedSecretAccessKey", creds.SecretAccessKey; e != a {
t.Errorf("Expect secret access key to match")
}
if e, a := "assumedSessionToken", creds.SessionToken; e != a {
t.Errorf("Expect session token to match")
}
}

func TestAssumeRoleProvider_WithTags(t *testing.T) {
stub := &mockAssumeRole{
TestInput: func(in *sts.AssumeRoleInput) {
Expand Down

0 comments on commit aa5938d

Please sign in to comment.