

aws: allow external ID for sts:AssumeRole to be provided during `sts/…
…*` updates
j-vizcaino committed Aug 2, 2018
1 parent ed97b49 commit cd02d87
Showing 1 changed file with 12 additions and 1 deletion.
13 changes: 12 additions & 1 deletion builtin/logical/aws/path_sts.go
Expand Up @@ -16,6 +16,10 @@ func pathSTS(b *backend) *framework.Path {
Type: framework.TypeString,
Description: "Name of the role",
},
"external_id": &framework.FieldSchema{
Type: framework.TypeString,
Description: "External ID to include in STS assume role call",
},
"ttl": &framework.FieldSchema{
Type: framework.TypeDurationSecond,
Description: `Lifetime of the token in seconds.
Expand Down Expand Up @@ -55,10 +59,17 @@ func (b *backend) pathSTSRead(ctx context.Context, req *logical.Request, d *fram

// Use sts:AssumeRole
if role.ARN != "" {
// Try using provided external ID first
externalID := d.Get("external_id").(string)
if externalID == "" {
// Fall back to external ID store with role, if any
externalID = role.ExternalID
}

return b.assumeRole(
ctx,
req.Storage,
req.DisplayName, name, role.ARN, role.ExternalID,
req.DisplayName, name, role.ARN, externalID,
ttl,
)
}
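Review bot: The request-supplied value wins over the stored one at `externalID := d.Get("external_id").(string)` with `role.ExternalID` used only as the fallback, so any client permitted to read `sts/<name>` can now substitute its own external ID for the one the operator configured on the role; since the external ID is the trust-policy value that keeps this backend from acting as a confused deputy, that precedence deserves to be an explicit decision rather than an implicit one. If the override is intended, state it in the first hunk's field schema, e.g. `Description: "External ID to include in STS assume role call; overrides the external ID configured on the role when set",`; if it is not, consider honoring the request value only when `role.ExternalID` is empty, or rejecting a request whose value differs from the stored one. The type assertion itself looks safe for a `framework.TypeString` field, assuming an absent field yields its empty-string default as the framework usually does. `pathSTSRead` begins before this hunk and its body continues past it.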

