From cd02d87522029def9d4e518e919e96c3a69d8ec9 Mon Sep 17 00:00:00 2001
From: Jerome Vizcaino
Date: Thu, 2 Aug 2018 16:32:06 +0200
Subject: [PATCH] aws: allow external ID for sts:AssumeRole to be provided during `sts/*` updates

---
 builtin/logical/aws/path_sts.go | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/builtin/logical/aws/path_sts.go b/builtin/logical/aws/path_sts.go
index a6944768274e..98ebaa861638 100644
--- a/builtin/logical/aws/path_sts.go
+++ b/builtin/logical/aws/path_sts.go
@@ -16,6 +16,10 @@ func pathSTS(b *backend) *framework.Path {
 Type: framework.TypeString,
 Description: "Name of the role",
 },
+ "external_id": &framework.FieldSchema{
+ Type: framework.TypeString,
+ Description: "External ID to include in STS assume role call",
+ },
 "ttl": &framework.FieldSchema{
 Type: framework.TypeDurationSecond,
 Description: `Lifetime of the token in seconds.
@@ -55,10 +59,17 @@ func (b *backend) pathSTSRead(ctx context.Context, req *logical.Request, d *fram
 // Use sts:AssumeRole
 if role.ARN != "" {
+ // Try using provided external ID first
+ externalID := d.Get("external_id").(string)
+ if externalID == "" {
+ // Fall back to external ID store with role, if any
+ externalID = role.ExternalID
+ }
+
 return b.assumeRole(
 ctx, req.Storage,
- req.DisplayName, name, role.ARN, role.ExternalID,
+ req.DisplayName, name, role.ARN, externalID,
 ttl,
 )
 }
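Review bot: The description on the new `external_id` field does not say how it interacts with the external ID already stored on the role, which is the one thing a caller of `sts/<name>` needs to know, and the second hunk of this patch has the request value take precedence over the stored one. I'd spell that out in the schema, e.g. `Description: "External ID to pass to sts:AssumeRole. Only used when the role has a role ARN configured; takes precedence over any external_id stored on the role."`, and adjust the last clause if the precedence is changed. The `pathSTS` definition this field sits in starts and ends outside the hunk.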
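Review bot: The fallback order in the new block means a request-supplied `external_id` silently replaces `role.ExternalID`, so any client allowed to read `aws/sts/<name>` can now choose the external ID Vault presents to sts:AssumeRole, and the operator who configured the role can no longer rely on that value being pinned (the external ID is what AWS uses to guard against confused-deputy access, so which values the target trust policy accepts decides how much this matters). Unless the role-level value is meant to be a mere default, I would treat it as authoritative: use the request value only when the role has none, and return an error rather than substitute when both are set and differ, without echoing the supplied value in the message. This assumes the handler returns `(*logical.Response, error)` like the other path callbacks in this backend; `pathSTSRead` begins and ends outside the hunk, and since this is a read operation it is worth confirming that the framework populates `d` from query parameters for it.
```go
	// Use sts:AssumeRole
	if role.ARN != "" {
		externalID := d.Get("external_id").(string)
		switch {
		case externalID == "":
			// Nothing supplied: use whatever the role was configured with, if any.
			externalID = role.ExternalID
		case role.ExternalID != "" && externalID != role.ExternalID:
			// The role pins an external ID; a request may not substitute another one.
			return logical.ErrorResponse("external_id does not match the value configured on the role"), nil
		}
		// … unchanged: b.assumeRole call …
```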