add support for passing externalID to assume role

[jeffmhastings]

It is common practice to require an "external ID" when making cross-account calls to STS assume role. This adds an optional "--external-id"/"-e"argument to the token command. When included it is passed in the AssumeRoleProvider.

Issue: #209

[k8s-ci-robot]

Welcome @jeffmhastings!

It looks like this is your first PR to kubernetes-sigs/aws-iam-authenticator 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/aws-iam-authenticator has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[jeffmhastings]

/assign @nckturner

[christopherhein]

@jeffmhastings sorry for the delayed review on this. My one concern with how it was implemented is it will break clients like https://github.com/weaveworks/eksctl wonder if we can do this so it wouldn’t potentially adding a new func entirely and having the original funcs calling it? @errordeveloper and @nckturner definitely good to have your eyes on this

[jeffmhastings]

Yeah that makes sense. Adding a function or two could work if you don't anticipate needing to add more in the future. Though at that point the API might start to get a bit confusing.

We could consider using an options struct or options funcs (like stscreds.NewCredentials).

GetWithOptions(options GetTokenOptions) seems like it might be the simplest and most flexible.

Anyway I'm open to whatever you all think is best.

[jeffmhastings]

I took a stab at refactoring to use an options struct. This shouldn't break the existing API.

[jeffmhastings]

/retest

[k8s-ci-robot]

@jeffmhastings: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

/retest

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[christopherhein]

/ok-to-test

[christopherhein]

/retest

[jeffmhastings]

It doesn't seem like it actually re-ran the tests with the /retest command. That travis failure is from 11 days ago.

[nckturner]

/lgtm

[nckturner]

This looks great to me, @micahhausler can you take a quick look and we'll get this merged?

[micahhausler]

I like this refactor. Thanks!

[nckturner]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jeffmhastings, nckturner

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [nckturner]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[AmitNahMesh]

Hey, I Have the same issue as well.
Could you let me know if you found a solution for this? @jeffmhastings
Here or at [email protected]
Thanks!

[jeffmhastings]

@AmitNahMesh I'm not sure I understand what issue you're having. Since this was merged you can now pass an external ID to the aws-iam-authenticator token command

aws-iam-authenticator token --help
Authenticate using AWS IAM and get token for Kubernetes

Usage:
  aws-iam-authenticator token [flags]

Flags:
      --cache                  Cache the credential on disk until it expires. Uses the aws profile specified by AWS_PROFILE or the default profile.
  -e, --external-id string     External ID to pass when assuming the IAM Role
      --forward-session-name   Enable mapping a federated sessions caller-specified-role-name attribute onto newly assumed sessions. NOTE: Only applicable when a new role is requested via --role
  -h, --help                   help for token
      --region string          AWS region to use for assume role calls
  -r, --role string            Assume an IAM Role ARN before signing this token
  -s, --session-name string    Session name to pass when assuming the IAM Role
      --token-only             Return only the token for use with Bearer token based tools

Global Flags:
  -i, --cluster-id ID                 Specify the cluster ID, a unique-per-cluster identifier for your aws-iam-authenticator installation.
  -c, --config filename               Load configuration from filename
      --feature-gates mapStringBool   A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
                                      AllAlpha=true|false (ALPHA - default=false)
                                      AllBeta=true|false (BETA - default=false)
                                      ConfiguredInitDirectories=true|false (ALPHA - default=false)
                                      IAMIdentityMappingCRD=true|false (ALPHA - default=false)
  -l, --log-format string             Specify log format to use when logging to stderr [text or json] (default "text")