Support AWS ARN role

README.md

@@ -18,6 +18,7 @@ resources:
   source:
     access_key_id: {{aws-access-key}}
     secret_access_key: {{aws-secret-key}}
+    aws_role_arn: arn:aws:iam::{{s3_account_id}}:role/{{s3_user}}
     bucket: {{aws-bucket}}
     path: [<optional>, use to sync to a specific path of the bucket instead of root of bucket]
     change_dir_to: [<optional, see note below>]
@@ -32,7 +33,7 @@ jobs:
 
 ## AWS Credentials
 
-The `access_key_id` and `secret_access_key` are optional and if not provided the EC2 Metadata service will be queried for role based credentials.
+The `access_key_id`, `secret_access_key` and `aws_role_arn` are optional and if not provided the EC2 Metadata service will be queried for role based credentials.
 
 ## change_dir_to
 

assets/check

@@ -8,6 +8,7 @@ set -e
 payload=`cat`
 bucket=$(echo "$payload" | jq -r '.source.bucket')
 prefix="$(echo "$payload" | jq -r '.source.path // ""')"
+role=$(echo "$payload" | jq -r '.source.aws_role_arn // empty')
 
 # export for `aws` cli
 AWS_ACCESS_KEY_ID=$(echo "$payload" | jq -r '.source.access_key_id // empty')
@@ -18,6 +19,15 @@ AWS_DEFAULT_REGION=$(echo "$payload" | jq -r '.source.region // empty')
 if [ -n "$AWS_ACCESS_KEY_ID" ] && [ -n "$AWS_SECRET_ACCESS_KEY" ]; then
   export AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
   export AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
+  if [ -n "$role" ]; then
+    session_name=$(date +%s)
+    export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" \
+    $(aws sts assume-role \
+    --role-arn $role \
+    --role-session-name $session_name \
+    --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
+    --output text))
+  fi
 fi
 
 # Export AWS_DEFAULT_REGION if set

assets/in

@@ -19,6 +19,7 @@ payload=`cat`
 bucket=$(echo "$payload" | jq -r '.source.bucket')
 path=$(echo "$payload" | jq -r '.source.path // ""')
 options=$(echo "$payload" | jq -r '.source.options // [] | join(" ")')
+role=$(echo "$payload" | jq -r '.source.aws_role_arn // empty')
 
 # export for `aws` cli
 AWS_ACCESS_KEY_ID=$(echo "$payload" | jq -r '.source.access_key_id // empty')
@@ -29,6 +30,15 @@ AWS_DEFAULT_REGION=$(echo "$payload" | jq -r '.source.region // empty')
 if [ -n "$AWS_ACCESS_KEY_ID" ] && [ -n "$AWS_SECRET_ACCESS_KEY" ]; then
   export AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
   export AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
+  if [ -n "$role" ]; then
+    session_name=$(date +%s)
+    export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" \
+    $(aws sts assume-role \
+    --role-arn $role \
+    --role-session-name $session_name \
+    --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
+    --output text))
+  fi
 fi
 
 # Export AWS_DEFAULT_REGION if set

assets/out

@@ -22,6 +22,7 @@ bucket=$(echo "$payload" | jq -r '.source.bucket')
 path=$(echo "$payload" | jq -r '.source.path // ""')
 options=$(echo "$payload" | jq -r '.source.options // [] | join(" ")')
 change_dir_to=$(echo "$payload" | jq -r '.source.change_dir_to // "." ')
+role=$(echo "$payload" | jq -r '.source.aws_role_arn // empty')
 
 # export for `aws` cli
 AWS_ACCESS_KEY_ID=$(echo "$payload" | jq -r '.source.access_key_id // empty')
@@ -32,6 +33,15 @@ AWS_DEFAULT_REGION=$(echo "$payload" | jq -r '.source.region // empty')
 if [ -n "$AWS_ACCESS_KEY_ID" ] && [ -n "$AWS_SECRET_ACCESS_KEY" ]; then
   export AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
   export AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
+  if [ -n "$role" ]; then
+    session_name=$(date +%s)
+    export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" \
+    $(aws sts assume-role \
+    --role-arn $role \
+    --role-session-name $session_name \
+    --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
+    --output text))
+  fi
 fi
 
 # re-enable trace since we're done interacting with sensitive values