Merge pull request #311 from wlami/assume-role-source-identity

Support STS AssumeRole SourceIdentity value

Author: gdavison

aws_config_test.go

@@ -208,6 +208,25 @@ func TestGetAwsConfig(t *testing.T) {
 				servicemocks.MockStsGetCallerIdentityValidEndpoint,
 			},
 		},
+		{
+			Config: &Config{
+				AccessKey: servicemocks.MockStaticAccessKey,
+				AssumeRole: &AssumeRole{
+					RoleARN:        servicemocks.MockStsAssumeRoleArn,
+					SessionName:    servicemocks.MockStsAssumeRoleSessionName,
+					SourceIdentity: servicemocks.MockStsAssumeRoleSourceIdentity,
+				},
+				Region:    "us-east-1",
+				SecretKey: servicemocks.MockStaticSecretKey,
+			},
+			Description:              "config AssumeRoleSourceIdentity",
+			ExpectedCredentialsValue: mockdata.MockStsAssumeRoleCredentials,
+			ExpectedRegion:           "us-east-1",
+			MockStsEndpoints: []*servicemocks.MockEndpoint{
+				servicemocks.MockStsAssumeRoleValidEndpointWithOptions(map[string]string{"SourceIdentity": servicemocks.MockStsAssumeRoleSourceIdentity}),
+				servicemocks.MockStsGetCallerIdentityValidEndpoint,
+			},
+		},
 		{
 			Config: &Config{
 				Profile: "SharedCredentialsProfile",

credentials.go

@@ -202,7 +202,7 @@ func assumeRoleCredentialsProvider(ctx context.Context, awsConfig aws.Config, c
 	}
 
 	// When assuming a role, we need to first authenticate the base credentials above, then assume the desired role
-	log.Printf("[INFO] Assuming IAM Role %q (SessionName: %q, ExternalId: %q)", ar.RoleARN, ar.SessionName, ar.ExternalID)
+	log.Printf("[INFO] Assuming IAM Role %q (SessionName: %q, ExternalId: %q, SourceIdentity: %q)", ar.RoleARN, ar.SessionName, ar.ExternalID, ar.SourceIdentity)
 
 	client := stsClient(awsConfig, c)
 
@@ -238,6 +238,10 @@ func assumeRoleCredentialsProvider(ctx context.Context, awsConfig aws.Config, c
 		if len(ar.TransitiveTagKeys) > 0 {
 			opts.TransitiveTagKeys = ar.TransitiveTagKeys
 		}
+
+		if ar.SourceIdentity != "" {
+			opts.SourceIdentity = aws.String(ar.SourceIdentity)
+		}
 	})
 	_, err := appCreds.Retrieve(ctx)
 	if err != nil {

internal/config/config.go

@@ -48,6 +48,7 @@ type AssumeRole struct {
 	Policy            string
 	PolicyARNs        []string
 	SessionName       string
+	SourceIdentity    string
 	Tags              map[string]string
 	TransitiveTagKeys []string
 }

servicemocks/mock.go

@@ -51,6 +51,7 @@ const (
 	MockStsAssumeRoleSecretKey         = `AssumeRoleSecretKey`
 	MockStsAssumeRoleSessionName       = `AssumeRoleSessionName`
 	MockStsAssumeRoleSessionToken      = `AssumeRoleSessionToken`
+	MockStsAssumeRoleSourceIdentity    = `AssumeRoleSourceIdentity`
 	MockStsAssumeRoleTagKey            = `AssumeRoleTagKey`
 	MockStsAssumeRoleTagValue          = `AssumeRoleTagValue`
 	MockStsAssumeRoleTransitiveTagKey  = `AssumeRoleTagKey`

v2/awsv1shim/session_test.go

@@ -254,6 +254,25 @@ func TestGetSession(t *testing.T) {
 				servicemocks.MockStsGetCallerIdentityValidEndpoint,
 			},
 		},
+		{
+			Config: &awsbase.Config{
+				AccessKey: servicemocks.MockStaticAccessKey,
+				AssumeRole: &awsbase.AssumeRole{
+					RoleARN:        servicemocks.MockStsAssumeRoleArn,
+					SessionName:    servicemocks.MockStsAssumeRoleSessionName,
+					SourceIdentity: servicemocks.MockStsAssumeRoleSourceIdentity,
+				},
+				Region:    "us-east-1",
+				SecretKey: servicemocks.MockStaticSecretKey,
+			},
+			Description:              "config AssumeRoleSourceIdentity",
+			ExpectedCredentialsValue: mockdata.MockStsAssumeRoleCredentials,
+			ExpectedRegion:           "us-east-1",
+			MockStsEndpoints: []*servicemocks.MockEndpoint{
+				servicemocks.MockStsAssumeRoleValidEndpointWithOptions(map[string]string{"SourceIdentity": servicemocks.MockStsAssumeRoleSourceIdentity}),
+				servicemocks.MockStsGetCallerIdentityValidEndpoint,
+			},
+		},
 		{
 			Config: &awsbase.Config{
 				Profile: "SharedCredentialsProfile",