diff --git a/.gitignore b/.gitignore
index e968c3ad323..20bb0ab57fb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,6 +10,7 @@ Release
 *#
 *.iml
 tags
+.vs
 .vscode

 # CI Artifacts
diff --git a/src/aws-cpp-sdk-identity-management/include/aws/identity-management/auth/STSProfileCredentialsProvider.h b/src/aws-cpp-sdk-identity-management/include/aws/identity-management/auth/STSProfileCredentialsProvider.h
index 4b90bb01ec7..871238deec4 100644
--- a/src/aws-cpp-sdk-identity-management/include/aws/identity-management/auth/STSProfileCredentialsProvider.h
+++ b/src/aws-cpp-sdk-identity-management/include/aws/identity-management/auth/STSProfileCredentialsProvider.h
@@ -67,8 +67,13 @@ namespace Aws
 * Returns the assumed role credentials or empty credentials on error.
 */
 AWSCredentials GetCredentialsFromSTS(const AWSCredentials& credentials, const Aws::String& roleARN);
+ /**
+ * Assumes a role given its ARN. Communication with STS is done through the provided credentials.
+ * Returns the assumed role credentials or empty credentials on error.
+ */
+ AWSCredentials GetCredentialsFromSTS(const AWSCredentials& credentials, const Aws::String& roleARN, const Aws::String& externalId);
 private:
- AWSCredentials GetCredentialsFromSTSInternal(const Aws::String& roleArn, Aws::STS::STSClient* client);
+ AWSCredentials GetCredentialsFromSTSInternal(const Aws::String& roleArn, const Aws::String& externalId, Aws::STS::STSClient* client);

 Aws::String m_profileName;
 AWSCredentials m_credentials;
diff --git a/src/aws-cpp-sdk-identity-management/source/auth/STSProfileCredentialsProvider.cpp b/src/aws-cpp-sdk-identity-management/source/auth/STSProfileCredentialsProvider.cpp
index fd82b678fba..28f050bbaff 100644
--- a/src/aws-cpp-sdk-identity-management/source/auth/STSProfileCredentialsProvider.cpp
+++ b/src/aws-cpp-sdk-identity-management/source/auth/STSProfileCredentialsProvider.cpp
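Review bot: The Doxygen block added above the new three-parameter `GetCredentialsFromSTS` overload is a verbatim copy of the two-parameter one and says nothing about `externalId`, which is the only reason the overload exists. The external ID is the value a trusting account's role policy matches to block the confused-deputy pattern, so a caller should learn here how an empty value is treated; the implementation in this commit only calls `SetExternalId` when the string is non-empty. I would add `@param externalId External ID sent with the STS AssumeRole request; an empty string means none is sent.` to the new comment, and ideally a matching one-liner on the private `GetCredentialsFromSTSInternal` declaration. The enclosing class continues outside the hunk.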
@@ -294,8 +294,9 @@ void STSProfileCredentialsProvider::Reload()
 }

 // get the role arn from the profile at the top of the stack (which hasn't been popped out yet)
- const auto arn = sourceProfiles.back()->second.GetRoleArn();
- const auto& assumedCreds = GetCredentialsFromSTS(stsCreds, arn);
+ const auto& arn = sourceProfiles.back()->second.GetRoleArn();
+ const auto& externalId = sourceProfiles.back()->second.GetExternalId();
+ const auto& assumedCreds = GetCredentialsFromSTS(stsCreds, arn, externalId);
 sourceProfiles.back()->second.SetCredentials(assumedCreds);
 }

@@ -309,7 +310,7 @@ void STSProfileCredentialsProvider::Reload()
 AWSCredentialsProvider::Reload();
 }

-AWSCredentials STSProfileCredentialsProvider::GetCredentialsFromSTSInternal(const Aws::String& roleArn, Aws::STS::STSClient* client)
+AWSCredentials STSProfileCredentialsProvider::GetCredentialsFromSTSInternal(const Aws::String& roleArn, const Aws::String& externalId, Aws::STS::STSClient* client)
 {
 using namespace Aws::STS::Model;
 AssumeRoleRequest assumeRoleRequest;
@@ -317,6 +318,10 @@ AWSCredentials STSProfileCredentialsProvider::GetCredentialsFromSTSInternal(cons
 .WithRoleArn(roleArn)
 .WithRoleSessionName(Aws::Utils::UUID::PseudoRandomUUID())
 .WithDurationSeconds(static_cast(std::chrono::seconds(m_duration).count()));
+ if (!externalId.empty())
+ {
+ assumeRoleRequest.SetExternalId(externalId);
+ }
 auto outcome = client->AssumeRole(assumeRoleRequest);
 if (outcome.IsSuccess())
 {
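Review bot: In the first hunk `arn` is switched from a value to `const auto&`, and `externalId` and `assumedCreds` are introduced the same way, yet `GetCredentialsFromSTS` returns `AWSCredentials` by value, so that reference only lives through lifetime extension of a temporary and reads like aliasing when none exists. Whether `GetRoleArn` and `GetExternalId` return references is not visible here; if they return by value the `&` is a no-op as well. Spelling it `const auto assumedCreds = GetCredentialsFromSTS(stsCreds, arn, externalId);` says what is meant and costs nothing, since the result is a prvalue. Reload's body starts and ends outside the hunk.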
@@ -334,12 +339,17 @@ AWSCredentials STSProfileCredentialsProvider::GetCredentialsFromSTSInternal(cons
 }

 AWSCredentials STSProfileCredentialsProvider::GetCredentialsFromSTS(const AWSCredentials& credentials, const Aws::String& roleArn)
+{
+ return GetCredentialsFromSTS(credentials, roleArn, "");
+}
+
+AWSCredentials STSProfileCredentialsProvider::GetCredentialsFromSTS(const AWSCredentials& credentials, const Aws::String& roleArn, const Aws::String& externalId)
 {
 using namespace Aws::STS::Model;
 if (m_stsClientFactory)
 {
- return GetCredentialsFromSTSInternal(roleArn, m_stsClientFactory(credentials));
+ return GetCredentialsFromSTSInternal(roleArn, externalId m_stsClientFactory(credentials));
 }
 Aws::STS::STSClient stsClient {credentials};
- return GetCredentialsFromSTSInternal(roleArn, &stsClient);
+ return GetCredentialsFromSTSInternal(roleArn, externalId, &stsClient);
 }
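Review bot: The rewritten factory branch is missing the comma between `externalId` and `m_stsClientFactory(credentials)`, so `return GetCredentialsFromSTSInternal(roleArn, externalId m_stsClientFactory(credentials));` will not compile; it should read `return GetCredentialsFromSTSInternal(roleArn, externalId, m_stsClientFactory(credentials));` to match the non-factory branch two lines below. The two-argument forwarding overload that passes `""` is the right way to keep existing callers working, since the implementation only sets the external ID when the string is non-empty.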