aws · aajtodd · Mar 16, 2023 · Feb 17, 2023 · Feb 27, 2023 · gdavison
@@ -0,0 +1,8 @@
+{
+    "id": "73865312-4e2a-43e0-ba61-89b0d31764e7",
+    "type": "bugfix",
+    "description": "Allow RoleARN to be set as functional option on STS WebIdentityRoleOptions. Fixes aws/aws-sdk-go-v2#2015.",
+    "modules": [
+        "config"
+    ]
+}
@@ -384,25 +384,36 @@ func assumeWebIdentity(ctx context.Context, cfg *aws.Config, filepath string, ro
 		return fmt.Errorf("token file path is not set")
 	}
 
-	if len(roleARN) == 0 {
-		return fmt.Errorf("role ARN is not set")
-	}
-
-	optFns := []func(*stscreds.WebIdentityRoleOptions){
-		func(options *stscreds.WebIdentityRoleOptions) {
-			options.RoleSessionName = sessionName
-		},
-	}
+	var optFns []func(*stscreds.WebIdentityRoleOptions)
 
 	optFn, found, err := getWebIdentityCredentialProviderOptions(ctx, configs)
 	if err != nil {
 		return err
 	}
+
 	if found {
 		optFns = append(optFns, optFn)
 	}
 
-	provider := stscreds.NewWebIdentityRoleProvider(sts.NewFromConfig(*cfg), roleARN, stscreds.IdentityTokenFile(filepath), optFns...)
+	opts := stscreds.WebIdentityRoleOptions{
+		RoleARN:         roleARN,
+		RoleSessionName: sessionName,
+	}
+
+	for _, fn := range optFns {
+		fn(&opts)
+	}
+
+	if len(opts.RoleARN) == 0 {
+		return fmt.Errorf("role ARN is not set")
+	}
+
+	client := opts.Client
+	if client == nil {
+		client = sts.NewFromConfig(*cfg)
+	}
+
+	provider := stscreds.NewWebIdentityRoleProvider(client, roleARN, stscreds.IdentityTokenFile(filepath), optFns...)
 
 	cfg.Credentials = provider
 

@@ -0,0 +1,63 @@
+package config
+
+import (
+	"context"
+	"fmt"
+	"github.com/aws/aws-sdk-go-v2/credentials/stscreds"
+	"github.com/aws/aws-sdk-go-v2/internal/awstesting"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"testing"
+)
+
+// see https://github.com/aws/aws-sdk-go-v2/issues/2015
+func TestResolveWebIdentityWithOptions(t *testing.T) {
+
+	t.Run("token from env", func(t *testing.T) {
+		restoreEnv := initConfigTestEnv()
+		defer awstesting.PopEnv(restoreEnv)
+
+		var tokenFile = filepath.Join("testdata", "wit.txt")
+		os.Setenv("AWS_WEB_IDENTITY_TOKEN_FILE", tokenFile)
+		os.Setenv("AWS_REGION", "us-east-1")
+
+		config, err := LoadDefaultConfig(context.Background(),
+			WithWebIdentityRoleCredentialOptions(func(options *stscreds.WebIdentityRoleOptions) {
+				options.RoleARN = "test-arn"
+			}),
+		)
+
+		if err != nil {
+			t.Fatalf("expect no error, got %v", err)
+		}
+
+		fmt.Println(config.Credentials)
+
+	})
+
+	t.Run("token from profile", func(t *testing.T) {
+		// profile is still required to fully specify web identity properties for consistency with other SDKs/SEP
+		restoreEnv := initConfigTestEnv()
+		defer awstesting.PopEnv(restoreEnv)
+
+		var configFileForWindows = filepath.Join("testdata", "config_source_shared_for_windows")
+		var configFile = filepath.Join("testdata", "config_source_shared")
+
+		os.Setenv("AWS_REGION", "us-east-1")
+		os.Setenv("AWS_PROFILE", "webident-partial")
+
+		if runtime.GOOS == "windows" {
+			os.Setenv("AWS_CONFIG_FILE", configFileForWindows)
+		} else {
+			os.Setenv("AWS_CONFIG_FILE", configFile)
+		}
+
+		_, err := LoadDefaultConfig(context.Background())
+
+		if err == nil || !strings.Contains(err.Error(), "web_identity_token_file requires role_arn") {
+			t.Fatalf("expected profile parsing error, got %v", err)
+		}
+	})
+}
@@ -98,3 +98,6 @@ sso_region = us-west-2
 [profile webident]
 web_identity_token_file = ./testdata/wit.txt
 role_arn = webident_arn
+
+[profile webident-partial]
+web_identity_token_file = ./testdata/wit.txt
@@ -27,3 +27,6 @@ sso_start_url = https://127.0.0.1/start
 [profile webident]
 web_identity_token_file = .\testdata\wit.txt
 role_arn = webident_arn
+
+[profile webident-partial]
+web_identity_token_file = .\testdata\wit.txt