Add support for SourceIdentity to stscreds.NewCredentials #4830

Merged
merged 1 commit into from
May 18, 2023
12 changes: 8 additions & 4 deletions aws/credentials/stscreds/assume_role_provider.go
Expand Up @@ -9,7 +9,7 @@ to refresh the credentials will be synchronized. But, the SDK is unable to
ensure synchronous usage of the AssumeRoleProvider if the value is shared
between multiple Credentials, Sessions or service clients.

Assume Role
# Assume Role
Contributor Author

This seems to be getting added by gofmt? I am not sure why these wouldn't already be present, but I did confirm that gofmt wants to add these now.


To assume an IAM role using STS with the SDK you can create a new Credentials
with the SDKs's stscreds package.
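
Review bot: The `# Assume Role` heading edit here, like the `# Assume Role with static MFA Token` and `# Assume Role with MFA Token Provider` edits in the next two hunks, is formatter output unrelated to SourceIdentity, as the author's comment notes. Please say so in the commit message so the functional change (the new field and its use in `RetrieveWithContext`) is easy to pick out when this file's history is read later. While this doc comment is being touched, the context line "with the SDKs's stscreds package" could also be corrected to "SDK's".
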
Expand All @@ -27,7 +27,7 @@ with the SDKs's stscreds package.
// from assumed role.
svc := s3.New(sess, &aws.Config{Credentials: creds})

Assume Role with static MFA Token
# Assume Role with static MFA Token

To assume an IAM role with a MFA token you can either specify a MFA token code
directly or provide a function to prompt the user each time the credentials
Expand All @@ -49,7 +49,7 @@ credentials.
// from assumed role.
svc := s3.New(sess, &aws.Config{Credentials: creds})

Assume Role with MFA Token Provider
# Assume Role with MFA Token Provider

To assume an IAM role with MFA for longer running tasks where the credentials
may need to be refreshed setting the TokenProvider field of AssumeRoleProvider
Expand All @@ -74,7 +74,6 @@ single Credentials with an AssumeRoleProvider can be shared safely.
// Create service client value configured for credentials
// from assumed role.
svc := s3.New(sess, &aws.Config{Credentials: creds})

*/
package stscreds

Expand Down Expand Up @@ -199,6 +198,10 @@ type AssumeRoleProvider struct {
// or an Amazon Resource Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user).
SerialNumber *string

// The SourceIdentity which is used to identity a persistent identity through the whole session.
// For more details see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
SourceIdentity *string

// The value provided by the MFA device, if the trust policy of the role being
// assumed requires MFA (that is, if the policy includes a condition that tests
// for MFA). If the role being assumed requires MFA and if the TokenCode value
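
Review bot: The doc comment on the new `SourceIdentity` field has a typo ("used to identity a persistent identity" should read "used to identify") and does not say that the field is optional or what the assumed role has to allow for it to be accepted, whereas the `TokenCode` comment directly below spells out the trust-policy condition for MFA. Suggest rewording along the lines of "The source identity to associate with the assumed role session. It persists through the whole session. Optional." and keeping the documentation link.
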
Expand Down Expand Up @@ -320,6 +323,7 @@ func (p *AssumeRoleProvider) RetrieveWithContext(ctx credentials.Context) (crede
Tags: p.Tags,
PolicyArns: p.PolicyArns,
TransitiveTagKeys: p.TransitiveTagKeys,
SourceIdentity: p.SourceIdentity,
}
if p.Policy != nil {
input.Policy = p.Policy
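
Review bot: No test accompanies the new `SourceIdentity: p.SourceIdentity,` line in `RetrieveWithContext`; the only file shown in this diff is aws/credentials/stscreds/assume_role_provider.go. Please add a case that sets `SourceIdentity` on the provider and asserts that it arrives on the AssumeRole input, plus one that leaves it nil, so the pass-through cannot be dropped silently in a later refactor. The unconditional assignment matches `Tags`, `PolicyArns` and `TransitiveTagKeys` above it, so a nil guard like the one on `Policy` does not look necessary here.
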