diff --git a/.changelog/f443b2e713084bae9c8c8aaf4d94323e.json b/.changelog/f443b2e713084bae9c8c8aaf4d94323e.json new file mode 100644 index 00000000000..78f2392dd36 --- /dev/null +++ b/.changelog/f443b2e713084bae9c8c8aaf4d94323e.json @@ -0,0 +1,8 @@ +{ + "id": "f443b2e7-1308-4bae-9c8c-8aaf4d94323e", + "type": "feature", + "description": "Adds support for `SourceIdentity` to `stscreds.AssumeRoleProvider` [#1588](https://github.com/aws/aws-sdk-go-v2/pull/1588). Fixes [#1575](https://github.com/aws/aws-sdk-go-v2/issues/1575)", + "modules": [ + "credentials" + ] +} \ No newline at end of file diff --git a/credentials/stscreds/assume_role_provider.go b/credentials/stscreds/assume_role_provider.go index 3cafa4811b5..f8c1ae6acba 100644 --- a/credentials/stscreds/assume_role_provider.go +++ b/credentials/stscreds/assume_role_provider.go @@ -208,6 +208,18 @@ type AssumeRoleOptions struct { // or an Amazon Resource Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user). SerialNumber *string + // The source identity specified by the principal that is calling the AssumeRole + // operation. You can require users to specify a source identity when they assume a + // role. You do this by using the sts:SourceIdentity condition key in a role trust + // policy. You can use source identity information in CloudTrail logs to determine + // who took actions with a role. You can use the aws:SourceIdentity condition key + // to further control access to Amazon Web Services resources based on the value of + // source identity. For more information about using source identity, see Monitor + // and control actions taken with assumed roles + // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html) + // in the IAM User Guide. + SourceIdentity *string + // Async method of providing MFA token code for assuming an IAM role with MFA. // The value returned by the function will be used as the TokenCode in the Retrieve // call. See StdinTokenProvider for a provider that prompts and reads from stdin. @@ -266,6 +278,7 @@ func (p *AssumeRoleProvider) Retrieve(ctx context.Context) (aws.Credentials, err RoleArn: aws.String(p.options.RoleARN), RoleSessionName: aws.String(p.options.RoleSessionName), ExternalId: p.options.ExternalID, + SourceIdentity: p.options.SourceIdentity, Tags: p.options.Tags, TransitiveTagKeys: p.options.TransitiveTagKeys, } diff --git a/credentials/stscreds/assume_role_provider_test.go b/credentials/stscreds/assume_role_provider_test.go index 0cf9739ebd6..142a4cfb8fd 100644 --- a/credentials/stscreds/assume_role_provider_test.go +++ b/credentials/stscreds/assume_role_provider_test.go @@ -145,6 +145,36 @@ func TestAssumeRoleProvider_MFAWithNoToken(t *testing.T) { } } +func TestAssumeRoleProvider_WithSourceIdentity(t *testing.T) { + const sourceIdentity = "Source-Identity" + + stub := &mockAssumeRole{ + TestInput: func(in *sts.AssumeRoleInput) { + if e, a := sourceIdentity, *in.SourceIdentity; e != a { + t.Fatalf("expect %v, got %v", e, a) + } + }, + } + p := stscreds.NewAssumeRoleProvider(stub, roleARN, func(options *stscreds.AssumeRoleOptions) { + options.SourceIdentity = aws.String(sourceIdentity) + }) + + creds, err := p.Retrieve(context.Background()) + if err != nil { + t.Fatalf("Expect no error, %v", err) + } + + if e, a := roleARN, creds.AccessKeyID; e != a { + t.Errorf("Expect access key ID to be reflected role ARN") + } + if e, a := "assumedSecretAccessKey", creds.SecretAccessKey; e != a { + t.Errorf("Expect secret access key to match") + } + if e, a := "assumedSessionToken", creds.SessionToken; e != a { + t.Errorf("Expect session token to match") + } +} + func TestAssumeRoleProvider_WithTags(t *testing.T) { stub := &mockAssumeRole{ TestInput: func(in *sts.AssumeRoleInput) {