aws/session: Add Assume role for credential process from aws profile

aws/session/credentials.go

@@ -64,11 +64,15 @@ func resolveCredsFromProfile(cfg *aws.Config,
 		), nil
 
 	} else if len(sharedCfg.CredentialProcess) > 0 {
-		// Credential Process credentials from Shared Config/Credentials file.
-		return processcreds.NewCredentials(
-			sharedCfg.CredentialProcess,
-		), nil
-
+		//Get credentials from CredentialProcess
+		cred := processcreds.NewCredentials(sharedCfg.CredentialProcess)
+		//if RoleARN is provided, so the obtained cred from the Credential Process to assume the role using RoleARN
+		if len(sharedCfg.AssumeRole.RoleARN) > 0 {
+			cfgCp := *cfg
+			cfgCp.Credentials = cred
+			return credsFromAssumeRole(cfgCp, handlers, sharedCfg, sessOpts)
+		}
+		return cred, nil
 	} else if envCfg.EnableSharedConfig && len(sharedCfg.AssumeRole.CredentialSource) > 0 {
 		// Assume IAM Role with specific credential source.
 		return resolveCredsFromSource(cfg, envCfg, sharedCfg, handlers, sessOpts)

aws/session/credentials_test.go

@@ -51,7 +51,7 @@ func setupCredentialsEndpoints(t *testing.T) (endpoints.Resolver, func()) {
 			w.Write([]byte(fmt.Sprintf(
 				assumeRoleRespMsg,
 				time.Now().
-					Add(15*time.Minute).
+					Add(15 * time.Minute).
 					Format("2006-01-02T15:04:05Z"))))
 		}))
 
@@ -145,12 +145,37 @@ func TestSharedConfigCredentialSource(t *testing.T) {
 				"assume_role_w_creds_role_arn_ec2",
 			},
 		},
+		{
+			name:              "credential process with no ARN set",
+			profile:           "cred_proc_no_arn_set",
+			expectedAccessKey: "accesskey",
+			expectedSecretKey: "secretkey",
+		},
+		{
+			name:              "credential process with ARN set",
+			profile:           "cred_proc_arn_set",
+			expectedAccessKey: "AKID",
+			expectedSecretKey: "SECRET",
+			expectedChain: [] string{
+				"assume_role_w_creds_proc_role_arn",
+			},
+		},
+		{
+			name:              "chained assume role with credential process",
+			profile:           "chained_cred_proc",
+			expectedAccessKey: "AKID",
+			expectedSecretKey: "SECRET",
+			expectedChain: [] string{
+				"assume_role_w_creds_proc_source_prof",
+			},
+		},
 	}
 
 	for i, c := range cases {
 		t.Run(fmt.Sprintf("%d %s", i, c.name),
 			func(t *testing.T) {
-				env := awstesting.StashEnv()
+				//Pass in arguments to retain certain environment variable values.
+				env := awstesting.StashEnv("PATH", "ComSpec", "SYSTEM32")
 				defer awstesting.PopEnv(env)
 
 				os.Setenv("AWS_REGION", "us-east-1")
@@ -262,7 +287,7 @@ func TestSessionAssumeRole(t *testing.T) {
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Write([]byte(fmt.Sprintf(
 			assumeRoleRespMsg,
-			time.Now().Add(15*time.Minute).Format("2006-01-02T15:04:05Z"))))
+			time.Now().Add(15 * time.Minute).Format("2006-01-02T15:04:05Z"))))
 	}))
 
 	s, err := NewSession(&aws.Config{
@@ -310,7 +335,7 @@ func TestSessionAssumeRole_WithMFA(t *testing.T) {
 
 		w.Write([]byte(fmt.Sprintf(
 			assumeRoleRespMsg,
-			time.Now().Add(15*time.Minute).Format("2006-01-02T15:04:05Z"))))
+			time.Now().Add(15 * time.Minute).Format("2006-01-02T15:04:05Z"))))
 	}))
 
 	customProviderCalled := false
@@ -440,7 +465,7 @@ func TestSessionAssumeRole_ExtendedDuration(t *testing.T) {
 
 		w.Write([]byte(fmt.Sprintf(
 			assumeRoleRespMsg,
-			time.Now().Add(15*time.Minute).Format("2006-01-02T15:04:05Z"))))
+			time.Now().Add(15 * time.Minute).Format("2006-01-02T15:04:05Z"))))
 	}))
 
 	s, err := NewSessionWithOptions(Options{
@@ -493,7 +518,7 @@ func TestSessionAssumeRole_WithMFA_ExtendedDuration(t *testing.T) {
 
 		w.Write([]byte(fmt.Sprintf(
 			assumeRoleRespMsg,
-			time.Now().Add(30*time.Minute).Format("2006-01-02T15:04:05Z"))))
+			time.Now().Add(30 * time.Minute).Format("2006-01-02T15:04:05Z"))))
 	}))
 
 	customProviderCalled := false
@@ -536,4 +561,4 @@ func TestSessionAssumeRole_WithMFA_ExtendedDuration(t *testing.T) {
 	if e, a := "AssumeRoleProvider", creds.ProviderName; !strings.Contains(a, e) {
 		t.Errorf("expect %v, to contain %v", e, a)
 	}
-}
+}

aws/session/shared_config.go

@@ -167,7 +167,8 @@ func (cfg *sharedConfig) setAssumeRoleSource(origProfile string, files []sharedC
 	}
 
 	if cfg.AssumeRole.SourceProfile == origProfile || len(assumeRoleSrc.AssumeRole.SourceProfile) == 0 {
-		if len(assumeRoleSrc.AssumeRole.CredentialSource) == 0 && len(assumeRoleSrc.Creds.AccessKeyID) == 0 {
+		//Check if at least either Credential Source, static creds, or credential process is set to retain credentials.
+		if len(assumeRoleSrc.AssumeRole.CredentialSource) == 0 && len(assumeRoleSrc.Creds.AccessKeyID) == 0 && len(assumeRoleSrc.CredentialProcess) == 0{
 			return SharedConfigAssumeRoleError{RoleARN: cfg.AssumeRole.RoleARN}
 		}
 	}
@@ -226,7 +227,9 @@ func (cfg *sharedConfig) setFromIniFile(profile string, file sharedConfigFile) e
 	roleArn := section.String(roleArnKey)
 	srcProfile := section.String(sourceProfileKey)
 	credentialSource := section.String(credentialSourceKey)
-	hasSource := len(srcProfile) > 0 || len(credentialSource) > 0
+	credentialProcess := section.String(credentialProcessKey)
+	//Has source to make sure the Assume Role has at least either srcProfile, credential Source, or credential Process.
+	hasSource := len(srcProfile) > 0 || len(credentialSource) > 0 || len(credentialProcess) >0
 	if len(roleArn) > 0 && hasSource {
 		cfg.AssumeRole = assumeRoleConfig{
 			RoleARN:          roleArn,

aws/session/testdata/credential_source_config

@@ -18,3 +18,16 @@ credential_source = EcsContainer
 [chained_assume_role]
 role_arn = assume_role_w_creds_role_arn_chain
 source_profile = ec2metadata
+
+[cred_proc_no_arn_set]
+credential_process = echo "{\"Version\": 1, \"AccessKeyId\": \"accesskey\", \"SecretAccessKey\": \"secretkey\"}"
+
+[cred_proc_arn_set]
+role_arn = assume_role_w_creds_proc_role_arn
+credential_process = echo "{\"Version\": 1, \"AccessKeyId\": \"accesskey\", \"SecretAccessKey\": \"secretkey\"}"
+
+[chained_cred_proc]
+role_arn = assume_role_w_creds_proc_source_prof
+source_profile = cred_proc_no_arn_set
+
+

awstesting/util.go

@@ -95,13 +95,30 @@ func (c *FakeContext) Value(key interface{}) interface{} {
 	return nil
 }
 
-// StashEnv stashes the current environment variables and returns an array of
-// all environment values as key=val strings.
-func StashEnv() []string {
-	env := os.Environ()
-	os.Clearenv()
+// StashEnv stashes the current environment variables except variables listed in envToKeep
+// Returns an array of all environment values as key=val strings.
+func StashEnv(envToKeep ...string) []string {
+
+	extraEnv := getEnvs(envToKeep)
+
+	originalEnv := os.Environ()
+	os.Clearenv() //clear env
+
+	for key, val := range extraEnv {
+		os.Setenv(key, val)
+	}
 
-	return env
+	return originalEnv
+}
+
+func getEnvs(envs []string) map[string]string {
+	extraEnvs := make(map[string]string)
+	for _, env := range envs {
+		if val, ok := os.LookupEnv(env); ok && len(val) > 0 {
+			extraEnvs[env] = val
+		}
+	}
+	return extraEnvs
 }
 
 // PopEnv takes the list of the environment values and injects them into the