Add external_id support for AWS role assumption

sigv4.go

@@ -99,7 +99,15 @@ func NewSigV4RoundTripper(cfg *SigV4Config, next http.RoundTripper) (http.RoundT
 	}
 
 	if cfg.RoleARN != "" {
-		awscfg.Credentials = stscreds.NewAssumeRoleProvider(sts.NewFromConfig(awscfg), cfg.RoleARN)
+		awscfg.Credentials = stscreds.NewAssumeRoleProvider(
+			sts.NewFromConfig(awscfg),
+			cfg.RoleARN,
+			func(o *stscreds.AssumeRoleOptions) {
+				if cfg.ExternalID != "" {
+					o.ExternalID = aws.String(cfg.ExternalID)
+				}
+			},
+		)
 	}
 
 	serviceName := "aps"

sigv4_config.go

@@ -28,6 +28,7 @@ type SigV4Config struct { //nolint:revive
 	SecretKey          config.Secret `yaml:"secret_key,omitempty"`
 	Profile            string        `yaml:"profile,omitempty"`
 	RoleARN            string        `yaml:"role_arn,omitempty"`
+	ExternalID         string        `yaml:"external_id,omitempty"`
 	UseFIPSSTSEndpoint bool          `yaml:"use_fips_sts_endpoint,omitempty"`
 	ServiceName        string        `yaml:"service_name,omitempty"`
 }
@@ -36,6 +37,9 @@ func (c *SigV4Config) Validate() error {
 	if (c.AccessKey == "") != (c.SecretKey == "") {
 		return fmt.Errorf("must provide a AWS SigV4 Access key and Secret Key if credentials are specified in the SigV4 config")
 	}
+	if c.ExternalID != "" && c.RoleARN == "" {
+		return fmt.Errorf("external_id can only be used with role_arn")
+	}
 	return nil
 }
 

sigv4_config_test.go

@@ -49,12 +49,32 @@ func TestGoodSigV4Configs(t *testing.T) {
 }
 
 func TestBadSigV4Config(t *testing.T) {
-	filename := "testdata/sigv4_bad.yaml"
-	_, err := loadSigv4Config(filename)
-	if err == nil {
-		t.Fatalf("Did not receive expected error unmarshaling bad sigv4 config")
+	tc := []struct {
+		name          string
+		filename      string
+		expectedError string
+	}{
+		{
+			name:          "missing secret key",
+			filename:      "testdata/sigv4_bad.yaml",
+			expectedError: "must provide a AWS SigV4 Access key and Secret Key",
+		},
+		{
+			name:          "external_id without role_arn",
+			filename:      "testdata/sigv4_bad_external_id.yaml",
+			expectedError: "external_id can only be used with role_arn",
+		},
 	}
-	if !strings.Contains(err.Error(), "must provide a AWS SigV4 Access key and Secret Key") {
-		t.Errorf("Received unexpected error from unmarshal of %s: %s", filename, err.Error())
+
+	for _, tt := range tc {
+		t.Run(tt.name, func(t *testing.T) {
+			_, err := loadSigv4Config(tt.filename)
+			if err == nil {
+				t.Fatalf("Did not receive expected error unmarshaling bad sigv4 config")
+			}
+			if !strings.Contains(err.Error(), tt.expectedError) {
+				t.Errorf("Received unexpected error from unmarshal of %s: %s", tt.filename, err.Error())
+			}
+		})
 	}
 }

testdata/sigv4_bad_external_id.yaml

@@ -0,0 +1,4 @@
+region: us-east-2
+access_key: AccessKey
+secret_key: SecretKey
+external_id: external123

testdata/sigv4_good.yaml

@@ -3,5 +3,6 @@ access_key: AccessKey
 secret_key: SecretKey
 profile: profile
 role_arn: blah:role/arn
+external_id: external123
 use_fips_sts_endpoint: true
 service_name: test