Adds support for SourceIdentity to stscreds.AssumeRoleProvider (#…

…1588) Adds support for SourceIdentity to stscreds.AssumeRoleProvider. Fixes #1575
aws · Feb 22, 2022 · aa5938d · aa5938d
1 parent d5c2270
commit aa5938d
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 0 deletions.
diff --git a/.changelog/f443b2e713084bae9c8c8aaf4d94323e.json b/.changelog/f443b2e713084bae9c8c8aaf4d94323e.json
@@ -0,0 +1,8 @@
+{
+    "id": "f443b2e7-1308-4bae-9c8c-8aaf4d94323e",
+    "type": "feature",
+    "description": "Adds support for `SourceIdentity` to `stscreds.AssumeRoleProvider` [#1588](https://github.com/aws/aws-sdk-go-v2/pull/1588). Fixes [#1575](https://github.com/aws/aws-sdk-go-v2/issues/1575)",
+    "modules": [
+        "credentials"
+    ]
+}
diff --git a/credentials/stscreds/assume_role_provider.go b/credentials/stscreds/assume_role_provider.go
@@ -208,6 +208,18 @@ type AssumeRoleOptions struct {
 	// or an Amazon Resource Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user).
 	SerialNumber *string
 
+	// The source identity specified by the principal that is calling the AssumeRole
+	// operation. You can require users to specify a source identity when they assume a
+	// role. You do this by using the sts:SourceIdentity condition key in a role trust
+	// policy. You can use source identity information in CloudTrail logs to determine
+	// who took actions with a role. You can use the aws:SourceIdentity condition key
+	// to further control access to Amazon Web Services resources based on the value of
+	// source identity. For more information about using source identity, see Monitor
+	// and control actions taken with assumed roles
+	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
+	// in the IAM User Guide.
+	SourceIdentity *string
+
 	// Async method of providing MFA token code for assuming an IAM role with MFA.
 	// The value returned by the function will be used as the TokenCode in the Retrieve
 	// call. See StdinTokenProvider for a provider that prompts and reads from stdin.
@@ -266,6 +278,7 @@ func (p *AssumeRoleProvider) Retrieve(ctx context.Context) (aws.Credentials, err
 		RoleArn:           aws.String(p.options.RoleARN),
 		RoleSessionName:   aws.String(p.options.RoleSessionName),
 		ExternalId:        p.options.ExternalID,
+		SourceIdentity:    p.options.SourceIdentity,
 		Tags:              p.options.Tags,
 		TransitiveTagKeys: p.options.TransitiveTagKeys,
 	}

diff --git a/credentials/stscreds/assume_role_provider_test.go b/credentials/stscreds/assume_role_provider_test.go
@@ -145,6 +145,36 @@ func TestAssumeRoleProvider_MFAWithNoToken(t *testing.T) {
 	}
 }
 
+func TestAssumeRoleProvider_WithSourceIdentity(t *testing.T) {
+	const sourceIdentity = "Source-Identity"
+
+	stub := &mockAssumeRole{
+		TestInput: func(in *sts.AssumeRoleInput) {
+			if e, a := sourceIdentity, *in.SourceIdentity; e != a {
+				t.Fatalf("expect %v, got %v", e, a)
+			}
+		},
+	}
+	p := stscreds.NewAssumeRoleProvider(stub, roleARN, func(options *stscreds.AssumeRoleOptions) {
+		options.SourceIdentity = aws.String(sourceIdentity)
+	})
+
+	creds, err := p.Retrieve(context.Background())
+	if err != nil {
+		t.Fatalf("Expect no error, %v", err)
+	}
+
+	if e, a := roleARN, creds.AccessKeyID; e != a {
+		t.Errorf("Expect access key ID to be reflected role ARN")
+	}
+	if e, a := "assumedSecretAccessKey", creds.SecretAccessKey; e != a {
+		t.Errorf("Expect secret access key to match")
+	}
+	if e, a := "assumedSessionToken", creds.SessionToken; e != a {
+		t.Errorf("Expect session token to match")
+	}
+}
+
 func TestAssumeRoleProvider_WithTags(t *testing.T) {
 	stub := &mockAssumeRole{
 		TestInput: func(in *sts.AssumeRoleInput) {