
Could not authenticate with assumed target role #225

Open
shiresky opened this issue Apr 4, 2021 · 0 comments

shiresky commented Apr 4, 2021

Describe the bug
I installed the aws-servicebroker chart v1.0.2 on an EKS cluster, overriding the aws.targetrolename setting with a role name that has permissions sufficient for the broker to function:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::<bucket name>/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dynamodb:PutItem",
                "dynamodb:GetItem",
                "dynamodb:DeleteItem"
            ],
            "Resource": "arn:aws:dynamodb:<region>:<account id>:table/<table name>",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ssm:GetParameter",
                "ssm:GetParameters"
            ],
            "Resource": [
                "arn:aws:ssm:<region>:<account id>:parameter/asb-*",
                "arn:aws:ssm:<region>:<account id>:parameter/Asb*"
            ],
            "Effect": "Allow"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ssm:PutParameter",
                "ssm:GetParameter",
                "ssm:GetParameters"
            ],
            "Resource": [
                "arn:aws:ssm:<region>:<account id>:parameter/asb-*",
                "arn:aws:ssm:<region>:<account id>:parameter/Asb*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<bucket name>/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackEvents",
                "cloudformation:UpdateStack",
                "cloudformation:CancelUpdateStack"
            ],
            "Resource": "arn:aws:cloudformation:<region>:<account id>:stack/aws-service-broker-*/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "athena:*",
                "dynamodb:*",
                "kms:*",
                "elasticache:*",
                "elasticmapreduce:*",
                "kinesis:*",
                "rds:*",
                "redshift:*",
                "route53:*",
                "s3:*",
                "sns:*",
                "sns:*",
                "sqs:*",
                "ec2:*",
                "iam:*",
                "lambda:*",
                "codecommit:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

The EC2 instance role where the broker is scheduled allows assuming the target role (sts:AssumeRole).
Despite that, the broker was not able to read templates from the bucket.
I added s3 permissions to the EC2 instance role, and after that there was an error message about lack of permissions to write data into dynamodb.
I added dynamodb permissions to the EC2 instance role, and after that the broker came up.
It looks like the broker ignores the aws.targetrolename setting. It is also visible in the logs:

I0402 05:53:06.278954       1 util.go:195] Did not find 'aws_access_key' and 'aws_secret_key' in params, using default chain.
I0402 05:53:06.279039       1 aws_sdk.go:71] Parameter 'target_role_name' not set. Not assuming role.
I0402 05:53:06.279103       1 util.go:195] Did not find 'aws_access_key' and 'aws_secret_key' in params, using default chain.
I0402 05:53:06.279130       1 aws_sdk.go:71] Parameter 'target_role_name' not set. Not assuming role.
I0402 05:53:06.754827       1 awsbroker.go:36] Running as caller identity '{
  Account: "<account id>",
  Arn: "arn:aws:sts::<account id>:assumed-role/<EC2 instance role>/<EC2 instance id>",
  UserId: "<id>"
}'.
I0402 05:53:06.754932       1 util.go:91] "awsservicebroker_all_all_all_region"="<region>"
I0402 05:53:06.754940       1 util.go:91] "awsservicebroker_all_all_all_VpcId"="<vpc id>"
I0402 05:53:06.754947       1 util.go:91] "awsservicebroker_all_all_all_target_role_name"="<target role>"
I0402 05:53:06.754967       1 awsbroker.go:174] Listing objects bucket: <bucket> region: <region> prefix: <dir>
I0402 05:53:06.826370       1 awsbroker.go:193] Found 1b objects

If I understand the broker code correctly, it works this way because of this line:

sess := awssess(o.KeyID, o.SecretKey, o.Region, "", o.Profile, map[string]string{})

There is a hardcoded empty parameters map passed into the function that creates a session (and produces the "Parameter 'target_role_name' not set. Not assuming role." message).

I think it is a bug, but if I am misunderstanding how to configure the broker, please correct me :)

To Reproduce

  • create roles as described above
  • configure the ec2 instance role without s3 and dynamodb permissions
  • install the aws-servicebroker chart overriding aws.targetrolename

Expected behavior
The broker uses the role defined via the aws.targetrolename parameter for reading templates from the s3 bucket and saving data in dynamodb, instead of the ec2 instance role.

Environment (please complete the following information):

  • Application Platform: EKS
  • Application Platform Version: v1.19.6-eks-49a6c0
  • Broker Version: 1.0.2
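A quick way to confirm from the broker's startup log which identity it actually runs with, added here as an example and not part of the original report or of the aws-servicebroker project: it compares the configured target role with the role in the logged caller identity ARN and flags the case this issue describes. The sample log lines are constructed from the report with made-up account, role and instance ids.

```python
import re

# Constructed sample: the broker startup log from the report, with the
# placeholders replaced by made-up identifiers (not real AWS values).
SAMPLE_LOG = """\
I0402 05:53:06.279039       1 aws_sdk.go:71] Parameter 'target_role_name' not set. Not assuming role.
I0402 05:53:06.754827       1 awsbroker.go:36] Running as caller identity '{
  Account: "123456789012",
  Arn: "arn:aws:sts::123456789012:assumed-role/eks-node-instance-role/i-0abc123",
  UserId: "AROAEXAMPLEID:i-0abc123"
}'.
I0402 05:53:06.754947       1 util.go:91] "awsservicebroker_all_all_all_target_role_name"="asb-target-role"
"""

# Constructed sample of what a healthy start would look like: no "Not assuming
# role" line, and the caller identity carries the configured target role.
FIXED_LOG = """\
I0402 05:53:06.754827       1 awsbroker.go:36] Running as caller identity '{
  Account: "123456789012",
  Arn: "arn:aws:sts::123456789012:assumed-role/asb-target-role/aws-servicebroker",
  UserId: "AROAEXAMPLEID2:aws-servicebroker"
}'.
I0402 05:53:06.754947       1 util.go:91] "awsservicebroker_all_all_all_target_role_name"="asb-target-role"
"""

NOT_ASSUMING = "Parameter 'target_role_name' not set. Not assuming role."
# Role name is the segment between "assumed-role/" and the session name.
ARN_RE = re.compile(r'Arn:\s*"arn:aws:sts::(\d+):assumed-role/([^/"]+)/')
CONFIGURED_RE = re.compile(r'"awsservicebroker_all_all_all_target_role_name"="([^"]*)"')


def check_effective_identity(log: str) -> dict:
    """Report whether the configured target role is the one the broker runs as.

    status is "no_target_role_configured", "assumed" (identity matches the
    configured role) or "ignored" (a target role is configured but the caller
    identity is a different role, or the broker logged that it is not assuming).
    """
    configured = CONFIGURED_RE.search(log)
    arn = ARN_RE.search(log)
    configured_role = configured.group(1) if configured else None
    effective_role = arn.group(2) if arn else None
    not_assuming = NOT_ASSUMING in log
    if not configured_role:
        status = "no_target_role_configured"
    elif effective_role == configured_role and not not_assuming:
        status = "assumed"
    else:
        status = "ignored"
    return {"configured_role": configured_role, "effective_role": effective_role,
            "not_assuming_logged": not_assuming, "status": status}
```

Run it against a real broker log to see whether the caller identity is the instance role or the target role; the `"ignored"` status is the symptom reported above.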