[plugins/aws][fix] Allow assuming role for org scraping (#1702)

someengineering · Jun 30, 2023 · 44f5ae1 · 44f5ae1
1 parent 2bd5057
commit 44f5ae1
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 3 deletions.
diff --git a/plugins/aws/resoto_plugin_aws/__init__.py b/plugins/aws/resoto_plugin_aws/__init__.py
@@ -566,7 +566,10 @@ def get_accounts(core_feedback: CoreFeedback) -> List[AwsAccount]:
 def get_org_accounts(
     filter_current_account: bool, profile: Optional[str], core_feedback: CoreFeedback, partition: Optional[str] = None
 ) -> List[str]:
-    session = aws_session(profile=profile, partition=partition)
+    scrape_org_role_arn = Config.aws.scrape_org_role_arn
+    if scrape_org_role_arn is not None and len(str(scrape_org_role_arn).strip()) == 0:
+        scrape_org_role_arn = None
+    session = aws_session(profile=profile, partition=partition, role_arn=scrape_org_role_arn)
     client = session.client("organizations")
     accounts = []
     try:

diff --git a/plugins/aws/resoto_plugin_aws/configuration.py b/plugins/aws/resoto_plugin_aws/configuration.py
@@ -156,6 +156,13 @@ class AwsConfig:
         metadata={"description": "List of AWS Regions to collect (null for all)"},
     )
     scrape_org: bool = field(default=False, metadata={"description": "Scrape the entire AWS organization"})
+    scrape_org_role_arn: Optional[str] = field(
+        default=None,
+        metadata={
+            "description": "Role ARN to assume when listing AWS org accounts. If set to null Resoto will use the"
+            " default credentials it was started with to call organizations:ListAccounts"
+        },
+    )
     fork_process: bool = field(
         default=True,
         metadata={

diff --git a/plugins/aws/resoto_plugin_aws/utils.py b/plugins/aws/resoto_plugin_aws/utils.py
@@ -45,15 +45,17 @@ def aws_session(
     role: Optional[str] = None,
     profile: Optional[str] = None,
     partition: Optional[str] = None,
+    role_arn: Optional[str] = None,
 ) -> BotoSession:
     if partition is None:
         partition = "aws"
     global_region = global_region_by_partition(partition)
 
     if Config.aws.role_override:
         role = Config.aws.role
-    if role and account:
-        role_arn = f"arn:{partition}:iam::{account}:role/{role}"
+    if (role and account) or role_arn:
+        if role_arn is None:
+            role_arn = f"arn:{partition}:iam::{account}:role/{role}"
         if profile:
             session = BotoSession(
                 profile_name=profile,