route53: pass ExternalID property to STS:AssumeRole API operation (#1918)

2023-05-26 22:26:40 +02:00 · 2023-05-26 22:26:40 +02:00 · 8d8a3c1ccd
commit 8d8a3c1ccd
parent 9bd5890c40
2 changed files with 10 additions and 2 deletions
--- a/providers/dns/route53/route53.go
+++ b/providers/dns/route53/route53.go
@ -30,6 +30,7 @@ const (
 	EnvHostedZoneID    = envNamespace + "HOSTED_ZONE_ID"
 	EnvMaxRetries      = envNamespace + "MAX_RETRIES"
 	EnvAssumeRoleArn   = envNamespace + "ASSUME_ROLE_ARN"
+	EnvExternalID      = envNamespace + "EXTERNAL_ID"

 	EnvTTL                = envNamespace + "TTL"
 	EnvPropagationTimeout = envNamespace + "PROPAGATION_TIMEOUT"
@ -48,6 +49,7 @@ type Config struct {
 	HostedZoneID  string
 	MaxRetries    int
 	AssumeRoleArn string
+	ExternalID    string

 	TTL                int
 	PropagationTimeout time.Duration
@ -62,6 +64,7 @@ func NewDefaultConfig() *Config {
 		HostedZoneID:  env.GetOrFile(EnvHostedZoneID),
 		MaxRetries:    env.GetOrDefaultInt(EnvMaxRetries, 5),
 		AssumeRoleArn: env.GetOrDefaultString(EnvAssumeRoleArn, ""),
+		ExternalID:    env.GetOrDefaultString(EnvExternalID, ""),

 		TTL:                env.GetOrDefaultInt(EnvTTL, 10),
 		PropagationTimeout: env.GetOrDefaultSecond(EnvPropagationTimeout, 2*time.Minute),
@ -337,8 +340,12 @@ func createSession(config *Config) (*session.Session, error) {
 	}

 	return session.NewSession(&aws.Config{
-		Region:      sess.Config.Region,
-		Credentials: stscreds.NewCredentials(sess, config.AssumeRoleArn),
+		Region: sess.Config.Region,
+		Credentials: stscreds.NewCredentials(sess, config.AssumeRoleArn, func(arp *stscreds.AssumeRoleProvider) {
+			if config.ExternalID != "" {
+				arp.ExternalID = &config.ExternalID
+			}
+		}),
 	})
 }

--- a/providers/dns/route53/route53.toml
+++ b/providers/dns/route53/route53.toml
@ -130,6 +130,7 @@ Replace `Z11111112222222333333` with your hosted zone ID and `example.com` with
    AWS_PROFILE = "Managed by the AWS client (`AWS_PROFILE_FILE` is not supported)"
    AWS_SDK_LOAD_CONFIG = "Managed by the AWS client. Retrieve the region from the CLI config file (`AWS_SDK_LOAD_CONFIG_FILE` is not supported)"
    AWS_ASSUME_ROLE_ARN = "Managed by the AWS Role ARN (`AWS_ASSUME_ROLE_ARN_FILE` is not supported)"
+    AWS_EXTERNAL_ID = "Managed by STS AssumeRole API operation (`AWS_EXTERNAL_ID_FILE` is not supported)"
  [Configuration.Additional]
    AWS_SHARED_CREDENTIALS_FILE = "Managed by the AWS client. Shared credentials file."
    AWS_MAX_RETRIES = "The number of maximum returns the service will use to make an individual API request"