diff --git a/providers/dns/route53/route53.go b/providers/dns/route53/route53.go index df504cbd..3a69b2ef 100644 --- a/providers/dns/route53/route53.go +++ b/providers/dns/route53/route53.go @@ -30,6 +30,7 @@ const ( EnvHostedZoneID = envNamespace + "HOSTED_ZONE_ID" EnvMaxRetries = envNamespace + "MAX_RETRIES" EnvAssumeRoleArn = envNamespace + "ASSUME_ROLE_ARN" + EnvExternalID = envNamespace + "EXTERNAL_ID" EnvTTL = envNamespace + "TTL" EnvPropagationTimeout = envNamespace + "PROPAGATION_TIMEOUT" @@ -48,6 +49,7 @@ type Config struct { HostedZoneID string MaxRetries int AssumeRoleArn string + ExternalID string TTL int PropagationTimeout time.Duration @@ -62,6 +64,7 @@ func NewDefaultConfig() *Config { HostedZoneID: env.GetOrFile(EnvHostedZoneID), MaxRetries: env.GetOrDefaultInt(EnvMaxRetries, 5), AssumeRoleArn: env.GetOrDefaultString(EnvAssumeRoleArn, ""), + ExternalID: env.GetOrDefaultString(EnvExternalID, ""), TTL: env.GetOrDefaultInt(EnvTTL, 10), PropagationTimeout: env.GetOrDefaultSecond(EnvPropagationTimeout, 2*time.Minute), @@ -337,8 +340,12 @@ func createSession(config *Config) (*session.Session, error) { } return session.NewSession(&aws.Config{ - Region: sess.Config.Region, - Credentials: stscreds.NewCredentials(sess, config.AssumeRoleArn), + Region: sess.Config.Region, + Credentials: stscreds.NewCredentials(sess, config.AssumeRoleArn, func(arp *stscreds.AssumeRoleProvider) { + if config.ExternalID != "" { + arp.ExternalID = &config.ExternalID + } + }), }) } diff --git a/providers/dns/route53/route53.toml b/providers/dns/route53/route53.toml index 388551ac..07e10d9c 100644 --- a/providers/dns/route53/route53.toml +++ b/providers/dns/route53/route53.toml @@ -130,6 +130,7 @@ Replace `Z11111112222222333333` with your hosted zone ID and `example.com` with AWS_PROFILE = "Managed by the AWS client (`AWS_PROFILE_FILE` is not supported)" AWS_SDK_LOAD_CONFIG = "Managed by the AWS client. Retrieve the region from the CLI config file (`AWS_SDK_LOAD_CONFIG_FILE` is not supported)" AWS_ASSUME_ROLE_ARN = "Managed by the AWS Role ARN (`AWS_ASSUME_ROLE_ARN_FILE` is not supported)" + AWS_EXTERNAL_ID = "Managed by STS AssumeRole API operation (`AWS_EXTERNAL_ID_FILE` is not supported)" [Configuration.Additional] AWS_SHARED_CREDENTIALS_FILE = "Managed by the AWS client. Shared credentials file." AWS_MAX_RETRIES = "The number of maximum returns the service will use to make an individual API request"