wip f: additional attribute source_identity for assume_role

[wlami]

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Relates #22128

This PR requires an update of aws-sdk-go-base to version v2.0.0-beta.17 which contains hashicorp/aws-sdk-go-base#87 (not yet released)
For now you can build this PR by overriding the dependency locally in your go.mod file:

replace github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.16 => github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.16.0.20220606220519-b7ca15e1d8ef

Prerequisites

You need to set env variables for the acceptance test:

$ export TF_ACC=1
$ export TF_ACC_ASSUME_ROLE_ARN=arn:aws:iam::<your-account>:role/<target-role>
$ export TF_ACC_ASSUME_ROLE_SOURCE_IDENTITY=<your-source-identity>

To use the source_identity attribute in your configuration you have to adapt your IAM policies. See AWS Documentation for an in depth explanation. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html

Short version: In your AWS Accounts you need to setup a source principal and a target role to assume. The source principal must have permission for sts:SetSourceIdentity.

Example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::<target-account>:role/<target-role>"
        },
        {
            "Sid": "SetSourceIdentity",
            "Effect": "Allow",
            "Action": "sts:SetSourceIdentity",
            "Resource": "arn:aws:iam::<target-account>:role/<target-role>",
            "Condition": {
                "StringLike": {
                    "sts:SourceIdentity": "<your-source-identity>"
                }
            }
        }
    ]
}

The role to assume has to have a trust policy that allows sts:SetSourceIdentity like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<source-account>:role/<source-role>"
            },
            "Action": [
                "sts:AssumeRole",
                "sts:SetSourceIdentity"
            ]
        }
    ]
}

Output from acceptance testing:

$ make testacc TESTS=TestAccProvider_AssumeRole_withSourceIdentity PKG=../acctest                                                                                                                                
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/../acctest/... -v -count 1 -parallel 20 -run='TestAccProvider_AssumeRole_withSourceIdentity'  -timeout 180m
=== RUN   TestAccProvider_AssumeRole_withSourceIdentity
=== PAUSE TestAccProvider_AssumeRole_withSourceIdentity
=== CONT  TestAccProvider_AssumeRole_withSourceIdentity
--- PASS: TestAccProvider_AssumeRole_withSourceIdentity (26.11s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/acctest    29.434s


...

[github-actions]

Welcome @wlami 👋

It looks like this is your first Pull Request submission to the Terraform AWS Provider! If you haven’t already done so please make sure you have checked out our CONTRIBUTING guide and FAQ to make sure your contribution is adhering to best practice and has all the necessary elements in place for a successful approval.

Also take a look at our FAQ which details how we prioritize Pull Requests for inclusion.

Thanks again, and welcome to the community! 😃

[gdavison]

Thanks for the PR, @wlami. I've removed the source_identity from assume_role_with_web_identity block since it isn't supported there. 🚀

[github-actions]

This functionality has been released in v4.29.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.