Adds support for passing external-id to aws sts.

.buildkite/pipeline.yml

@@ -8,7 +8,7 @@ steps:
   - label: ":shell: Lint"
     plugins:
       plugin-linter#v2.0.0:
-        id: cultureamp/aws-assume-role
+        id: topsport-com-au/aws-assume-role
 
   - label: ":shell: Tests"
     plugins:

README.md

@@ -45,6 +45,10 @@ The duration (in seconds) to assume the role for. Defaults to 3600 (1 hour).
 
 Exports `AWS_REGION` and `AWS_DEFAULT_REGION` with the value you set. If not set the values of AWS_REGION and AWS_DEFAULT_REGION will not be changed.
 
+### `external_id` (optional)
+
+Unique identifier possibly required for assuming a role in another account.
+
 Development
 -----------
 

hooks/pre-command

@@ -8,10 +8,11 @@ main() {
   local build="${BUILDKITE_BUILD_NUMBER:-}"
   local duration="${BUILDKITE_PLUGIN_AWS_ASSUME_ROLE_DURATION:-3600}"
   local region="${BUILDKITE_PLUGIN_AWS_ASSUME_ROLE_REGION:-""}"
+  local external_id="${BUILDKITE_PLUGIN_AWS_ASSUME_ROLE_EXTERNAL_ID:-""}"
 
   if [[ -n $role && -n $build ]]; then
     echo "~~~ Assuming IAM role $role ..."
-    local exports; exports="$(assume_role_credentials "$role" "$build" "$duration" | credentials_json_to_shell_exports)"
+    local exports; exports="$(assume_role_credentials "$role" "$build" "$duration" "$external_id" | credentials_json_to_shell_exports)"
     eval "$exports"
 
     echo "Exported session credentials:"
@@ -43,11 +44,21 @@ assume_role_credentials() {
   local role="$1"
   local build="$2"
   local duration="$3"
-  aws sts assume-role \
-    --role-arn "$role" \
-    --role-session-name "aws-assume-role-buildkite-plugin-${build}" \
-    --duration-seconds "$duration" \
+  local external_id="$4"
+
+  params=(
+    --role-arn "$role"
+    --role-session-name "aws-assume-role-buildkite-plugin-${build}"
+    --duration-seconds "$duration"
     --query Credentials
+  )
+
+  if [[ -n $external_id ]]; then
+    params+=(--external-id "${external_id}")
+  fi
+
+  aws sts assume-role ${params[@]}
+
 }
 
 # Convert credentials JSON to shell export statements using standard CLI tools

plugin.yml

@@ -11,6 +11,8 @@ configuration:
       type: string
     region:
       type: string
+    external_id:
+      type: string
   required:
     - role
   additionalProperties: false

tests/pre-command.bats

@@ -59,6 +59,24 @@ EOF
   unstub aws
 }
 
+@test "calls aws sts with an external_id" {
+  export BUILDKITE_BUILD_NUMBER="42"
+  export BUILDKITE_PLUGIN_AWS_ASSUME_ROLE_ROLE="role123"
+  export BUILDKITE_PLUGIN_AWS_ASSUME_ROLE_EXTERNAL_ID="some-id"
+
+  stub aws "sts assume-role --role-arn role123 --role-session-name aws-assume-role-buildkite-plugin-42 --duration-seconds 3600 --query Credentials --external-id some-id : cat tests/sts.json"
+
+  run $PWD/hooks/pre-command
+  assert_output --partial "~~~ Assuming IAM role role123 ..."
+  assert_output --partial "Exported session credentials"
+  assert_output --partial "AWS_ACCESS_KEY_ID=baz"
+  assert_output --partial "AWS_SECRET_ACCESS_KEY=(3 chars)"
+  assert_output --partial "AWS_SESSION_TOKEN=(3 chars)"
+
+  assert_success
+  unstub aws
+}
+
 @test "passes in a custom region" {
   export BUILDKITE_BUILD_NUMBER="42"
   export BUILDKITE_PLUGIN_AWS_ASSUME_ROLE_ROLE="role123"