diff --git a/.buildkite/pipeline.yml b/.buildkite/pipeline.yml
index 10c0308..b1e10b3 100644
--- a/.buildkite/pipeline.yml
+++ b/.buildkite/pipeline.yml
@@ -8,7 +8,7 @@ steps:
 - label: ":shell: Lint"
 plugins:
 plugin-linter#v2.0.0:
- id: cultureamp/aws-assume-role
+ id: topsport-com-au/aws-assume-role
 - label: ":shell: Tests"
 plugins:
diff --git a/README.md b/README.md
index 475bf2a..08cd41c 100644
--- a/README.md
+++ b/README.md
@@ -45,6 +45,10 @@ The duration (in seconds) to assume the role for. Defaults to 3600 (1 hour).
 Exports `AWS_REGION` and `AWS_DEFAULT_REGION` with the value you set. If not set the values of AWS_REGION and AWS_DEFAULT_REGION will not be changed.
+### `external_id` (optional)
+
+Unique identifier possibly required for assuming a role in another account.
+
 Development
 -----------
diff --git a/hooks/pre-command b/hooks/pre-command
index 5482f58..dc786eb 100755
--- a/hooks/pre-command
+++ b/hooks/pre-command
@@ -8,10 +8,11 @@ main() {
 local build="${BUILDKITE_BUILD_NUMBER:-}"
 local duration="${BUILDKITE_PLUGIN_AWS_ASSUME_ROLE_DURATION:-3600}"
 local region="${BUILDKITE_PLUGIN_AWS_ASSUME_ROLE_REGION:-""}"
+ local external_id="${BUILDKITE_PLUGIN_AWS_ASSUME_ROLE_EXTERNAL_ID:-""}"
 if [[ -n $role && -n $build ]]; then
 echo "~~~ Assuming IAM role $role ..."
- local exports; exports="$(assume_role_credentials "$role" "$build" "$duration" | credentials_json_to_shell_exports)"
+ local exports; exports="$(assume_role_credentials "$role" "$build" "$duration" "$external_id" | credentials_json_to_shell_exports)"
 eval "$exports"
 echo "Exported session credentials:"
@@ -43,11 +44,21 @@ assume_role_credentials() {
 local role="$1"
 local build="$2"
 local duration="$3"
- aws sts assume-role \
- --role-arn "$role" \
- --role-session-name "aws-assume-role-buildkite-plugin-${build}" \
- --duration-seconds "$duration" \
+ local external_id="$4"
+
+ params=(
+ --role-arn "$role"
+ --role-session-name "aws-assume-role-buildkite-plugin-${build}"
+ --duration-seconds "$duration"
 --query Credentials
+ )
+
+ if [[ -n $external_id ]]; then
+ params+=(--external-id "${external_id}")
+ fi
+
+ aws sts assume-role ${params[@]}
+
 }
 # Convert credentials JSON to shell export statements using standard CLI tools
diff --git a/plugin.yml b/plugin.yml
index 70ef408..e416474 100644
--- a/plugin.yml
+++ b/plugin.yml
@@ -11,6 +11,8 @@ configuration:
 type: string
 region:
 type: string
+ external_id:
+ type: string
 required:
 - role
 additionalProperties: false
diff --git a/tests/pre-command.bats b/tests/pre-command.bats
index 2140ac6..dd59822 100644
--- a/tests/pre-command.bats
+++ b/tests/pre-command.bats
@@ -59,6 +59,24 @@ EOF
 unstub aws
 }
+@test "calls aws sts with an external_id" {
+ export BUILDKITE_BUILD_NUMBER="42"
+ export BUILDKITE_PLUGIN_AWS_ASSUME_ROLE_ROLE="role123"
+ export BUILDKITE_PLUGIN_AWS_ASSUME_ROLE_EXTERNAL_ID="some-id"
+
+ stub aws "sts assume-role --role-arn role123 --role-session-name aws-assume-role-buildkite-plugin-42 --duration-seconds 3600 --query Credentials --external-id some-id : cat tests/sts.json"
+
+ run $PWD/hooks/pre-command
+ assert_output --partial "~~~ Assuming IAM role role123 ..."
+ assert_output --partial "Exported session credentials"
+ assert_output --partial "AWS_ACCESS_KEY_ID=baz"
+ assert_output --partial "AWS_SECRET_ACCESS_KEY=(3 chars)"
+ assert_output --partial "AWS_SESSION_TOKEN=(3 chars)"
+
+ assert_success
+ unstub aws
+}
+
 @test "passes in a custom region" {
 export BUILDKITE_BUILD_NUMBER="42"
 export BUILDKITE_PLUGIN_AWS_ASSUME_ROLE_ROLE="role123"
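Review bot: `aws sts assume-role ${params[@]}` expands the array unquoted, so every element goes through word splitting and pathname expansion; the role ARN, the session name and the external id all pass through this line, and a value containing whitespace or glob characters would be split into extra arguments or matched against files in the working directory instead of being passed as a single `--external-id` argument. The array is also not declared `local`, so `params` is left behind as a global in the hook's shell after the function returns. The two lines to change are `local -a params=(` and `aws sts assume-role "${params[@]}"`. The new bats test stubs the call with the value `some-id`, which cannot detect the missing quotes, so a regression case with a value containing a space or `*` would be worth adding there. The added blank line just before the closing `}` looks like a leftover of the edit.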