HADOOP-19201 S3A. Support external-id in assume role (#6876)

The option fs.s3a.assumed.role.external.id sets the external id for calls of AssumeRole to the STS service

Contributed by Smith Cruise
This commit is contained in:
Smith Cruise 2024-09-10 22:38:32 +08:00 committed by GitHub
parent c9e9bce361
commit c835adb3a8
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 18 additions and 0 deletions

View File

@ -94,6 +94,11 @@ private Constants() {
public static final String ASSUMED_ROLE_ARN = public static final String ASSUMED_ROLE_ARN =
"fs.s3a.assumed.role.arn"; "fs.s3a.assumed.role.arn";
/**
* external id for assume role request: {@value}.
*/
public static final String ASSUMED_ROLE_EXTERNAL_ID = "fs.s3a.assumed.role.external.id";
/** /**
* Session name for the assumed role, must be valid characters according * Session name for the assumed role, must be valid characters according
* to the AWS APIs: {@value}. * to the AWS APIs: {@value}.

View File

@ -125,6 +125,7 @@ public AssumedRoleCredentialProvider(@Nullable URI fsUri, Configuration conf)
duration = conf.getTimeDuration(ASSUMED_ROLE_SESSION_DURATION, duration = conf.getTimeDuration(ASSUMED_ROLE_SESSION_DURATION,
ASSUMED_ROLE_SESSION_DURATION_DEFAULT, TimeUnit.SECONDS); ASSUMED_ROLE_SESSION_DURATION_DEFAULT, TimeUnit.SECONDS);
String policy = conf.getTrimmed(ASSUMED_ROLE_POLICY, ""); String policy = conf.getTrimmed(ASSUMED_ROLE_POLICY, "");
String externalId = conf.getTrimmed(ASSUMED_ROLE_EXTERNAL_ID, "");
LOG.debug("{}", this); LOG.debug("{}", this);
@ -132,6 +133,10 @@ public AssumedRoleCredentialProvider(@Nullable URI fsUri, Configuration conf)
AssumeRoleRequest.builder().roleArn(arn).roleSessionName(sessionName) AssumeRoleRequest.builder().roleArn(arn).roleSessionName(sessionName)
.durationSeconds((int) duration); .durationSeconds((int) duration);
if (StringUtils.isNotEmpty(externalId)) {
requestBuilder.externalId(externalId);
}
if (StringUtils.isNotEmpty(policy)) { if (StringUtils.isNotEmpty(policy)) {
LOG.debug("Scope down policy {}", policy); LOG.debug("Scope down policy {}", policy);
requestBuilder.policy(policy); requestBuilder.policy(policy);

View File

@ -153,6 +153,14 @@ Here are the full set of configuration options.
</description> </description>
</property> </property>
<property>
<name>fs.s3a.assumed.role.external.id</name>
<value>arbitrary value, specific by user in AWS console</value>
<description>
External id for assumed role, it's an optional configuration. "https://aws.amazon.com/cn/blogs/security/how-to-use-external-id-when-granting-access-to-your-aws-resources/"
</description>
</property>
<property> <property>
<name>fs.s3a.assumed.role.policy</name> <name>fs.s3a.assumed.role.policy</name>
<value/> <value/>