HADOOP-19201 S3A. Support external-id in assume role (#6876)
The option fs.s3a.assumed.role.external.id sets the external ID for calls of AssumeRole to the STS service. Contributed by Smith Cruise
This commit is contained in:
parent
c9e9bce361
commit
c835adb3a8
@ -94,6 +94,11 @@ private Constants() {
|
|||||||
public static final String ASSUMED_ROLE_ARN =
|
public static final String ASSUMED_ROLE_ARN =
|
||||||
"fs.s3a.assumed.role.arn";
|
"fs.s3a.assumed.role.arn";
|
||||||
|
|
||||||
|
/**
|
||||||
|
* external id for assume role request: {@value}.
|
||||||
|
*/
|
||||||
|
public static final String ASSUMED_ROLE_EXTERNAL_ID = "fs.s3a.assumed.role.external.id";
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Session name for the assumed role, must be valid characters according
|
* Session name for the assumed role, must be valid characters according
|
||||||
* to the AWS APIs: {@value}.
|
* to the AWS APIs: {@value}.
|
||||||
|
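Review bot: The new constant declaration is written on a single line and runs past the 80-column limit that the neighbouring constants respect (ASSUMED_ROLE_ARN wraps its string value onto the following line); wrap it the same way so checkstyle stays quiet: `public static final String ASSUMED_ROLE_EXTERNAL_ID =` followed by `    "fs.s3a.assumed.role.external.id";`. The Javadoc could also tell the reader what the value is for and that it is optional, since the constructor treats an empty value as "not set"; something like `* Optional external ID sent on the AssumeRole request; it has to match the ExternalId condition in the role's trust policy, otherwise STS rejects the request: {@value}.` The enclosing Constants class starts and ends outside this hunk.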
@ -125,6 +125,7 @@ public AssumedRoleCredentialProvider(@Nullable URI fsUri, Configuration conf)
|
|||||||
duration = conf.getTimeDuration(ASSUMED_ROLE_SESSION_DURATION,
|
duration = conf.getTimeDuration(ASSUMED_ROLE_SESSION_DURATION,
|
||||||
ASSUMED_ROLE_SESSION_DURATION_DEFAULT, TimeUnit.SECONDS);
|
ASSUMED_ROLE_SESSION_DURATION_DEFAULT, TimeUnit.SECONDS);
|
||||||
String policy = conf.getTrimmed(ASSUMED_ROLE_POLICY, "");
|
String policy = conf.getTrimmed(ASSUMED_ROLE_POLICY, "");
|
||||||
|
String externalId = conf.getTrimmed(ASSUMED_ROLE_EXTERNAL_ID, "");
|
||||||
|
|
||||||
LOG.debug("{}", this);
|
LOG.debug("{}", this);
|
||||||
|
|
||||||
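Review bot: The external ID is read with `getTrimmed` and then used as-is; nothing in the new code checks it against the STS constraints (2 to 1224 characters from letters, digits and `+=,.@:/-`), so a bad value such as a single character or one containing spaces is only discovered when the AssumeRole call fails with an error that does not point at this option. If the constructor already validates `sessionName` against the STS character rules (that code is outside the hunk), applying the same check to `externalId` when it is non-empty would fail fast with the option name in the message. A minimal version is `if (!externalId.isEmpty() && externalId.length() < 2) { throw new IllegalArgumentException("Invalid " + ASSUMED_ROLE_EXTERNAL_ID + ": must be at least 2 characters"); }`. The constructor continues past the end of this hunk.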
@ -132,6 +133,10 @@ public AssumedRoleCredentialProvider(@Nullable URI fsUri, Configuration conf)
|
|||||||
AssumeRoleRequest.builder().roleArn(arn).roleSessionName(sessionName)
|
AssumeRoleRequest.builder().roleArn(arn).roleSessionName(sessionName)
|
||||||
.durationSeconds((int) duration);
|
.durationSeconds((int) duration);
|
||||||
|
|
||||||
|
if (StringUtils.isNotEmpty(externalId)) {
|
||||||
|
requestBuilder.externalId(externalId);
|
||||||
|
}
|
||||||
|
|
||||||
if (StringUtils.isNotEmpty(policy)) {
|
if (StringUtils.isNotEmpty(policy)) {
|
||||||
LOG.debug("Scope down policy {}", policy);
|
LOG.debug("Scope down policy {}", policy);
|
||||||
requestBuilder.policy(policy);
|
requestBuilder.policy(policy);
|
||||||
|
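Review bot: The external ID is attached to the request without any trace in the debug output, while the scope-down policy set two lines below is logged; an AccessDenied from STS caused by an external ID that does not match the role's trust policy is then hard to tell apart from a bad role ARN or policy. Add a parallel line inside the new `if`: `LOG.debug("Setting external ID on AssumeRole request");`. AWS documents the external ID as an identifier rather than a secret, but logging only that one was set keeps the value out of log files for deployments that do treat it as one. The constructor body continues outside this hunk.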
@ -153,6 +153,14 @@ Here are the full set of configuration options.
|
|||||||
</description>
|
</description>
|
||||||
</property>
|
</property>
|
||||||
|
|
||||||
|
<property>
|
||||||
|
<name>fs.s3a.assumed.role.external.id</name>
|
||||||
|
<value>arbitrary value, specific by user in AWS console</value>
|
||||||
|
<description>
|
||||||
|
External id for assumed role, it's an optional configuration. "https://aws.amazon.com/cn/blogs/security/how-to-use-external-id-when-granting-access-to-your-aws-resources/"
|
||||||
|
</description>
|
||||||
|
</property>
|
||||||
|
|
||||||
<property>
|
<property>
|
||||||
<name>fs.s3a.assumed.role.policy</name>
|
<name>fs.s3a.assumed.role.policy</name>
|
||||||
<value/>
|
<value/>
|
||||||
|