-
Change Request
-
Resolution: Unresolved
-
Major
-
None
-
6.0.36, 7.0.6, 7.2.0, 7.4.0alpha1 (master)
-
Support backlog
Currently, when using AssumeRole for authentication, it is necessary to specify AWS.ACCESS.KEY.ID and AWS.SECRET.ACCESS.KEY; some environments do not allow this approach. Since AssumeRole is the recommended method for multi-account access, it needs to be extended to work with "role_base" authentication.
To support this authentication mechanism, only a few places in the JavaScript need to change:
1. Add the following code between the "case 'role_base':" and "case 'assume_role':" blocks:
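// Auth type 'assume_role_role_based': call STS AssumeRole for role_arn, signing the
// request with whatever credentials the 'role_base' setup leaves in AWS.params
// instead of a configured access key pair.
case 'assume_role_role_based':
    ['sts_region', 'role_arn'].forEach(function (field) {
        if (typeof params !== 'object' || typeof params[field] === 'undefined' || params[field] === '') {
            throw 'Required param is not set: "' + field + '".';
        }

        AWS.params[field] = params[field];
    });

    // Reuse the 'role_base' branch of AWS.setParams(); presumably it fills AWS.params
    // with the base credentials and 'Token' - confirm against setParams.
    // Note that this overwrites auth_type on the caller's params object.
    params['auth_type'] = 'role_base';
    AWS.setParams(params);
    AWS.params['auth_type'] = 'assume_role_role_based';
    AWS.params['SessionToken'] = AWS.params['Token'];

    // Declared with var so that these names do not become implicit globals.
    var role_arn_regex = /role\/(.+)$/;
    var role_match = String(AWS.params.role_arn).match(role_arn_regex);

    // Without this guard a value that lacks "role/<name>" fails with a TypeError on [1].
    if (role_match === null) {
        throw 'Param "role_arn" does not contain "role/<name>".';
    }

    // NOTE(review): STS limits RoleSessionName to 2-64 characters of [\w+=,.@-]; a role
    // with a path ("role/path/name") or a long name produces a value STS rejects. The
    // session name is also what identifies this caller in CloudTrail, so confirm the
    // naming before changing it.
    var payload = {
        'Action': 'AssumeRole',
        'Version': '2011-06-15',
        'RoleArn': AWS.params.role_arn,
        'RoleSessionName': role_match[1] + 'Session'
    };

    var credentials = AWS.getField(
        AWS.request('GET', AWS.params.sts_region, 'sts', AWS.prepareParams(payload), ''),
        'AssumeRoleResponse.AssumeRoleResult.Credentials'
    );

    // The temporary credentials are written to AWS.params (SessionToken overwrites the
    // base token set above). They are secrets: keep them out of log output.
    ['AccessKeyId', 'SecretAccessKey', 'SessionToken'].forEach(function (field) {
        if (typeof credentials !== 'object' || typeof credentials[field] === 'undefined' || credentials[field] === '') {
            throw 'Required credentials are not set: "' + field + '".';
        }

        AWS.params[field] = credentials[field];
    });

    break;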
2. Replace the following line:
if (AWS.params.auth_type === 'role_base' || (AWS.params.auth_type === 'assume_role' & !params.includes('AssumeRole'))) {
with
if (AWS.params.auth_type === 'role_base' || AWS.params.auth_type === 'assume_role_role_based' || (AWS.params.auth_type === 'assume_role' & !params.includes('AssumeRole'))) {