HADOOP-19201 S3A. Support external-id in assume role (#6876)
The option fs.s3a.assumed.role.external.id sets the external ID sent with AssumeRole calls to the STS service.

Contributed by Smith Cruise
Smith-Cruise authored Sep 10, 2024
1 parent c9e9bce commit c835adb
Showing 3 changed files with 18 additions and 0 deletions.
Expand Up @@ -94,6 +94,11 @@ private Constants() {
public static final String ASSUMED_ROLE_ARN =
"fs.s3a.assumed.role.arn";

/**
* external id for assume role request: {@value}.
*/
public static final String ASSUMED_ROLE_EXTERNAL_ID = "fs.s3a.assumed.role.external.id";

/**
* Session name for the assumed role, must be valid characters according
* to the AWS APIs: {@value}.
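Review bot: The Javadoc on `ASSUMED_ROLE_EXTERNAL_ID` is the only one in this run that starts lowercase, and it does not say that the option is optional or what an empty value means, whereas the neighbouring session-name constant spells out its constraints. Since AssumedRoleCredentialProvider in this same commit reads the key with an empty-string default and only calls `externalId(...)` when the value is non-empty, that default belongs in the constant's documentation rather than only in the provider. Suggested text: `* External ID sent in the AssumeRole request so the role's trust policy can reject confused-deputy callers; optional, and no external ID is sent when unset or empty: {@value}.`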
Expand Up @@ -125,13 +125,18 @@ public AssumedRoleCredentialProvider(@Nullable URI fsUri, Configuration conf)
duration = conf.getTimeDuration(ASSUMED_ROLE_SESSION_DURATION,
ASSUMED_ROLE_SESSION_DURATION_DEFAULT, TimeUnit.SECONDS);
String policy = conf.getTrimmed(ASSUMED_ROLE_POLICY, "");
String externalId = conf.getTrimmed(ASSUMED_ROLE_EXTERNAL_ID, "");

LOG.debug("{}", this);

AssumeRoleRequest.Builder requestBuilder =
AssumeRoleRequest.builder().roleArn(arn).roleSessionName(sessionName)
.durationSeconds((int) duration);

if (StringUtils.isNotEmpty(externalId)) {
requestBuilder.externalId(externalId);
}

if (StringUtils.isNotEmpty(policy)) {
LOG.debug("Scope down policy {}", policy);
requestBuilder.policy(policy);
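Review bot: The new `if (StringUtils.isNotEmpty(externalId))` branch applies the value silently, while the adjacent policy branch logs what it applies, so a mistyped key name leaves the request without an external ID and the first symptom is typically an access-denied response from STS on the initial credential fetch; a `LOG.debug("Assume role request carries an external id");` inside the branch would make that diagnosable without echoing the value. The constructor also does not validate the string, so a malformed id is rejected by STS at request time rather than at provider construction, which is acceptable but worth stating in the option's documentation. The diffstat lists three changed files and none is a test; an integration test that assumes a role whose trust policy requires the external id, once with the option set and once without, would pin this behaviour unless such coverage already exists elsewhere. The constructor starts and ends outside the hunk.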
Expand Up @@ -153,6 +153,14 @@ Here are the full set of configuration options.
</description>
</property>

<property>
<name>fs.s3a.assumed.role.external.id</name>
<value>arbitrary value, specific by user in AWS console</value>
<description>
External id for assumed role, it's an optional configuration. "https://aws.amazon.com/cn/blogs/security/how-to-use-external-id-when-granting-access-to-your-aws-resources/"
</description>
</property>

<property>
<name>fs.s3a.assumed.role.policy</name>
<value/>
