From c835adb3a8d3106493c5b10240593a9693683e5b Mon Sep 17 00:00:00 2001
From: Smith Cruise
Date: Tue, 10 Sep 2024 22:38:32 +0800
Subject: [PATCH] HADOOP-19201 S3A. Support external-id in assume role (#6876)

The option fs.s3a.assumed.role.external.id sets the external id for calls of AssumeRole to the STS service

Contributed by Smith Cruise
---
 .../src/main/java/org/apache/hadoop/fs/s3a/Constants.java | 5 +++++
 .../hadoop/fs/s3a/auth/AssumedRoleCredentialProvider.java | 5 +++++
 .../src/site/markdown/tools/hadoop-aws/assumed_roles.md | 8 ++++++++
 3 files changed, 18 insertions(+)

diff --git a/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/Constants.java b/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/Constants.java
index 078ffaa471aeb..6bf4b736518e1 100644
--- a/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/Constants.java
+++ b/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/Constants.java
@@ -94,6 +94,11 @@ private Constants() {
 public static final String ASSUMED_ROLE_ARN = "fs.s3a.assumed.role.arn";
+ /**
+ * external id for assume role request: {@value}.
+ */
+ public static final String ASSUMED_ROLE_EXTERNAL_ID = "fs.s3a.assumed.role.external.id";
+
 /**
 * Session name for the assumed role, must be valid characters according
 * to the AWS APIs: {@value}.
diff --git a/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/AssumedRoleCredentialProvider.java b/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/AssumedRoleCredentialProvider.java
index c2ac8fe4c8197..ce20684feca83 100644
--- a/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/AssumedRoleCredentialProvider.java
+++ b/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/AssumedRoleCredentialProvider.java
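Review bot: The Javadoc added for `ASSUMED_ROLE_EXTERNAL_ID` reads only `external id for assume role request`, which does not tell a reader that the option is optional or what happens when it is unset; the provider change in this same patch sends the value only when it is non-empty. Suggest `Optional external ID sent on the AssumeRole request; when unset or empty no external ID is sent: {@value}.`, which also matches the capitalised sentence style of the neighbouring session-name Javadoc. A second sentence noting that the value must match the `sts:ExternalId` condition in the target role's trust policy would help operators understand why a mismatch shows up as an STS access denial rather than a local error.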
@@ -125,6 +125,7 @@ public AssumedRoleCredentialProvider(@Nullable URI fsUri, Configuration conf)
 duration = conf.getTimeDuration(ASSUMED_ROLE_SESSION_DURATION, ASSUMED_ROLE_SESSION_DURATION_DEFAULT, TimeUnit.SECONDS);
 String policy = conf.getTrimmed(ASSUMED_ROLE_POLICY, "");
+ String externalId = conf.getTrimmed(ASSUMED_ROLE_EXTERNAL_ID, "");
 LOG.debug("{}", this);
@@ -132,6 +133,10 @@ public AssumedRoleCredentialProvider(@Nullable URI fsUri, Configuration conf)
 AssumeRoleRequest.builder().roleArn(arn).roleSessionName(sessionName) .durationSeconds((int) duration);
+ if (StringUtils.isNotEmpty(externalId)) {
+ requestBuilder.externalId(externalId);
+ }
+
 if (StringUtils.isNotEmpty(policy)) {
 LOG.debug("Scope down policy {}", policy);
 requestBuilder.policy(policy);
diff --git a/hadoop-tools/hadoop-aws/src/site/markdown/tools/hadoop-aws/assumed_roles.md b/hadoop-tools/hadoop-aws/src/site/markdown/tools/hadoop-aws/assumed_roles.md
index 065a757f21704..ba1bc4b362c47 100644
--- a/hadoop-tools/hadoop-aws/src/site/markdown/tools/hadoop-aws/assumed_roles.md
+++ b/hadoop-tools/hadoop-aws/src/site/markdown/tools/hadoop-aws/assumed_roles.md
@@ -153,6 +153,14 @@ Here are the full set of configuration options.
+ + fs.s3a.assumed.role.external.id + arbitrary value, specific by user in AWS console + + External id for assumed role, it's an optional configuration. "https://aws.amazon.com/cn/blogs/security/how-to-use-external-id-when-granting-access-to-your-aws-resources/" + + + fs.s3a.assumed.role.policy
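Review bot: The new `externalId` branch in the second hunk is silent while the sibling `policy` branch directly below it logs at debug, so an external ID that was set but not applied (for example trimmed to empty by `getTrimmed`) can only be diagnosed from an STS access-denied failure later. Suggest a debug line that records presence without the value, `LOG.debug("Using external ID for AssumeRole request");`, since the external ID is the value the role's trust policy compares against and has no business in log output. The `getTrimmed` plus `isNotEmpty` combination also means a whitespace-only setting is quietly treated as unset rather than rejected, which is defensible but deserves a one-line comment on the guard. The enclosing constructor starts before the first hunk and continues past the end of the second.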