logstash-plugins · cabberley · Jul 27, 2020 · Jul 27, 2020 · Jul 27, 2020 · Jul 27, 2020
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,11 @@
+## Unreleased
+  - Added new functionality to enable using external_id Attribute option for AWS AssumeRole V2 #46
+  - Update aws-sdk dependency to '~ 2.11'
+  - Update aws-SDK to '~> 2.11'
+  - Changed logic to enable AssumeRole to work when not on AWS ec2 and when config provides access key and secret #44
+  - Incorporated HTTP_Proxy attribute as well from branch #41 
+  - Added HTTP_Proxy option for Assume Role V2 #40
+
 ## 4.3.0
   - Drop strict value validation for region option #36
   - Add endpoint option to customize the endpoint uri #32

diff --git a/lib/logstash/plugin_mixins/aws_config/generic.rb b/lib/logstash/plugin_mixins/aws_config/generic.rb
@@ -33,6 +33,9 @@ def generic_aws_config
     # This is used to generate temporary credentials typically for cross-account access.
     # See https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html for more information.
     config :role_arn, :validate => :string
+
+    #external id to use when assuming an IAM role
+    config :external_id, :validate => :string
 
     # Session name to use when assuming an IAM role
     config :role_session_name, :validate => :string, :default => "logstash"

diff --git a/lib/logstash/plugin_mixins/aws_config/v2.rb b/lib/logstash/plugin_mixins/aws_config/v2.rb
@@ -37,32 +37,41 @@ def aws_options_hash
   private
   def credentials
     @creds ||= begin
-                 if @access_key_id && @secret_access_key
-                   credentials_opts = {
-                     :access_key_id => @access_key_id,
-                     :secret_access_key => @secret_access_key.value
-                   }
-
-                   credentials_opts[:session_token] = @session_token.value if @session_token
-                   Aws::Credentials.new(credentials_opts[:access_key_id],
+                  if @role_arn && @role_session_name && @access_key_id && @secret_access_key
+                    #assume_role providing all IAM for cross account in conf
+                    Aws::AssumeRoleCredentials.new(
+                      :client => Aws::STS::Client.new(access_key_id: @access_key_id, secret_access_key: @secret_access_key.value, region: @region, http_proxy: @proxy_uri),
+                      :role_arn => @role_arn,
+                      :role_session_name => @role_session_name,
+                      :external_id => @external_id)
+                  elsif @role_arn && @role_session_name
+                     #assume_role providing only ARN in conf and using AWS credential as per SDK search order
+                     Aws::AssumeRoleCredentials.new(
+                      :client => Aws::STS::Client.new( region: @region),
+                      :role_arn => @role_arn,
+                      :role_session_name => @role_session_name,
+                      :external_id => @external_id)
+                  elsif @access_key_id && @secret_access_key
+                    #straight IAM from conf file
+                    credentials_opts = {
+                      :access_key_id => @access_key_id,
+                      :secret_access_key => @secret_access_key.value
+                      }
+                    if @session_token
+                      credentials_opts[:session_token] = @session_token.value 
+                    end
+                    Aws::Credentials.new(credentials_opts[:access_key_id],
                                         credentials_opts[:secret_access_key],
                                         credentials_opts[:session_token])
-                 elsif @aws_credentials_file
-                   credentials_opts = YAML.load_file(@aws_credentials_file)
-                   Aws::Credentials.new(credentials_opts[:access_key_id],
+                  elsif @aws_credentials_file
+                    #load IAM details from file
+                    credentials_opts = YAML.load_file(@aws_credentials_file)
+                    Aws::Credentials.new(credentials_opts[:access_key_id],
                                         credentials_opts[:secret_access_key],
                                         credentials_opts[:session_token])
-                 elsif @role_arn
-                   assume_role
-                 end
-               end
-  end
-
-  def assume_role
-    Aws::AssumeRoleCredentials.new(
-      :client => Aws::STS::Client.new(:region => @region),
-      :role_arn => @role_arn,
-      :role_session_name => @role_session_name
-    )
+                  end
+
+                end
   end
+
 end
diff --git a/logstash-mixin-aws.gemspec b/logstash-mixin-aws.gemspec
@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name            = 'logstash-mixin-aws'
-  s.version         = '4.3.0'
+  s.version         = '4.4.0'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "AWS mixins to provide a unified interface for Amazon Webservice"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
@@ -19,7 +19,7 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
   s.add_runtime_dependency 'logstash-codec-plain'
   s.add_runtime_dependency 'aws-sdk-v1', '>= 1.61.0'
-  s.add_runtime_dependency 'aws-sdk', '~> 2'
+  s.add_runtime_dependency 'aws-sdk', '~> 2.11'
   s.add_development_dependency 'logstash-devutils'
   s.add_development_dependency 'timecop'
 end

diff --git a/spec/plugin_mixin/aws_config_spec.rb b/spec/plugin_mixin/aws_config_spec.rb
@@ -1,4 +1,8 @@
 # encoding: utf-8
+#$LOAD_PATH.unshift(File.expand_path(File.join(__FILE__, "..","..","..","lib" )))
+#require "bootstrap/environment"
+#Gem.use_paths(LogStash::Environment.logstash_gem_home)
+
 require "logstash/devutils/rspec/spec_helper"
 require "logstash/plugin_mixins/aws_config"
 require 'aws-sdk'
@@ -41,9 +45,9 @@ def aws_service_endpoint(region)
 
     context 'inline' do
       context 'temporary credential' do
-        let(:settings) { { 'access_key_id' => '1234', 'secret_access_key' => 'secret', 'session_token' => 'session_token' } }
+        let(:settings) { { 'access_key_id' => '1234', 'secret_access_key' => 'secret', 'session_token' => 'session_token'} }
 
-        it "should support passing as key, value, and session_token" do
+        it "should support passing as key, value and session_token" do
           expect(subject[:access_key_id]).to eq(settings["access_key_id"])
           expect(subject[:secret_access_key]).to_not eq(settings["secret_access_key"])
           expect(subject[:secret_access_key].value).to eq(settings["secret_access_key"])
@@ -138,7 +142,7 @@ def aws_service_endpoint(region)
       end
 
       context 'role arn is provided' do
-        let(:settings) { { 'role_arn' => 'arn:aws:iam::012345678910:role/foo', 'region' => 'us-west-2' } }
+        let(:settings) { { 'role_arn' => 'arn:aws:iam::012345678910:role/foo', 'region' => 'us-west-2','external_id' => 'external_id'  } }
         let(:sts_double) { instance_double(Aws::STS::Client) }
         let(:now) { Time.now }
         let(:expiration) { Time.at(now.to_i + 3600) }