aaronland · thisisaaronland · Jan 25, 2024 · Jan 23, 2024 · Jan 23, 2024 · Jan 23, 2024
diff --git a/README.md b/README.md
@@ -36,6 +36,8 @@ Usage of ./bin/aws-cognito-credentials:
     	A valid AWS IAM role ARN to assign to STS credentials.
   -role-session-name string
     	An identifier for the assumed role session.
+  -session-policy value
+    	Zero or more IAM ARNs to use as session policies to supplement the default role ARN.	
 ```
 
 For example:

diff --git a/cmd/aws-cognito-credentials/main.go b/cmd/aws-cognito-credentials/main.go
@@ -22,15 +22,17 @@ func main() {
 	var duration int
 
 	var kv_logins multi.KeyValueString
-
+	var session_policies multi.MultiString
+
 	flag.StringVar(&aws_config_uri, "aws-config-uri", "", "A valid github.com/aaronland/go-aws-auth.Config URI.")
 
 	flag.StringVar(&identity_pool_id, "identity-pool-id", "", "A valid AWS Cognito Identity Pool ID.")
 	flag.StringVar(&role_arn, "role-arn", "", "A valid AWS IAM role ARN to assign to STS credentials.")
 	flag.StringVar(&role_session_name, "role-session-name", "", "An identifier for the assumed role session.")
 	flag.IntVar(&duration, "duration", 900, "The duration, in seconds, of the role session. Can not be less than 900.") // Note: Can not be less than 900
 	flag.Var(&kv_logins, "login", "One or more key=value strings mapping to AWS Cognito authentication providers.")
-
+	flag.Var(&session_policies, "session-policy", "Zero or more IAM ARNs to use as session policies to supplement the default role ARN.")
+
 	flag.Parse()
 
 	ctx := context.Background()
@@ -53,6 +55,7 @@ func main() {
 		Duration:        int32(duration),
 		IdentityPoolId:  identity_pool_id,
 		Logins:          logins,
+		Policies: session_policies,
 	}
 
 	creds, err := auth.STSCredentialsForDeveloperIdentity(ctx, cfg, opts)

diff --git a/cognito.go b/cognito.go
@@ -22,6 +22,8 @@ type STSCredentialsForDeveloperIdentityOptions struct {
 	RoleSessionName string
 	// The duration, in seconds, of the role session.
 	Duration int32
+	// An optional list of Amazon Resource Names (ARNs)  that you want to use as managed session policies.
+	Policies []string
 }
 
 // STSCredentialsForDeveloperIdentity generate temporary STS (AWS) credentials for a developer identity.
@@ -52,6 +54,25 @@ func STSCredentialsForDeveloperIdentity(ctx context.Context, aws_cfg aws.Config,
 		DurationSeconds:  aws.Int32(opts.Duration),
 	}
 
+	// https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/sts#AssumeRoleWithWebIdentityInput
+	// https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+
+	if len(opts.Policies) > 0 {
+
+		session_policies := make([]types.PolicyDescriptorType, len(opts.Policies))
+
+		for idx, arn := range opts.Policies {
+
+			session_policies[idx] = types.PolicyDescriptorType{
+				Arn: aws.String(arn),
+			}
+		}
+
+		creds_opts.PolicyArns = session_policies
+	}
+
+	// https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+
 	creds_rsp, err := sts_client.AssumeRoleWithWebIdentity(ctx, creds_opts)
 
 	if err != nil {