
Commit 5635e34

Smith-Cruisesteveloughran
authored andcommitted
HADOOP-19201 S3A. Support external-id in assume role (#6876)
The option fs.s3a.assumed.role.external.id sets the external id for calls of AssumeRole to the STS service. Contributed by Smith Cruise
1 parent 87e4b0a commit 5635e34


3 files changed

+18
-0
lines changed


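--- a/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/Constants.java
+++ b/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/Constants.java
@@ -94,6 +94,11 @@ private Constants() {
 public static final String ASSUMED_ROLE_ARN =
 "fs.s3a.assumed.role.arn";
 
+/**
+* external id for assume role request: {@value}.
+*/
+public static final String ASSUMED_ROLE_EXTERNAL_ID = "fs.s3a.assumed.role.external.id";
+
 /**
 * Session name for the assumed role, must be valid characters according
 * to the AWS APIs: {@value}.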
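Review bot: The Javadoc on `ASSUMED_ROLE_EXTERNAL_ID` does not say that the option is optional or what the value has to match, which is what someone debugging a denied AssumeRole call will look for. I would expand it to something like `Optional external id sent with the AssumeRole request; it must equal the sts:ExternalId condition in the role's trust policy, and when unset no external id is sent: {@value}.` The declaration is also written on one long line while the neighbouring `ASSUMED_ROLE_ARN` wraps its value onto a second line; wrapping it the same way keeps the block consistent.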

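--- a/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/AssumedRoleCredentialProvider.java
+++ b/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/AssumedRoleCredentialProvider.java
@@ -125,13 +125,18 @@ public AssumedRoleCredentialProvider(@Nullable URI fsUri, Configuration conf)
 duration = conf.getTimeDuration(ASSUMED_ROLE_SESSION_DURATION,
 ASSUMED_ROLE_SESSION_DURATION_DEFAULT, TimeUnit.SECONDS);
 String policy = conf.getTrimmed(ASSUMED_ROLE_POLICY, "");
+String externalId = conf.getTrimmed(ASSUMED_ROLE_EXTERNAL_ID, "");
 
 LOG.debug("{}", this);
 
 AssumeRoleRequest.Builder requestBuilder =
 AssumeRoleRequest.builder().roleArn(arn).roleSessionName(sessionName)
 .durationSeconds((int) duration);
 
+if (StringUtils.isNotEmpty(externalId)) {
+requestBuilder.externalId(externalId);
+}
+
 if (StringUtils.isNotEmpty(policy)) {
 LOG.debug("Scope down policy {}", policy);
 requestBuilder.policy(policy);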
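Review bot: The value read into `externalId` reaches `requestBuilder.externalId(externalId)` after only an emptiness check, so a value STS will not accept is reported only once the AssumeRole call is made, not when the provider is built. AWS documents the external id as 2 to 1224 characters drawn from letters, digits, underscore and `+=,.@:/-`; a precondition at this point would turn a typo into a clear configuration error that names `fs.s3a.assumed.role.external.id`. Unlike the policy branch below it, the new branch also logs nothing, so a debug log cannot show whether an external id was applied; `LOG.debug("Using external id for assume role request");` inside the `if` would cover that without printing the value. The constructor starts and ends outside this hunk.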

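--- a/hadoop-tools/hadoop-aws/src/site/markdown/tools/hadoop-aws/assumed_roles.md
+++ b/hadoop-tools/hadoop-aws/src/site/markdown/tools/hadoop-aws/assumed_roles.md
@@ -153,6 +153,14 @@ Here are the full set of configuration options.
 </description>
 </property>
 
+<property>
+<name>fs.s3a.assumed.role.external.id</name>
+<value>arbitrary value, specific by user in AWS console</value>
+<description>
+External id for assumed role, it's an optional configuration. "https://aws.amazon.com/cn/blogs/security/how-to-use-external-id-when-granting-access-to-your-aws-resources/"
+</description>
+</property>
+
 <property>
 <name>fs.s3a.assumed.role.policy</name>
 <value/>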
