Merge pull request #129 from drone-plugins/ci-9188

adds externalID mapping for assume role
drone-plugins · Aug 30, 2023 · fe9d75b · fe9d75b
2 parents 41e5a19 + e3d8407
commit fe9d75b
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 5 deletions.
diff --git a/main.go b/main.go
@@ -132,6 +132,11 @@ func main() {
 			Name:  "env-file",
 			Usage: "source env file",
 		},
+		cli.StringFlag{
+			Name:   "external-id",
+			Usage:  "external ID to use when assuming role",
+			EnvVar: "PLUGIN_EXTERNAL_ID",
+		},
 	}
 
 	if err := app.Run(os.Args); err != nil {
@@ -165,6 +170,7 @@ func run(c *cli.Context) error {
 		StorageClass:          c.String("storage-class"),
 		PathStyle:             c.Bool("path-style"),
 		DryRun:                c.Bool("dry-run"),
+		ExternalID:            c.String("external-id"),
 	}
 
 	return plugin.Exec()

diff --git a/plugin.go b/plugin.go
@@ -90,6 +90,9 @@ type Plugin struct {
 	PathStyle bool
 	// Dry run without uploading/
 	DryRun bool
+
+	// set externalID for assume role
+	ExternalID string
 }
 
 // Exec runs the plugin
@@ -108,7 +111,7 @@ func (p *Plugin) Exec() error {
 	if p.Key != "" && p.Secret != "" {
 		conf.Credentials = credentials.NewStaticCredentials(p.Key, p.Secret, "")
 	} else if p.AssumeRole != "" {
-		conf.Credentials = assumeRole(p.AssumeRole, p.AssumeRoleSessionName)
+		conf.Credentials = assumeRole(p.AssumeRole, p.AssumeRoleSessionName, p.ExternalID)
 	} else {
 		log.Warn("AWS Key and/or Secret not provided (falling back to ec2 instance profile)")
 	}
@@ -287,7 +290,7 @@ func matchExtension(match string, stringMap map[string]string) string {
 	return ""
 }
 
-func assumeRole(roleArn, roleSessionName string) *credentials.Credentials {
+func assumeRole(roleArn, roleSessionName, externalID string) *credentials.Credentials {
 	sess, _ := session.NewSession()
 	client := sts.New(sess)
 	duration := time.Hour * 1
@@ -298,6 +301,10 @@ func assumeRole(roleArn, roleSessionName string) *credentials.Credentials {
 		RoleSessionName: roleSessionName,
 	}
 
+	if externalID != "" {
+		stsProvider.ExternalID = &externalID
+	}
+
 	return credentials.NewCredentials(stsProvider)
 }
 
@@ -318,17 +325,17 @@ func isDir(source string, matches []string) bool {
 	if err != nil {
 		return true // should never happen
 	}
-	if (stat.IsDir()) {
+	if stat.IsDir() {
 		count := 0
 		for _, match := range matches {
 			if strings.HasPrefix(match, source) {
-				count++;
+				count++
 			}
 		}
 		if count <= 1 {
 			log.Warnf("Skipping '%s' since it is a directory. Please use correct glob expression if this is unexpected.", source)
 		}
-		return true;
+		return true
 	}
 	return false
 }