Unverified Commit d37ac94a authored by Mohamed Khaled's avatar Mohamed Khaled Committed by GitHub
Browse files

Allow user to set `policy` and `policy_arns` in... 

Allow user to set `policy` and `policy_arns` in `WebIdentityTokenCredentialsProvider` builder (#3506)

Related PR: https://github.com/smithy-lang/smithy-rs/pull/1892/



## Motivation and Context
This change allows users to define inline IAM policies and/or set
predefined policies (using their ARNs) with
`WebIdentityTokenCredentialsProvider`

## Description
Adds `policy` and `policy_arns` to `WebIdentityTokenCredentialsProvider`
builder.

## Testing

## Checklist
<!--- If a checkbox below is not applicable, then please DELETE it
rather than leaving it unchecked -->
- [x] I have updated `CHANGELOG.next.toml` if I made changes to the
smithy-rs codegen or runtime crates
- [x] I have updated `CHANGELOG.next.toml` if I made changes to the AWS
SDK, generated SDK code, or SDK runtime crates

----

_By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice._

---------

Co-authored-by: default avatarysaito1001 <awsaito@amazon.com>
parent 88405d63

CHANGELOG.next.toml

+6 −0
Original line number Diff line number Diff line
@@ -11,6 +11,12 @@ 
# meta = { "breaking" = false, "tada" = false, "bug" = false, "target" = "client | server | all"}

# author = "rcoh"



[[aws-sdk-rust]]

message = "Ability to add an inline policy or a list of policy ARNs to the `WebIdentityTokenCredentialsProvider` builder."

references = ["smithy-rs#3506"]

meta = { "breaking" = false, "tada" = true, "bug" = false }

author = "mokhaled2992"



[[aws-sdk-rust]]

message = "Make `BehaviorVersion` be future-proof by disallowing it to be constructed via the `BehaviorVersion {}` syntax."

references = ["aws-sdk-rust#1111", "smithy-rs#3513"]

aws/rust-runtime/aws-config/src/web_identity_token.rs

+39 −1
Original line number Diff line number Diff line
@@ -64,10 +64,11 @@ 
use crate::provider_config::ProviderConfig;

use crate::sts;

use aws_credential_types::provider::{self, error::CredentialsError, future, ProvideCredentials};

use aws_sdk_sts::Client as StsClient;

use aws_sdk_sts::{types::PolicyDescriptorType, Client as StsClient};

use aws_smithy_async::time::SharedTimeSource;

use aws_smithy_types::error::display::DisplayErrorContext;

use aws_types::os_shim_internal::{Env, Fs};



use std::borrow::Cow;

use std::path::{Path, PathBuf};
@@ -84,6 +85,8 @@ pub struct WebIdentityTokenCredentialsProvider { 
    time_source: SharedTimeSource,

    fs: Fs,

    sts_client: StsClient,

    policy: Option<String>,

    policy_arns: Option<Vec<PolicyDescriptorType>>,

}



impl WebIdentityTokenCredentialsProvider {
@@ -150,6 +153,8 @@ impl WebIdentityTokenCredentialsProvider { 
        load_credentials(

            &self.fs,

            &self.sts_client,

            self.policy.clone(),

            self.policy_arns.clone(),

            &conf.web_identity_token_file,

            &conf.role_arn,

            &conf.session_name,
@@ -163,6 +168,8 @@ impl WebIdentityTokenCredentialsProvider { 
pub struct Builder {

    source: Option<Source>,

    config: Option<ProviderConfig>,

    policy: Option<String>,

    policy_arns: Option<Vec<PolicyDescriptorType>>,

}



impl Builder {
@@ -193,6 +200,31 @@ impl Builder { 
        self

    }



    /// Set an IAM policy in JSON format that you want to use as an inline session policy.

    ///

    /// This parameter is optional

    /// For more information, see

    /// [policy](aws_sdk_sts::operation::assume_role::builders::AssumeRoleInputBuilder::policy_arns)

    pub fn policy(mut self, policy: impl Into<String>) -> Self {

        self.policy = Some(policy.into());

        self

    }



    /// Set the Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as managed session policies.

    ///

    /// This parameter is optional.

    /// For more information, see

    /// [policy_arns](aws_sdk_sts::operation::assume_role::builders::AssumeRoleInputBuilder::policy_arns)

    pub fn policy_arns(mut self, policy_arns: Vec<String>) -> Self {

        self.policy_arns = Some(

            policy_arns

                .into_iter()

                .map(|arn| PolicyDescriptorType::builder().arn(arn).build())

                .collect::<Vec<_>>(),

        );

        self

    }



    /// Build a [`WebIdentityTokenCredentialsProvider`]

    ///

    /// ## Panics
@@ -206,6 +238,8 @@ impl Builder { 
            fs: conf.fs(),

            sts_client: StsClient::new(&conf.client_config()),

            time_source: conf.time_source(),

            policy: self.policy,

            policy_arns: self.policy_arns,

        }

    }

}
@@ -213,6 +247,8 @@ impl Builder { 
async fn load_credentials(

    fs: &Fs,

    sts_client: &StsClient,

    policy: Option<String>,

    policy_arns: Option<Vec<PolicyDescriptorType>>,

    token_file: impl AsRef<Path>,

    role_arn: &str,

    session_name: &str,
@@ -228,6 +264,8 @@ async fn load_credentials( 
    let resp = sts_client.assume_role_with_web_identity()

        .role_arn(role_arn)

        .role_session_name(session_name)

        .set_policy(policy)

        .set_policy_arns(policy_arns)

        .web_identity_token(token)

        .send()

        .await