add account id to supproted identity providers

sbiscigl · sbiscigl · commit 112315f7876a · 2025-02-07T10:37:52.000-05:00
diff --git a/src/aws-cpp-sdk-core/include/aws/core/auth/AWSCredentials.h b/src/aws-cpp-sdk-core/include/aws/core/auth/AWSCredentials.h
@@ -54,6 +54,20 @@ namespace Aws
             {
             }
 
+            /**
+             * Initializes object with accessKeyId, secretKey, sessionToken, expiration date and account Id.
+             */
+            AWSCredentials(const Aws::String& accessKeyId,
+                           const Aws::String& secretKey,
+                           const Aws::String& sessionToken,
+                           Aws::Utils::DateTime expiration,
+                           const Aws::String& accountId)
+                : m_accessKeyId(accessKeyId),
+                  m_secretKey(secretKey),
+                  m_sessionToken(sessionToken),
+                  m_expiration(expiration),
+                  m_accountId(accountId) {}
+
             bool operator == (const AWSCredentials& other) const
             {
                 return m_accessKeyId  == other.m_accessKeyId
@@ -109,6 +123,14 @@ namespace Aws
                 return m_expiration;
             }
 
+            /**
+             * Gets the underlying account id
+             */
+            inline const Aws::String GetAccountId() const
+            {
+              return m_accountId;
+            }
+
             /**
              * Sets the underlying access key credential. Copies from parameter accessKeyId.
              */
@@ -133,6 +155,14 @@ namespace Aws
                 m_sessionToken = sessionToken;
             }
 
+            /**
+             * Sets the underlying account id. Copies from parameter accountId
+             */
+            inline void SetAccountId(const Aws::String& accountId)
+            {
+                m_accountId = accountId;
+            }
+
 
             /**
              * Sets the underlying access key credential. Copies from parameter accessKeyId.
@@ -158,6 +188,14 @@ namespace Aws
                 m_sessionToken = sessionToken;
             }
 
+            /**
+             * Sets the underlying account id. Copies from parameter accountId
+             */
+            inline void SetExpiration(const char* accountId)
+            {
+                m_accountId = accountId;
+            }
+
             /**
              * Sets the expiration date of the credential
              */
@@ -171,6 +209,7 @@ namespace Aws
             Aws::String m_secretKey;
             Aws::String m_sessionToken;
             Aws::Utils::DateTime m_expiration;
+            Aws::String m_accountId;
         };
     }
 }
diff --git a/src/aws-cpp-sdk-core/include/smithy/identity/identity/AwsCredentialIdentity.h b/src/aws-cpp-sdk-core/include/smithy/identity/identity/AwsCredentialIdentity.h
@@ -12,20 +12,26 @@ namespace smithy {
         AwsCredentialIdentity(const Aws::String& accessKeyId,
                               const Aws::String& secretAccessKey,
                               const Aws::Crt::Optional<Aws::String>& sessionToken,
-                              const Aws::Crt::Optional<AwsIdentity::DateTime>& expiration)
-            : m_accessKeyId(accessKeyId), m_secretAccessKey(secretAccessKey),
-              m_sessionToken(sessionToken), m_expiration(expiration) {}
+                              const Aws::Crt::Optional<AwsIdentity::DateTime>& expiration,
+                              const Aws::Crt::Optional<Aws::String>& accountId)
+            : m_accessKeyId(accessKeyId),
+              m_secretAccessKey(secretAccessKey),
+              m_sessionToken(sessionToken),
+              m_expiration(expiration),
+              m_accountId({accountId}) {}
 
         Aws::String accessKeyId() const override;
         Aws::String secretAccessKey() const override;
         Aws::Crt::Optional<Aws::String> sessionToken() const override;
         Aws::Crt::Optional<AwsIdentity::DateTime> expiration() const override;
+        Aws::Crt::Optional<Aws::String> accountId() const override;
 
     protected:
         Aws::String m_accessKeyId;
         Aws::String m_secretAccessKey;
         Aws::Crt::Optional<Aws::String> m_sessionToken;
         Aws::Crt::Optional<AwsIdentity::DateTime> m_expiration;
+        Aws::Crt::Optional<Aws::String> m_accountId;
     };
 }
 
diff --git a/src/aws-cpp-sdk-core/include/smithy/identity/identity/AwsIdentity.h b/src/aws-cpp-sdk-core/include/smithy/identity/identity/AwsIdentity.h
@@ -17,5 +17,9 @@ namespace smithy {
         virtual Aws::Crt::Optional<DateTime> expiration() const {
             return Aws::Crt::Optional<DateTime>();
         };
+
+        virtual Aws::Crt::Optional<Aws::String> accountId() const {
+            return Aws::Crt::Optional<Aws::String>{};
+        }
     };
 }
diff --git a/src/aws-cpp-sdk-core/include/smithy/identity/identity/impl/AwsCredentialIdentityImpl.h b/src/aws-cpp-sdk-core/include/smithy/identity/identity/impl/AwsCredentialIdentityImpl.h
@@ -23,4 +23,8 @@ namespace smithy {
     inline Aws::Crt::Optional<AwsIdentity::DateTime> AwsCredentialIdentity::expiration() const {
         return m_expiration;
     }
+
+    inline Aws::Crt::Optional<Aws::String> AwsCredentialIdentity::accountId() const {
+        return m_sessionToken;
+    }
 }
diff --git a/src/aws-cpp-sdk-core/include/smithy/identity/resolver/built-in/AwsCredentialsProviderIdentityResolver.h b/src/aws-cpp-sdk-core/include/smithy/identity/resolver/built-in/AwsCredentialsProviderIdentityResolver.h
@@ -35,9 +35,12 @@ namespace smithy
 
             const auto fetchedCreds = m_credentialsProvider->GetAWSCredentials();
 
-            auto smithyCreds = Aws::MakeUnique<AwsCredentialIdentity>("DefaultAwsCredentialIdentityResolver",
-                                                                     fetchedCreds.GetAWSAccessKeyId(), fetchedCreds.GetAWSSecretKey(),
-                                                                     fetchedCreds.GetSessionToken(), fetchedCreds.GetExpiration());
+            auto smithyCreds = Aws::MakeUnique<AwsCredentialIdentity>("AwsCredentialsProviderIdentityResolver",
+              fetchedCreds.GetAWSAccessKeyId(),
+              fetchedCreds.GetAWSSecretKey(),
+              fetchedCreds.GetSessionToken(),
+              fetchedCreds.GetExpiration(),
+              fetchedCreds.GetAccountId());
 
             return {std::move(smithyCreds)};
         }
diff --git a/src/aws-cpp-sdk-core/include/smithy/identity/resolver/built-in/DefaultAwsCredentialIdentityResolver.h b/src/aws-cpp-sdk-core/include/smithy/identity/resolver/built-in/DefaultAwsCredentialIdentityResolver.h
@@ -49,7 +49,8 @@ namespace smithy {
                                                                      legacyCreds.GetAWSAccessKeyId(), 
                                                                      legacyCreds.GetAWSSecretKey(),
                                                                      legacyCreds.GetSessionToken().empty()? Aws::Crt::Optional<Aws::String>() : legacyCreds.GetSessionToken(),
-                                                                     legacyCreds.GetExpiration());
+                                                                     legacyCreds.GetExpiration(),
+                                                                     legacyCreds.GetAccountId().empty()? Aws::Crt::Optional<Aws::String>() : legacyCreds.GetSessionToken());
 
             return ResolveIdentityFutureOutcome(std::move(smithyCreds));
         }
diff --git a/src/aws-cpp-sdk-core/include/smithy/identity/resolver/built-in/SimpleAwsCredentialIdentityResolver.h b/src/aws-cpp-sdk-core/include/smithy/identity/resolver/built-in/SimpleAwsCredentialIdentityResolver.h
@@ -33,9 +33,12 @@ namespace smithy
             AWS_UNREFERENCED_PARAM(identityProperties);
             AWS_UNREFERENCED_PARAM(additionalParameters);
 
-            auto smithyCreds = Aws::MakeUnique<AwsCredentialIdentity>("DefaultAwsCredentialIdentityResolver",
-                                                                     m_credentials.GetAWSAccessKeyId(), m_credentials.GetAWSSecretKey(),
-                                                                     m_credentials.GetSessionToken(), m_credentials.GetExpiration());
+            auto smithyCreds = Aws::MakeUnique<AwsCredentialIdentity>("SimpleAwsCredentialIdentityResolver",
+                                                                     m_credentials.GetAWSAccessKeyId(),
+                                                                     m_credentials.GetAWSSecretKey(),
+                                                                     m_credentials.GetSessionToken().empty()? Aws::Crt::Optional<Aws::String>() : m_credentials.GetSessionToken(),
+                                                                     m_credentials.GetExpiration(),
+                                                                     m_credentials.GetAccountId().empty()? Aws::Crt::Optional<Aws::String>() : m_credentials.GetAccountId());
 
             return {std::move(smithyCreds)};
         }
diff --git a/src/aws-cpp-sdk-core/source/auth/AWSCredentialsProvider.cpp b/src/aws-cpp-sdk-core/source/auth/AWSCredentialsProvider.cpp
@@ -36,6 +36,7 @@ using Aws::Utils::Threading::WriterLockGuard;
 static const char ACCESS_KEY_ENV_VAR[] = "AWS_ACCESS_KEY_ID";
 static const char SECRET_KEY_ENV_VAR[] = "AWS_SECRET_ACCESS_KEY";
 static const char SESSION_TOKEN_ENV_VAR[] = "AWS_SESSION_TOKEN";
+static const char ACCOUNT_ID_ENV_VAR[] = "AWS_ACCOUNT_ID";
 static const char DEFAULT_PROFILE[] = "default";
 static const char AWS_PROFILE_ENV_VAR[] = "AWS_PROFILE";
 static const char AWS_PROFILE_DEFAULT_ENV_VAR[] = "AWS_DEFAULT_PROFILE";
@@ -91,6 +92,14 @@ AWSCredentials EnvironmentAWSCredentialsProvider::GetAWSCredentials()
             credentials.SetSessionToken(sessionToken);
             AWS_LOGSTREAM_DEBUG(ENVIRONMENT_LOG_TAG, "Found sessionToken");
         }
+
+        const auto accountId = Aws::Environment::GetEnv(ACCOUNT_ID_ENV_VAR);
+
+        if (!accountId.empty())
+        {
+            credentials.SetAccountId(accountId);
+            AWS_LOGSTREAM_DEBUG(ENVIRONMENT_LOG_TAG, "Found accountId");
+        }
     }
 
     return credentials;
@@ -409,6 +418,11 @@ AWSCredentials Aws::Auth::GetCredentialsFromProcess(const Aws::String& process)
         credentials.SetExpiration((std::chrono::time_point<std::chrono::system_clock>::max)());
     }
 
+    if (credentialsView.KeyExists("AccountId"))
+    {
+      credentials.SetAccountId(credentialsView.GetString("AccountId"));
+    }
+
     AWS_LOGSTREAM_DEBUG(PROFILE_LOG_TAG, "Successfully pulled credentials from process credential with AccessKey: " << accessKey << ", Expiration:" << credentialsView.GetString("Expiration"));
     return credentials;
 }
diff --git a/src/aws-cpp-sdk-core/source/auth/GeneralHTTPCredentialsProvider.cpp b/src/aws-cpp-sdk-core/source/auth/GeneralHTTPCredentialsProvider.cpp
@@ -232,17 +232,19 @@ void GeneralHTTPCredentialsProvider::Reload()
         return;
     }
 
-    Aws::String accessKey, secretKey, token;
+    Aws::String accessKey, secretKey, token, accountId;
     Utils::Json::JsonView credentialsView(credentialsDoc);
     accessKey = credentialsView.GetString("AccessKeyId");
     secretKey = credentialsView.GetString("SecretAccessKey");
     token = credentialsView.GetString("Token");
+    accountId = credentialsView.GetString("AccountId");
     AWS_LOGSTREAM_DEBUG(GEN_HTTP_LOG_TAG, "Successfully pulled credentials from metadata service with access key " << accessKey);
 
     m_credentials.SetAWSAccessKeyId(accessKey);
     m_credentials.SetAWSSecretKey(secretKey);
     m_credentials.SetSessionToken(token);
     m_credentials.SetExpiration(Aws::Utils::DateTime(credentialsView.GetString("Expiration"), Aws::Utils::DateFormat::ISO_8601));
+    m_credentials.SetAccountId(accountId);
     AWSCredentialsProvider::Reload();
 }
 
diff --git a/src/aws-cpp-sdk-core/source/config/AWSConfigFileProfileConfigLoader.cpp b/src/aws-cpp-sdk-core/source/config/AWSConfigFileProfileConfigLoader.cpp
@@ -21,6 +21,7 @@ namespace Aws
         static const char ACCESS_KEY_ID_KEY[]                = "aws_access_key_id";
         static const char SECRET_KEY_KEY[]                   = "aws_secret_access_key";
         static const char SESSION_TOKEN_KEY[]                = "aws_session_token";
+        static const char ACCOUNT_ID_KEY[]                   = "aws_account_id";
         static const char SSO_START_URL_KEY[]                = "sso_start_url";
         static const char SSO_REGION_KEY[]                   = "sso_region";
         static const char SSO_ACCOUNT_ID_KEY[]               = "sso_account_id";
@@ -445,7 +446,7 @@ namespace Aws
                     }
 
                     auto accessKeyIdIter = currentKeyValues.find(ACCESS_KEY_ID_KEY);
-                    Aws::String accessKey, secretKey, sessionToken;
+                    Aws::String accessKey, secretKey, sessionToken, accountId;
                     if (accessKeyIdIter != currentKeyValues.end())
                     {
                         accessKey = accessKeyIdIter->second;
@@ -467,7 +468,18 @@ namespace Aws
                             sessionToken = sessionTokenIter->second;
                         }
 
-                        profile.SetCredentials(Aws::Auth::AWSCredentials(accessKey, secretKey, sessionToken));
+                        const auto accountIdIter = currentKeyValues.find(ACCOUNT_ID_KEY);
+
+                        if (accountIdIter != currentKeyValues.end())
+                        {
+                            accountId = accountIdIter->second;
+                        }
+
+                        profile.SetCredentials(Aws::Auth::AWSCredentials(accessKey,
+                          secretKey,
+                          sessionToken,
+                          DateTime{},
+                          accountId));
                     }
 
                     if (!profile.GetSsoStartUrl().empty() || !profile.GetSsoRegion().empty()
diff --git a/src/aws-cpp-sdk-core/source/internal/AWSHttpResourceClient.cpp b/src/aws-cpp-sdk-core/source/internal/AWSHttpResourceClient.cpp
@@ -9,6 +9,7 @@
 #include <aws/core/http/HttpClientFactory.h>
 #include <aws/core/http/HttpResponse.h>
 #include <aws/core/utils/logging/LogMacros.h>
+#include <aws/core/utils/ARN.h>
 #include <aws/core/utils/StringUtils.h>
 #include <aws/core/utils/HashingUtils.h>
 #include <aws/core/platform/Environment.h>
@@ -588,6 +589,15 @@ namespace Aws
                     {
                         result.creds.SetExpiration(DateTime(StringUtils::Trim(expirationNode.GetText().c_str()).c_str(), DateFormat::ISO_8601));
                     }
+                    XmlNode assumeRoleUser = credentialsNode.FirstChild("AssumedRoleUser");
+                    if (!assumeRoleUser.IsNull())
+                    {
+                      XmlNode roleArn = assumeRoleUser.FirstChild("Arn");
+                      if (!roleArn.IsNull())
+                      {
+                        result.creds.SetAccountId(ARN{roleArn.GetText()}.GetAccountId());
+                      }
+                    }
                 }
             }
             return result;
@@ -670,6 +680,7 @@ namespace Aws
             creds.SetAWSSecretKey(roleCredentials.GetString("secretAccessKey"));
             creds.SetSessionToken(roleCredentials.GetString("sessionToken"));
             creds.SetExpiration(roleCredentials.GetInt64("expiration"));
+            creds.SetAccountId(roleCredentials.GetString("accountId"));
             SSOCredentialsClient::SSOGetRoleCredentialsResult result;
             result.creds = creds;
             return result;
diff --git a/tests/aws-cpp-sdk-core-tests/aws/auth/AWSCredentialsProviderTest.cpp b/tests/aws-cpp-sdk-core-tests/aws/auth/AWSCredentialsProviderTest.cpp
diff --git a/tests/aws-cpp-sdk-core-tests/aws/auth/GeneralHTTPCredentialsProviderTest.cpp b/tests/aws-cpp-sdk-core-tests/aws/auth/GeneralHTTPCredentialsProviderTest.cpp

Original file line number	Diff line number	Diff line change
`@@ -23,4 +23,8 @@ namespace smithy {`
`23`	`23`	`inline Aws::Crt::Optional<AwsIdentity::DateTime> AwsCredentialIdentity::expiration() const {`
`24`	`24`	`return m_expiration;`
`25`	`25`	`}`
	`26`	`+`
	`27`	`+ inline Aws::Crt::Optional<Aws::String> AwsCredentialIdentity::accountId() const {`
	`28`	`+ return m_sessionToken;`
	`29`	`+ }`
`26`	`30`	`}`
Original file line number	Diff line number	Diff line change
`@@ -49,7 +49,8 @@ namespace smithy {`
`49`	`49`	`legacyCreds.GetAWSAccessKeyId(),`
`50`	`50`	`legacyCreds.GetAWSSecretKey(),`
`51`	`51`	`legacyCreds.GetSessionToken().empty()? Aws::Crt::Optional<Aws::String>() : legacyCreds.GetSessionToken(),`
`52`		`- legacyCreds.GetExpiration());`
	`52`	`+ legacyCreds.GetExpiration(),`
	`53`	`+ legacyCreds.GetAccountId().empty()? Aws::Crt::Optional<Aws::String>() : legacyCreds.GetSessionToken());`
`53`	`54`
`54`	`55`	`return ResolveIdentityFutureOutcome(std::move(smithyCreds));`
`55`	`56`	`}`