Add PolicyArns to stscreds role providers (#540)

* Add PolicyArns to stscreds role providers

* Correcting PolicyArns' type

Author: diehlaws

CHANGELOG_PENDING.md

@@ -6,6 +6,7 @@ SDK Features
 
 SDK Enhancements
 ---
+* `aws/stscreds`: `PolicyArns` can now be passed in to `stscreds.AssumeRoleProvider` and `stscreds.WebIdentityRoleProvider` in the same way as `sts.AssumeRoleInput`.
 
 SDK Bugs
 ---

aws/stscreds/provider.go

@@ -162,6 +162,29 @@ type AssumeRoleProviderOptions struct {
 	// size.
 	Policy *string
 
+	// The ARNs of IAM managed policies you want to use as managed session policies.
+	// The policies must exist in the same account as the role.
+	//
+	// This parameter is optional. You can provide up to 10 managed policy ARNs.
+	// However, the plain text that you use for both inline and managed session
+	// policies can't exceed 2,048 characters.
+	//
+	// An AWS conversion compresses the passed session policies and session tags
+	// into a packed binary format that has a separate limit. Your request can fail
+	// for this limit even if your plain text meets the other requirements. The
+	// PackedPolicySize response element indicates by percentage how close the policies
+	// and tags for your request are to the upper size limit.
+	//
+	// Passing policies to this operation returns new temporary credentials. The
+	// resulting session's permissions are the intersection of the role's identity-based
+	// policy and the session policies. You can use the role's temporary credentials
+	// in subsequent AWS API calls to access resources in the account that owns
+	// the role. You cannot use session policies to grant more permissions than
+	// those allowed by the identity-based policy of the role that is being assumed.
+	// For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
+	// in the IAM User Guide.
+	PolicyArns []sts.PolicyDescriptorType
+
 	// The identification number of the MFA device that is associated with the user
 	// who is making the AssumeRole call. Specify this value if the trust policy
 	// of the role being assumed includes a condition that requires MFA authentication.
@@ -223,6 +246,7 @@ func (p *AssumeRoleProvider) retrieveFn() (aws.Credentials, error) {
 	}
 	input := &sts.AssumeRoleInput{
 		DurationSeconds: aws.Int64(int64(p.options.Duration / time.Second)),
+		PolicyArns:      p.options.PolicyArns,
 		RoleArn:         aws.String(p.roleARN),
 		RoleSessionName: aws.String(p.options.RoleSessionName),
 		ExternalId:      p.options.ExternalID,

aws/stscreds/web_identity_provider.go

@@ -41,6 +41,7 @@ type WebIdentityRoleProvider struct {
 // WebIdentityRoleProviderOptions is a structure of configurable options for WebIdentityRoleProvider
 type WebIdentityRoleProviderOptions struct {
 	ExpiryWindow time.Duration
+	PolicyArns   []sts.PolicyDescriptorType
 }
 
 // IdentityTokenRetriever is an interface for retrieving a JWT
@@ -96,6 +97,7 @@ func (p *WebIdentityRoleProvider) retrieveFn() (aws.Credentials, error) {
 		sessionName = strconv.FormatInt(sdk.NowTime().UnixNano(), 10)
 	}
 	req := p.client.AssumeRoleWithWebIdentityRequest(&sts.AssumeRoleWithWebIdentityInput{
+		PolicyArns:       p.options.PolicyArns,
 		RoleArn:          &p.roleARN,
 		RoleSessionName:  &sessionName,
 		WebIdentityToken: aws.String(string(b)),