Fix: use configured externalID when not using Grafana Assume Role (#248)

Author: njvrzm

pkg/awsauth/auth.go

@@ -3,6 +3,7 @@ package awsauth
 import (
 	"context"
 	"fmt"
+	"github.com/grafana/grafana-aws-sdk/pkg/awsds"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/grafana/grafana-plugin-sdk-go/backend"
@@ -48,6 +49,8 @@ func (rcp *awsConfigProvider) GetConfig(ctx context.Context, authSettings Settin
 	case AuthTypeSharedCreds:
 		options = append(options, authSettings.WithSharedCredentials())
 	case AuthTypeGrafanaAssumeRole:
+		settings, _ := awsds.ReadAuthSettingsFromContext(ctx)
+		authSettings.ExternalID = settings.ExternalID
 		options = append(options, authSettings.WithGrafanaAssumeRole(ctx, rcp.client))
 	default:
 		return aws.Config{}, fmt.Errorf("unknown auth type: %s", authType)

pkg/awsauth/auth_test.go

@@ -6,6 +6,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/aws"
 	ststypes "github.com/aws/aws-sdk-go-v2/service/sts/types"
 	"github.com/grafana/grafana-aws-sdk/pkg/awsds"
+	"github.com/grafana/grafana-plugin-sdk-go/backend"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"os"
@@ -30,8 +31,11 @@ type testCase struct {
 	environment          map[string]string
 }
 
+const StackID = "42"
+
 func (tc testCase) Run(t *testing.T) {
-	ctx := context.Background()
+	ctx := backend.WithGrafanaConfig(context.Background(),
+		backend.NewGrafanaCfg(map[string]string{awsds.GrafanaAssumeRoleExternalIdKeyName: StackID}))
 	client := &mockAWSAPIClient{&mockAssumeRoleAPIClient{}}
 
 	if tc.authSettings.AssumeRoleARN != "" {
@@ -50,10 +54,16 @@ func (tc testCase) Run(t *testing.T) {
 		if tc.assumeRoleShouldFail {
 			require.Error(t, err)
 		} else {
+			require.NoError(t, err)
 			tc.assertConfig(t, cfg)
 			if tc.authSettings.GetAuthType() == AuthTypeKeys && tc.authSettings.SessionToken != "" {
 				assert.Equal(t, tc.authSettings.SessionToken, creds.SessionToken)
 			}
+			if tc.authSettings.GetAuthType() == AuthTypeGrafanaAssumeRole {
+				assert.Equal(t, client.assumeRoleClient.calledExternalId, StackID)
+			} else if tc.authSettings.AssumeRoleARN != "" && tc.authSettings.ExternalID != "" {
+				assert.Equal(t, client.assumeRoleClient.calledExternalId, tc.authSettings.ExternalID)
+			}
 			accessKey, secret := tc.getExpectedKeyAndSecret(t)
 			assert.Equal(t, accessKey, creds.AccessKeyID)
 			assert.Equal(t, secret, creds.SecretAccessKey)
@@ -185,6 +195,23 @@ func TestGetAWSConfig_Keys_AssumeRule(t *testing.T) {
 				Expiration:      aws.Time(time.Now().Add(time.Hour)),
 			},
 		},
+		{
+			name: "static assume role with external ID - external ID is used",
+			authSettings: Settings{
+				AuthType:      AuthTypeKeys,
+				AccessKey:     "tensile",
+				SecretKey:     "diaphanous",
+				Region:        "eu-north-1",
+				AssumeRoleARN: "arn:aws:iam::1234567890:role/aws-service-role",
+				ExternalID:    "cows_with_parasols",
+			},
+			assumedCredentials: &ststypes.Credentials{
+				AccessKeyId:     aws.String("assumed"),
+				SecretAccessKey: aws.String("role"),
+				SessionToken:    aws.String("session"),
+				Expiration:      aws.Time(time.Now().Add(time.Hour)),
+			},
+		},
 		{
 			name: "static assume role with sts endpoint - endpoint is nil",
 			authSettings: Settings{

pkg/awsauth/test_utils.go

@@ -55,11 +55,15 @@ func (m *mockAWSAPIClient) NewEC2RoleCreds() aws.CredentialsProvider {
 
 type mockAssumeRoleAPIClient struct {
 	mock.Mock
-	stsConfig aws.Config
+	stsConfig        aws.Config
+	calledExternalId string
 }
 
 func (m *mockAssumeRoleAPIClient) AssumeRole(_ context.Context, params *sts.AssumeRoleInput, _ ...func(*sts.Options)) (*sts.AssumeRoleOutput, error) {
 	args := m.Called()
+	if params.ExternalId != nil {
+		m.calledExternalId = *params.ExternalId
+	}
 	if args.Bool(0) { // shouldError
 		return &sts.AssumeRoleOutput{}, fmt.Errorf("assume role failed")
 	}