Sigv4: Use externalId when signing with sigv4 (#238)

idastambuk · iwysiu · web-flow · commit d7c7d63a5520 · 2025-05-08T09:08:25.000+02:00
---------

Co-authored-by: Isabella Siu &lt;Isabella.siu@grafana.com&gt;
diff --git a/pkg/sigv4/sigv4.go b/pkg/sigv4/sigv4.go
@@ -27,6 +27,8 @@ import (
 
 var (
 	signerCache sync.Map
+	newStsCreds = stscreds.NewCredentials
+	newV4Signer = v4.NewSigner
 )
 
 type middleware struct {
@@ -235,10 +237,10 @@ func createSigner(cfg *Config, authSettings awsds.AuthSettings, verboseMode bool
 			if err != nil {
 				return nil, err
 			}
-			c = stscreds.NewCredentials(s, cfg.AssumeRoleARN)
+			return getAssumeRoleSigner(s, cfg, signerOpts)
 		}
 
-		return v4.NewSigner(c, signerOpts), nil
+		return newV4Signer(c, signerOpts), nil
 	case awsds.AuthTypeDefault:
 		s, err := session.NewSession(&aws.Config{
 			Region: aws.String(cfg.Region),
@@ -248,10 +250,10 @@ func createSigner(cfg *Config, authSettings awsds.AuthSettings, verboseMode bool
 		}
 
 		if cfg.AssumeRoleARN != "" {
-			return v4.NewSigner(stscreds.NewCredentials(s, cfg.AssumeRoleARN), signerOpts), nil
+			return getAssumeRoleSigner(s, cfg, signerOpts)
 		}
 
-		return v4.NewSigner(s.Config.Credentials, signerOpts), nil
+		return newV4Signer(s.Config.Credentials, signerOpts), nil
 	default:
 		if cfg.AssumeRoleARN != "" {
 			s, err := session.NewSession(&aws.Config{
@@ -260,7 +262,7 @@ func createSigner(cfg *Config, authSettings awsds.AuthSettings, verboseMode bool
 			if err != nil {
 				return nil, err
 			}
-			return v4.NewSigner(stscreds.NewCredentials(s, cfg.AssumeRoleARN), signerOpts), nil
+			return getAssumeRoleSigner(s, cfg, signerOpts)
 		}
 		return nil, fmt.Errorf("invalid SigV4 auth type %q", authType)
 	}
@@ -273,10 +275,19 @@ func createSigner(cfg *Config, authSettings awsds.AuthSettings, verboseMode bool
 		if err != nil {
 			return nil, err
 		}
-		return v4.NewSigner(stscreds.NewCredentials(s, cfg.AssumeRoleARN), signerOpts), nil
+		return getAssumeRoleSigner(s, cfg, signerOpts)
 	}
 
-	return v4.NewSigner(c, signerOpts), nil
+	return newV4Signer(c, signerOpts), nil
+}
+
+func getAssumeRoleSigner(s *session.Session, cfg *Config, signerOpts func(s *v4.Signer)) (*v4.Signer, error) {
+	if cfg.ExternalID != "" {
+		return newV4Signer(newStsCreds(s, cfg.AssumeRoleARN, func(p *stscreds.AssumeRoleProvider) {
+			p.ExternalID = aws.String(cfg.ExternalID)
+		}), signerOpts), nil
+	} 
+	return newV4Signer(newStsCreds(s, cfg.AssumeRoleARN), signerOpts), nil
 }
 
 func copyHeaderWithoutOverwrite(dst, src http.Header) {
diff --git a/pkg/sigv4/sigv4_test.go b/pkg/sigv4/sigv4_test.go
@@ -10,7 +10,9 @@ import (
 	"github.com/grafana/grafana-plugin-sdk-go/backend"
 	"github.com/grafana/grafana-plugin-sdk-go/backend/log"
 
+	"github.com/aws/aws-sdk-go/aws/client"
 	"github.com/aws/aws-sdk-go/aws/credentials"
+	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 	v4 "github.com/aws/aws-sdk-go/aws/signer/v4"
 
 	"github.com/stretchr/testify/require"
@@ -301,6 +303,71 @@ func TestConfig(t *testing.T) {
 	})
 }
 
+func TestCreateSigner_UsesExternalID_WhenProvided(t *testing.T) {
+	for _, tc := range []struct {
+		authType string
+	}{
+		{authType: "default"},
+		{authType: "credentials"},
+		{authType: "keys"},
+		{authType: "ec2_iam_role"},
+		{authType: "grafana_assume_role"},
+	} {
+		t.Run(fmt.Sprintf("AuthType: %s", tc.authType), func(t *testing.T) {
+			// Capture the external ID passed into the AssumeRoleProvider
+			var capturedExternalID string
+			var signerCalled bool
+
+			// Mock stscreds.NewCredentials
+			newStsCreds = func(c client.ConfigProvider, arn string, optFns ...func(*stscreds.AssumeRoleProvider)) *credentials.Credentials {
+				provider := &stscreds.AssumeRoleProvider{}
+				for _, opt := range optFns {
+					opt(provider)
+				}
+				if provider.ExternalID != nil {
+					capturedExternalID = *provider.ExternalID
+				}
+				return credentials.NewStaticCredentials("mock-access", "mock-secret", "mock-token")
+			}
+
+			// Mock v4.NewSigner
+			newV4Signer = func(creds *credentials.Credentials, opts ...func(s *v4.Signer)) *v4.Signer {
+				signerCalled = true
+				return &v4.Signer{}
+			}
+
+			// Restore mocks
+			defer func() {
+				newStsCreds = stscreds.NewCredentials
+				newV4Signer = v4.NewSigner
+			}()
+
+			cfg := &Config{
+				Region:        "us-east-2",
+				AuthType:      tc.authType,
+				AssumeRoleARN: "arn:aws:iam::123456789:role/test-role",
+				ExternalID:    "external-id-123",
+			}
+
+			signer, err := createSigner(cfg, awsds.AuthSettings{
+				AllowedAuthProviders: []string{
+					"default",
+					"credentials",
+					"keys",
+					"ec2_iam_role",
+					"grafana_assume_role",
+				},
+				AssumeRoleEnabled: true,
+			}, false)
+
+			require.NoError(t, err)
+			require.NotNil(t, signer)
+			require.True(t, signerCalled)
+			require.Equal(t, "external-id-123", capturedExternalID)
+		})
+	}
+}
+
 type mockCredentialsProvider struct {
 	credentials.Provider
 	noCredentials bool

Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,8 @@ import (`
`27`	`27`
`28`	`28`	`var (`
`29`	`29`	`signerCache sync.Map`
	`30`	`+ newStsCreds = stscreds.NewCredentials`
	`31`	`+ newV4Signer = v4.NewSigner`
`30`	`32`	`)`
`31`	`33`
`32`	`34`	`type middleware struct {`
`@@ -235,10 +237,10 @@ func createSigner(cfg *Config, authSettings awsds.AuthSettings, verboseMode bool`
`235`	`237`	`if err != nil {`
`236`	`238`	`return nil, err`
`237`	`239`	`}`
`238`		`- c = stscreds.NewCredentials(s, cfg.AssumeRoleARN)`
	`240`	`+ return getAssumeRoleSigner(s, cfg, signerOpts)`
`239`	`241`	`}`
`240`	`242`
`241`		`- return v4.NewSigner(c, signerOpts), nil`
	`243`	`+ return newV4Signer(c, signerOpts), nil`
`242`	`244`	`case awsds.AuthTypeDefault:`
`243`	`245`	`s, err := session.NewSession(&aws.Config{`
`244`	`246`	`Region: aws.String(cfg.Region),`
`@@ -248,10 +250,10 @@ func createSigner(cfg *Config, authSettings awsds.AuthSettings, verboseMode bool`
`248`	`250`	`}`
`249`	`251`
`250`	`252`	`if cfg.AssumeRoleARN != "" {`
`251`		`- return v4.NewSigner(stscreds.NewCredentials(s, cfg.AssumeRoleARN), signerOpts), nil`
	`253`	`+ return getAssumeRoleSigner(s, cfg, signerOpts)`
`252`	`254`	`}`
`253`	`255`
`254`		`- return v4.NewSigner(s.Config.Credentials, signerOpts), nil`
	`256`	`+ return newV4Signer(s.Config.Credentials, signerOpts), nil`
`255`	`257`	`default:`
`256`	`258`	`if cfg.AssumeRoleARN != "" {`
`257`	`259`	`s, err := session.NewSession(&aws.Config{`
`@@ -260,7 +262,7 @@ func createSigner(cfg *Config, authSettings awsds.AuthSettings, verboseMode bool`
`260`	`262`	`if err != nil {`
`261`	`263`	`return nil, err`
`262`	`264`	`}`
`263`		`- return v4.NewSigner(stscreds.NewCredentials(s, cfg.AssumeRoleARN), signerOpts), nil`
	`265`	`+ return getAssumeRoleSigner(s, cfg, signerOpts)`
`264`	`266`	`}`
`265`	`267`	`return nil, fmt.Errorf("invalid SigV4 auth type %q", authType)`
`266`	`268`	`}`
`@@ -273,10 +275,19 @@ func createSigner(cfg *Config, authSettings awsds.AuthSettings, verboseMode bool`
`273`	`275`	`if err != nil {`
`274`	`276`	`return nil, err`
`275`	`277`	`}`
`276`		`- return v4.NewSigner(stscreds.NewCredentials(s, cfg.AssumeRoleARN), signerOpts), nil`
	`278`	`+ return getAssumeRoleSigner(s, cfg, signerOpts)`
`277`	`279`	`}`
`278`	`280`
`279`		`- return v4.NewSigner(c, signerOpts), nil`
	`281`	`+ return newV4Signer(c, signerOpts), nil`
	`282`	`+}`
	`283`	`+`
	`284`	`+func getAssumeRoleSigner(s session.Session, cfg Config, signerOpts func(s v4.Signer)) (v4.Signer, error) {`
	`285`	`+ if cfg.ExternalID != "" {`
	`286`	`+ return newV4Signer(newStsCreds(s, cfg.AssumeRoleARN, func(p *stscreds.AssumeRoleProvider) {`
	`287`	`+ p.ExternalID = aws.String(cfg.ExternalID)`
	`288`	`+ }), signerOpts), nil`
	`289`	`+ }`
	`290`	`+ return newV4Signer(newStsCreds(s, cfg.AssumeRoleARN), signerOpts), nil`
`280`	`291`	`}`
`281`	`292`
`282`	`293`	`func copyHeaderWithoutOverwrite(dst, src http.Header) {`