feat: support external IDs when assuming a role with a custom resource

Signed-off-by: Stephen Crowe <[email protected]>

Author: crowecawcaw

packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/aws-custom-resource/integ.cross-account-assumeRole.js.snapshot/cross-account-opt-in-stack.template.json

@@ -75,7 +75,7 @@
    "Properties": {
     "Code": {
      "S3Bucket": "cdk-hnb659fds-assets-234567890123-af-south-1",
-     "S3Key": "746da84b10e215c552e68b6d2061024e4429f0386f43a35ef5e4d2940655692e.zip"
+     "S3Key": "e6691dc6014ee9cc203ede754a4dbd33c0a6f12909a8bedd9fdd630d3f545154.zip"
     },
     "Handler": "index.handler",
     "Role": {

packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/aws-custom-resource/integ.cross-account-assumeRole.js.snapshot/cross-account-stack.template.json

@@ -9,7 +9,7 @@
       "Arn"
      ]
     },
-    "Create": "{\"assumedRoleArn\":\"arn:aws:iam::12345678:role/MyUniqueRole\",\"service\":\"@aws-sdk/client-sts\",\"action\":\"GetCallerIdentityCommand\",\"physicalResourceId\":{\"id\":\"id\"}}",
+    "Create": "{\"assumedRoleArn\":\"arn:aws:iam::12345678:role/MyUniqueRole\",\"assumedRoleExternalId\":\"external-id-1234\",\"service\":\"@aws-sdk/client-sts\",\"action\":\"GetCallerIdentityCommand\",\"physicalResourceId\":{\"id\":\"id\"}}",
     "InstallLatestAwsSdk": false
    },
    "DependsOn": [
@@ -75,7 +75,7 @@
    "Properties": {
     "Code": {
      "S3Bucket": "cdk-hnb659fds-assets-234567890123-us-east-1",
-     "S3Key": "746da84b10e215c552e68b6d2061024e4429f0386f43a35ef5e4d2940655692e.zip"
+     "S3Key": "e6691dc6014ee9cc203ede754a4dbd33c0a6f12909a8bedd9fdd630d3f545154.zip"
     },
     "Handler": "index.handler",
     "Role": {

packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/aws-custom-resource/integ.cross-account-assumeRole.js.snapshot/role-stack.template.json

@@ -7,6 +7,11 @@
      "Statement": [
       {
        "Action": "sts:AssumeRole",
+       "Condition": {
+        "StringEquals": {
+         "sts:ExternalId": "external-id-1234"
+        }
+       },
        "Effect": "Allow",
        "Principal": {
         "AWS": "arn:aws:iam::234567890123:root"

packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/aws-custom-resource/integ.cross-account-assumeRole.ts

@@ -58,9 +58,11 @@ const crossAccountOptInStack = new cdk.Stack(app, 'cross-account-opt-in-stack',
 
 const roleName = 'MyUniqueRole';
 
+const assumedRoleExternalId = 'external-id-1234';
 new iam.Role(roleStack, 'AssumeThisRole', {
   roleName: roleName,
   assumedBy: new iam.AccountPrincipal(crossAccount),
+  externalIds: [assumedRoleExternalId],
 });
 
 const assumedRoleArn = cdk.Stack.of(crossAccountStack).formatArn({
@@ -75,6 +77,7 @@ new AwsCustomResource(crossAccountStack, 'CrossAccountCR', {
   installLatestAwsSdk: false,
   onCreate: {
     assumedRoleArn: assumedRoleArn,
+    assumedRoleExternalId: assumedRoleExternalId,
     service: '@aws-sdk/client-sts',
     action: 'GetCallerIdentityCommand',
     physicalResourceId: PhysicalResourceId.of('id'),

packages/@aws-cdk/custom-resource-handlers/lib/custom-resources/aws-custom-resource-handler/construct-types.ts

@@ -21,5 +21,6 @@ export interface AwsSdkCall {
   readonly outputPath?: string;
   readonly outputPaths?: string[];
   readonly assumedRoleArn?: string;
+  readonly assumedRoleExternalId?: string;
   readonly logApiResponseData?: boolean;
 }

packages/@aws-cdk/custom-resource-handlers/lib/custom-resources/aws-custom-resource-handler/utils.ts

@@ -103,11 +103,15 @@ export async function getCredentials(call: AwsSdkCall, physicalResourceId: strin
   if (call.assumedRoleArn) {
     const timestamp = (new Date()).getTime();
 
-    const params = {
+    const params:{RoleArn: string; RoleSessionName: string; ExternalId?: string} = {
       RoleArn: call.assumedRoleArn,
       RoleSessionName: `${timestamp}-${physicalResourceId}`.substring(0, 64),
     };
 
+    if (call.assumedRoleExternalId) {
+      params.ExternalId = call.assumedRoleExternalId;
+    }
+
     const { fromTemporaryCredentials } = await import('@aws-sdk/credential-providers');
     credentials = fromTemporaryCredentials({
       params,

packages/@aws-cdk/custom-resource-handlers/test/custom-resources/aws-custom-resource/aws-sdk-v3-handler.test.ts

@@ -610,6 +610,7 @@ test('SDK credentials are not persisted across subsequent invocations', async ()
         service: '@aws-sdk/client-s3',
         action: 'GetObjectCommand',
         assumedRoleArn: 'arn:aws:iam::123456789012:role/CoolRole',
+        assumedRoleExternalId: 'external-id-1234',
         parameters: {
           Bucket: 'foo',
           Key: 'bar',
@@ -622,7 +623,12 @@ test('SDK credentials are not persisted across subsequent invocations', async ()
     ServiceToken: 'serviceToken',
     StackId: 'stackId',
   }, {} as AWSLambda.Context);
-  expect(credentialProviderMock).toHaveBeenCalled();
+  expect(credentialProviderMock).toHaveBeenCalledWith(
+    expect.objectContaining({
+      RoleArn: 'arn:aws:iam::123456789012:role/CoolRole',
+      ExternalId: 'external-id-1234',
+    }),
+  );
   credentialProviderMock.mockClear();
 
   await handler({

packages/aws-cdk-lib/custom-resources/lib/aws-custom-resource/aws-custom-resource.ts

@@ -189,6 +189,14 @@ export interface AwsSdkCall {
    */
   readonly assumedRoleArn?: string;
 
+  /**
+   * When assumedRoleArn is also specified, this external ID is used while assuming
+   * the role.
+   *
+   * @default - assume role without using an external ID
+   */
+  readonly assumedRoleExternalId?: string;
+
   /**
    * A property used to configure logging during lambda function execution.
    *