[8.19](backport #48956) Use combined External ID for AWS cloud connectors AssumeRole #50169

Merged: olegsu merged 1 commit into 8.19 from mergify/bp/8.19/pr-48956 on Apr 16, 2026

@mergify mergify Bot commented Apr 16, 2026

Summary

This change updates the AWS cloud connectors credential flow in libbeat so that the AssumeRole step uses a combined External ID built from the cloud resource ID and the configured external ID: CloudConnectorsExternalID(resourceID, externalIDPart) returns resourceID-externalIDPart. This allows the remote (customer) role trust policy to scope access by resource while still using the configured external ID. The credential chain is unchanged: assume the Elastic global role with web identity (OIDC token), then assume the configured role with the new External ID and optional expiry window. Tests are updated to assert the new External ID format and a unit test is added for CloudConnectorsExternalID.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding changes to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
  • I have added an entry in ./changelog/fragments using the changelog tool.


This is an automatic backport of pull request #48956 done by [Mergify](https://mergify.com).

This change updates the AWS cloud connectors credential flow in libbeat so that the AssumeRole step uses a combined External ID built from the cloud resource ID and the configured external ID: `CloudConnectorsExternalID(resourceID, externalIDPart)` returns `resourceID-externalIDPart`. This allows the remote (customer) role trust policy to scope access by resource while still using the configured external ID. The credential chain is unchanged: assume the Elastic global role with web identity (OIDC token), then assume the configured role with the new External ID and optional expiry window. Tests are updated to assert the new External ID format and a unit test is added for `CloudConnectorsExternalID`.

(cherry picked from commit f909d4f)

# Conflicts:
#	x-pack/libbeat/common/aws/cloud_connectors.go
#	x-pack/libbeat/common/aws/cloud_connectors_test.go
@mergify mergify Bot requested a review from a team as a code owner April 16, 2026 18:03
@mergify mergify Bot added the backport and conflicts labels Apr 16, 2026
mergify Bot commented Apr 16, 2026

Cherry-pick of f909d4f has failed:

```
On branch mergify/bp/8.19/pr-48956
Your branch is up to date with 'origin/8.19'.

You are currently cherry-picking commit f909d4fb7.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Unmerged paths:
  (use "git add/rm <file>..." as appropriate to mark resolution)
	deleted by us:   x-pack/libbeat/common/aws/cloud_connectors.go
	deleted by us:   x-pack/libbeat/common/aws/cloud_connectors_test.go

no changes added to commit (use "git add" and/or "git commit -a")
```

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally

@mergify mergify Bot requested review from AndersonQ and VihasMakwana and removed request for a team April 16, 2026 18:03
@botelastic botelastic Bot added the needs_team label Apr 16, 2026

@github-actions (Contributor)
🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

@botelastic botelastic Bot removed the needs_team label Apr 16, 2026

@elasticmachine (Contributor)
Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@olegsu olegsu merged commit 2727e45 into 8.19 Apr 16, 2026
119 checks passed
@olegsu olegsu deleted the mergify/bp/8.19/pr-48956 branch April 16, 2026 20:34
olegsu commented Apr 17, 2026

More context: #49956

Labels: backport, conflicts, libbeat, skip-changelog, Team:Elastic-Agent-Data-Plane
