Allow user to set `policy` and `policy_arns` in `WebIdentityTokenCredentialsProvider` builder (#3506)

Related PR: https://github.com/smithy-lang/smithy-rs/pull/1892/ ## Motivation and Context This change allows users to define inline IAM policies and/or set predefined policies (using their ARNs) with `WebIdentityTokenCredentialsProvider` ## Description Adds `policy` and `policy_arns` to `WebIdentityTokenCredentialsProvider` builder. ## Testing ## Checklist  - [x] I have updated `CHANGELOG.next.toml` if I made changes to the smithy-rs codegen or runtime crates - [x] I have updated `CHANGELOG.next.toml` if I made changes to the AWS SDK, generated SDK code, or SDK runtime crates ---- _By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice._ --------- Co-authored-by: ysaito1001 <awsaito@amazon.com>
2024-04-02 19:09:27 +02:00 · 2024-04-02 19:09:27 +02:00 · d37ac94ad9
parent 88405d6383
commit d37ac94ad9
2 changed files with 45 additions and 1 deletions
--- a/CHANGELOG.next.toml
+++ b/CHANGELOG.next.toml
@ -11,6 +11,12 @@
 # meta = { "breaking" = false, "tada" = false, "bug" = false, "target" = "client | server | all"}
 # author = "rcoh"

+[[aws-sdk-rust]]
+message = "Ability to add an inline policy or a list of policy ARNs to the `WebIdentityTokenCredentialsProvider` builder."
+references = ["smithy-rs#3506"]
+meta = { "breaking" = false, "tada" = true, "bug" = false }
+author = "mokhaled2992"
+
 [[aws-sdk-rust]]
 message = "Make `BehaviorVersion` be future-proof by disallowing it to be constructed via the `BehaviorVersion {}` syntax."
 references = ["aws-sdk-rust#1111", "smithy-rs#3513"]
--- a/aws/rust-runtime/aws-config/src/web_identity_token.rs
+++ b/aws/rust-runtime/aws-config/src/web_identity_token.rs
@ -64,10 +64,11 @@
 use crate::provider_config::ProviderConfig;
 use crate::sts;
 use aws_credential_types::provider::{self, error::CredentialsError, future, ProvideCredentials};
-use aws_sdk_sts::Client as StsClient;
+use aws_sdk_sts::{types::PolicyDescriptorType, Client as StsClient};
 use aws_smithy_async::time::SharedTimeSource;
 use aws_smithy_types::error::display::DisplayErrorContext;
 use aws_types::os_shim_internal::{Env, Fs};
+
 use std::borrow::Cow;
 use std::path::{Path, PathBuf};

@ -84,6 +85,8 @@ pub struct WebIdentityTokenCredentialsProvider {
    time_source: SharedTimeSource,
    fs: Fs,
    sts_client: StsClient,
+    policy: Option<String>,
+    policy_arns: Option<Vec<PolicyDescriptorType>>,
 }

 impl WebIdentityTokenCredentialsProvider {
@ -150,6 +153,8 @@ impl WebIdentityTokenCredentialsProvider {
        load_credentials(
            &self.fs,
            &self.sts_client,
+            self.policy.clone(),
+            self.policy_arns.clone(),
            &conf.web_identity_token_file,
            &conf.role_arn,
            &conf.session_name,
@ -163,6 +168,8 @@ impl WebIdentityTokenCredentialsProvider {
 pub struct Builder {
    source: Option<Source>,
    config: Option<ProviderConfig>,
+    policy: Option<String>,
+    policy_arns: Option<Vec<PolicyDescriptorType>>,
 }

 impl Builder {
@ -193,6 +200,31 @@ impl Builder {
        self
    }

+    /// Set an IAM policy in JSON format that you want to use as an inline session policy.
+    ///
+    /// This parameter is optional
+    /// For more information, see
+    /// [policy](aws_sdk_sts::operation::assume_role::builders::AssumeRoleInputBuilder::policy_arns)
+    pub fn policy(mut self, policy: impl Into<String>) -> Self {
+        self.policy = Some(policy.into());
+        self
+    }
+
+    /// Set the Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as managed session policies.
+    ///
+    /// This parameter is optional.
+    /// For more information, see
+    /// [policy_arns](aws_sdk_sts::operation::assume_role::builders::AssumeRoleInputBuilder::policy_arns)
+    pub fn policy_arns(mut self, policy_arns: Vec<String>) -> Self {
+        self.policy_arns = Some(
+            policy_arns
+                .into_iter()
+                .map(|arn| PolicyDescriptorType::builder().arn(arn).build())
+                .collect::<Vec<_>>(),
+        );
+        self
+    }
+
    /// Build a [`WebIdentityTokenCredentialsProvider`]
    ///
    /// ## Panics
@ -206,6 +238,8 @@ impl Builder {
            fs: conf.fs(),
            sts_client: StsClient::new(&conf.client_config()),
            time_source: conf.time_source(),
+            policy: self.policy,
+            policy_arns: self.policy_arns,
        }
    }
 }
@ -213,6 +247,8 @@ impl Builder {
 async fn load_credentials(
    fs: &Fs,
    sts_client: &StsClient,
+    policy: Option<String>,
+    policy_arns: Option<Vec<PolicyDescriptorType>>,
    token_file: impl AsRef<Path>,
    role_arn: &str,
    session_name: &str,
@ -228,6 +264,8 @@ async fn load_credentials(
    let resp = sts_client.assume_role_with_web_identity()
        .role_arn(role_arn)
        .role_session_name(session_name)
+        .set_policy(policy)
+        .set_policy_arns(policy_arns)
        .web_identity_token(token)
        .send()
        .await