Update Cognito/STS code to support optional session policies (#3)

* snapshot: block out tool to derive creds from cognito * snapshot: derive credentials, not sure anything works though * rename aws-sts-credentials as aws-cognito-credentials * snapshot: add cmd/aws-credentials-json-to-ini * add docs for cognito and credentials json-to-ini stuff * snapshot: add hooks to assign session policies * update cognito/sts code to support optional session policies --------- Co-authored-by: sfomuseumbot <sfomuseumbot@localhost>
aaronland · Jan 25, 2024 · e41b4a2 · e41b4a2
1 parent 9e77da2
commit e41b4a2
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -36,6 +36,8 @@ Usage of ./bin/aws-cognito-credentials:
     	A valid AWS IAM role ARN to assign to STS credentials.
   -role-session-name string
     	An identifier for the assumed role session.
+  -session-policy value
+    	Zero or more IAM ARNs to use as session policies to supplement the default role ARN.	
 ```
 
 For example:

diff --git a/cmd/aws-cognito-credentials/main.go b/cmd/aws-cognito-credentials/main.go
@@ -22,15 +22,17 @@ func main() {
 	var duration int
 
 	var kv_logins multi.KeyValueString
-
+	var session_policies multi.MultiString
+
 	flag.StringVar(&aws_config_uri, "aws-config-uri", "", "A valid github.com/aaronland/go-aws-auth.Config URI.")
 
 	flag.StringVar(&identity_pool_id, "identity-pool-id", "", "A valid AWS Cognito Identity Pool ID.")
 	flag.StringVar(&role_arn, "role-arn", "", "A valid AWS IAM role ARN to assign to STS credentials.")
 	flag.StringVar(&role_session_name, "role-session-name", "", "An identifier for the assumed role session.")
 	flag.IntVar(&duration, "duration", 900, "The duration, in seconds, of the role session. Can not be less than 900.") // Note: Can not be less than 900
 	flag.Var(&kv_logins, "login", "One or more key=value strings mapping to AWS Cognito authentication providers.")
-
+	flag.Var(&session_policies, "session-policy", "Zero or more IAM ARNs to use as session policies to supplement the default role ARN.")
+
 	flag.Parse()
 
 	ctx := context.Background()
@@ -53,6 +55,7 @@ func main() {
 		Duration:        int32(duration),
 		IdentityPoolId:  identity_pool_id,
 		Logins:          logins,
+		Policies: session_policies,
 	}
 
 	creds, err := auth.STSCredentialsForDeveloperIdentity(ctx, cfg, opts)

diff --git a/cognito.go b/cognito.go
@@ -22,6 +22,8 @@ type STSCredentialsForDeveloperIdentityOptions struct {
 	RoleSessionName string
 	// The duration, in seconds, of the role session.
 	Duration int32
+	// An optional list of Amazon Resource Names (ARNs)  that you want to use as managed session policies.
+	Policies []string
 }
 
 // STSCredentialsForDeveloperIdentity generate temporary STS (AWS) credentials for a developer identity.
@@ -52,6 +54,25 @@ func STSCredentialsForDeveloperIdentity(ctx context.Context, aws_cfg aws.Config,
 		DurationSeconds:  aws.Int32(opts.Duration),
 	}
 
+	// https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/sts#AssumeRoleWithWebIdentityInput
+	// https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+
+	if len(opts.Policies) > 0 {
+
+		session_policies := make([]types.PolicyDescriptorType, len(opts.Policies))
+
+		for idx, arn := range opts.Policies {
+
+			session_policies[idx] = types.PolicyDescriptorType{
+				Arn: aws.String(arn),
+			}
+		}
+
+		creds_opts.PolicyArns = session_policies
+	}
+
+	// https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+
 	creds_rsp, err := sts_client.AssumeRoleWithWebIdentity(ctx, creds_opts)
 
 	if err != nil {