How to set ExternalId when using AWSSDK.Extensions.NETCore.Setup

[ashishdhingra]

Discussed in #3284

^{Originally posted by douggish April 11, 2024}
I'm using AWSSDK.Extensions.NETCore.Setup for configuration and need to assume a role in certain cases for cross-account access. I currently have code similar to the following to create a client that assumes a role:

AWSOptions options = _configuration.GetAWSOptions<AmazonLambdaConfig>();
options.SessionRoleArn = roleArn;
options.SessionName = sessionName;

return options.CreateServiceClient<IAmazonLambda>();

However, I can't find how I can set the ExternalId to address the "confused deputy problem" documented here: https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html

I explored creating an AssumeRoleAWSCredentials instance manually (so I could set the AssumeRoleAWSCredentialsOptions myself) with the idea of setting the Credentials property of my AWSOptions object. However, the AssumeRoleAWSCredentials requires sourceCredentials, which I'm not sure how to get from my AWSOptions.

How can I assume a role with ExternalId set when using AWSSDK.Extensions.NETCore.Setup?

[ashishdhingra]

The possible fix would be to expose another public property SessionExternalId in AWSOptions. When using SessionRoleArn, the extensions library uses AssumeRoleAWSCredentials where we can pass AssumeRoleAWSCredentialsOptions.ExternalId in overloaded constructor.