fleet/server/aws_common/aws_common.go

// Package aws_common contains common functionality used
// by packages that use AWS features (kinesis, firehose, ses, lambda, s3)
package aws_common

import (
	"context"
	"fmt"

	"github.com/aws/aws-sdk-go-v2/aws"
	aws_config "github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/credentials/stscreds"
	"github.com/aws/aws-sdk-go-v2/service/sts"
)

// ConfigureAssumeRoleProvider configures the credential provider with a "Assume Role"
// provider and returns a new aws.Config.
//
// It overrides any aws_config.WithCredentialsProvider set in opts.
func ConfigureAssumeRoleProvider(
	conf aws.Config,
	opts []func(*aws_config.LoadOptions) error,
	stsAssumeRoleARN,
	stsExternalID string,
) (aws.Config, error) {
	stsClient := sts.NewFromConfig(conf)
	credsProvider := stscreds.NewAssumeRoleProvider(stsClient, stsAssumeRoleARN, func(r *stscreds.AssumeRoleOptions) {
		if stsExternalID != "" {
			r.ExternalID = &stsExternalID
		}
	})
	// Overrides any previous aws_config.WithCredentialsProvider set in opts.
	opts = append(opts,
		aws_config.WithCredentialsProvider(credsProvider),
	)
	conf, err := aws_config.LoadDefaultConfig(context.Background(), opts...)
	if err != nil {
		return aws.Config{}, fmt.Errorf("failed to create default config with sts assume role: %w", err)
	}
	return conf, nil
}
Fix STS assume role in `aws-sdk-go` v2 (#30699) Fix unreleased bug #30693. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * Documentation * Updated testing documentation to include a missing command for creating the Firehose delivery stream for "status" logs. * Refactor * Centralized AWS STS Assume Role credential configuration across multiple AWS integrations (S3, Firehose, Kinesis, Lambda, SES) to use a shared helper, improving maintainability and consistency. * Removed deprecated inline credential configuration logic in favor of the new centralized approach. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2025-07-10 16:00:27 +00:00			`// Package aws_common contains common functionality used`
			`// by packages that use AWS features (kinesis, firehose, ses, lambda, s3)`
			`package aws_common`

			`import (`
			`"context"`
			`"fmt"`

			`"github.com/aws/aws-sdk-go-v2/aws"`
			`aws_config "github.com/aws/aws-sdk-go-v2/config"`
			`"github.com/aws/aws-sdk-go-v2/credentials/stscreds"`
			`"github.com/aws/aws-sdk-go-v2/service/sts"`
			`)`

			`// ConfigureAssumeRoleProvider configures the credential provider with a "Assume Role"`
			`// provider and returns a new aws.Config.`
			`//`
			`// It overrides any aws_config.WithCredentialsProvider set in opts.`
			`func ConfigureAssumeRoleProvider(`
			`conf aws.Config,`
			`opts []func(*aws_config.LoadOptions) error,`
			`stsAssumeRoleARN,`
			`stsExternalID string,`
			`) (aws.Config, error) {`
			`stsClient := sts.NewFromConfig(conf)`
			`credsProvider := stscreds.NewAssumeRoleProvider(stsClient, stsAssumeRoleARN, func(r *stscreds.AssumeRoleOptions) {`
			`if stsExternalID != "" {`
			`r.ExternalID = &stsExternalID`
			`}`
			`})`
			`// Overrides any previous aws_config.WithCredentialsProvider set in opts.`
			`opts = append(opts,`
			`aws_config.WithCredentialsProvider(credsProvider),`
			`)`
			`conf, err := aws_config.LoadDefaultConfig(context.Background(), opts...)`
			`if err != nil {`
			`return aws.Config{}, fmt.Errorf("failed to create default config with sts assume role: %w", err)`
			`}`
			`return conf, nil`
			`}`