From e87173e38b9a1f2a7223fa47a5ead22ee9a8e0b5 Mon Sep 17 00:00:00 2001
From: Daniel Hill
Date: Mon, 18 Feb 2019 13:03:59 +0000
Subject: [PATCH] add ability to assume role (#1)

---
 README.md | 4 +++-
 bin/check | 14 ++++++++++++++
 bin/in    | 14 ++++++++++++++
 3 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 4c4014d..b420f02 100644
--- a/README.md
+++ b/README.md
@@ -6,7 +6,9 @@ A Concourse CI resource to check for new Amazon Machine Images (AMI).
 
 - `aws_access_key_id`: Your AWS access key ID.
 
-- `aws_secret_access_key`: Your AWS secret access key.
+- `aws_secret_access_key`: Your AWS secret access key.
+
+- `aws_role_arn`: ARN of a AWS IAM role to assume.
 
 - `region`: *Required.* The AWS region to search for AMIs.
 
diff --git a/bin/check b/bin/check
index 64dadfb..e583ae9 100755
--- a/bin/check
+++ b/bin/check
@@ -9,6 +9,20 @@ AMI=$(jq -r '.version.ami // empty' /tmp/input)
 export AWS_ACCESS_KEY_ID=$(jq -r '.source.aws_access_key_id // empty' /tmp/input)
 export AWS_SECRET_ACCESS_KEY=$(jq -r '.source.aws_secret_access_key // empty' /tmp/input)
 export AWS_DEFAULT_REGION=$(jq -r '.source.region // empty' /tmp/input)
+export AWS_ROLE_ARN=$(jq -r '.source.aws_role_arn // empty' /tmp/input)
+
+# if role arn has been provided, assume role
+if ! [ -z "$AWS_ROLE_ARN" ]; then
+  aws sts assume-role \
+    --duration 900 \
+    --role-arn $AWS_ROLE_ARN \
+    --role-session-name ci \
+    --output json \
+    > /tmp/session
+  export AWS_ACCESS_KEY_ID=$(jq -r '.Credentials.AccessKeyId' /tmp/session)
+  export AWS_SECRET_ACCESS_KEY=$(jq -r '.Credentials.SecretAccessKey' /tmp/session)
+  export AWS_SESSION_TOKEN=$(jq -r '.Credentials.SessionToken' /tmp/session)
+fi
 
 # remove any empty credentials vars so the AWS client will try instance profiles
 if [ -z "$AWS_ACCESS_KEY_ID" ]; then
diff --git a/bin/in b/bin/in
index c5c57f4..3899009 100755
--- a/bin/in
+++ b/bin/in
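Review bot: The exit status of `aws sts assume-role` in the bin/check hunk is never checked, so when it fails (bad ARN, missing sts:AssumeRole permission) /tmp/session is left empty, the three `jq -r` lines export empty strings, and the `-z` cleanup that follows quietly falls back to the caller's own keys or the instance profile instead of the role the user configured; whether `set -e` would abort first depends on the script header, which is outside the hunk. The same lines leave `$AWS_ROLE_ARN` unquoted and write the temporary credentials to the fixed, never-removed path /tmp/session with default permissions. Capturing the JSON in a shell variable avoids the file altogether, and an explicit `|| exit` makes the failure visible rather than a silent credential downgrade. `AWS_ROLE_ARN` is also a name the AWS CLI itself reads (for web-identity role assumption), so exporting it is at best unnecessary; a plain assignment is enough. The bin/in hunk duplicates this block line for line and needs the identical change.
```shell
AWS_ROLE_ARN=$(jq -r '.source.aws_role_arn // empty' /tmp/input)

# if role arn has been provided, assume role; abort rather than fall back to other credentials
if [ -n "$AWS_ROLE_ARN" ]; then
  session=$(aws sts assume-role \
    --duration 900 \
    --role-arn "$AWS_ROLE_ARN" \
    --role-session-name ci \
    --output json) || { echo "assume-role failed for $AWS_ROLE_ARN" >&2; exit 1; }
  AWS_ACCESS_KEY_ID=$(printf '%s' "$session" | jq -r '.Credentials.AccessKeyId')
  AWS_SECRET_ACCESS_KEY=$(printf '%s' "$session" | jq -r '.Credentials.SecretAccessKey')
  AWS_SESSION_TOKEN=$(printf '%s' "$session" | jq -r '.Credentials.SessionToken')
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
fi
# … unchanged: empty-credential cleanup …
```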
@@ -11,6 +11,20 @@ AMI=$(jq -r '.version.ami // empty' /tmp/input)
 export AWS_ACCESS_KEY_ID=$(jq -r '.source.aws_access_key_id // empty' /tmp/input)
 export AWS_SECRET_ACCESS_KEY=$(jq -r '.source.aws_secret_access_key // empty' /tmp/input)
 export AWS_DEFAULT_REGION=$(jq -r '.source.region // empty' /tmp/input)
+export AWS_ROLE_ARN=$(jq -r '.source.aws_role_arn // empty' /tmp/input)
+
+# if role arn has been provided, assume role
+if ! [ -z "$AWS_ROLE_ARN" ]; then
+  aws sts assume-role \
+    --duration 900 \
+    --role-arn $AWS_ROLE_ARN \
+    --role-session-name ci \
+    --output json \
+    > /tmp/session
+  export AWS_ACCESS_KEY_ID=$(jq -r '.Credentials.AccessKeyId' /tmp/session)
+  export AWS_SECRET_ACCESS_KEY=$(jq -r '.Credentials.SecretAccessKey' /tmp/session)
+  export AWS_SESSION_TOKEN=$(jq -r '.Credentials.SessionToken' /tmp/session)
+fi
 
 # remove any empty credentials vars so the AWS client will try instance profiles
 if [ -z "$AWS_ACCESS_KEY_ID" ]; then