pass nil function for auth/aws when no externalID supplied (#27858)

hashicorp · Jul 26, 2024 · 32fdae0 · 32fdae0
1 parent 5787fa2
commit 32fdae0
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/builtin/credential/aws/client.go b/builtin/credential/aws/client.go
@@ -9,6 +9,8 @@ import (
 	"strconv"
 	"time"
 
+	"github.com/aws/aws-sdk-go/aws/credentials"
+
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 	"github.com/aws/aws-sdk-go/aws/session"
@@ -130,7 +132,12 @@ func (b *backend) getClientConfig(ctx context.Context, s logical.Storage, region
 		if err != nil {
 			return nil, err
 		}
-		assumedCredentials := stscreds.NewCredentials(sess, stsRole, func(p *stscreds.AssumeRoleProvider) { p.ExternalID = aws.String(externalID) })
+		var assumedCredentials *credentials.Credentials
+		if externalID != "" {
+			assumedCredentials = stscreds.NewCredentials(sess, stsRole, func(p *stscreds.AssumeRoleProvider) { p.ExternalID = aws.String(externalID) })
+		} else {
+			assumedCredentials = stscreds.NewCredentials(sess, stsRole)
+		}
 		// Test that we actually have permissions to assume the role
 		if _, err = assumedCredentials.Get(); err != nil {
 			return nil, err

diff --git a/changelog/27858.txt b/changelog/27858.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth/aws: fixes an issue where not supplying an external id was interpreted as an empty external id
+```