
Feature Request: config param IAM Role for cross-account #24

Open
JohnPreston opened this issue Jan 16, 2023 · 4 comments
Labels
enhancement New feature or request

Comments

@JohnPreston

Hello,

Kindly submitting a feature request: add a configuration parameter such as aws.sts.role.arn which would instruct it to use credentials retrieved with sts.AssumeRole in order to perform the secretsmanager.GetSecretValue API call.

With that would come two other configuration items:

  • aws.sts.session.name - string - required - allows setting a session name as defined in the API call
  • aws.sts.external.id - string - optional - externalId as defined in the API call

Thank you :)

@chrisurban chrisurban added the enhancement New feature or request label Mar 15, 2023
@sappusaketh

@JohnPreston can you use a service account with an IAM role which has permissions to the secrets? I think that would load creds into env vars where DefaultAWSCredentialsProviderChain would be able to find them, I guess.

@pauls-baby
Contributor

pauls-baby commented Nov 23, 2023

@JohnPreston I have raised a PR.

#143

This may not be exactly the issue you raised. It is a fix to the issue with using the approach @sappusaketh suggested. Please check if this aligns with your requirement.

@JohnPreston
Author

Hello.
@sappusaketh my containers already inherit credentials in a way that allows the SDK to use them.
However, if my secret is in another account, I would either need to change the secret resource policy or have an IAM role in the other account that does have permission to retrieve the secret value.

Therefore, simply by having the two properties shown above, you would have:

  • SDK inherits container credentials from the chain
  • SDK gets new session credentials after performing sts:AssumeRole on the role in the other account
  • SDK uses the new session credentials to invoke secretsmanager:GetSecretValue()

@pauls-baby I don't see how this PR addresses this request, sorry :/
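The three-step flow in the comment above, written out as an added illustration (not this project's code, nor code from the issue). It assumes the three property names proposed in the request, a `Map<String, String>` holding the parsed configuration, and AWS SDK for Java v1 (the SDK that DefaultAWSCredentialsProviderChain belongs to); region resolution is left to the SDK's default chain.

```java
import java.util.Map;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.services.secretsmanager.AWSSecretsManager;
import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;
import com.amazonaws.services.secretsmanager.model.GetSecretValueRequest;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;

// Hypothetical helper, not part of the project: picks the credentials provider the
// Secrets Manager client should use, based on the aws.sts.* properties from the request.
public final class CrossAccountSecretReader {

    static AWSCredentialsProvider credentialsFor(Map<String, String> config) {
        // Step 1: the container's own credentials (instance profile, ECS/EKS, env vars).
        AWSCredentialsProvider base = new DefaultAWSCredentialsProviderChain();
        String roleArn = config.get("aws.sts.role.arn");
        if (roleArn == null || roleArn.isEmpty()) {
            return base; // property absent: same-account behaviour, unchanged
        }
        String sessionName = config.get("aws.sts.session.name");
        if (sessionName == null || sessionName.isEmpty()) {
            throw new IllegalArgumentException(
                    "aws.sts.session.name is required when aws.sts.role.arn is set");
        }
        // Step 2: sts:AssumeRole is called with the base credentials; the provider caches
        // the temporary session credentials and refreshes them before they expire.
        AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard()
                .withCredentials(base).build();
        STSAssumeRoleSessionCredentialsProvider.Builder builder =
                new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, sessionName)
                        .withStsClient(sts);
        String externalId = config.get("aws.sts.external.id");
        if (externalId != null && !externalId.isEmpty()) {
            // Optional: only sent when configured, so the target role's trust policy
            // can require it without breaking deployments that do not set it.
            builder = builder.withExternalId(externalId);
        }
        return builder.build();
    }

    // Step 3: secretsmanager:GetSecretValue with the session credentials (or the base
    // credentials when no role is configured).
    static String readSecret(Map<String, String> config, String secretId) {
        AWSSecretsManager sm = AWSSecretsManagerClientBuilder.standard()
                .withCredentials(credentialsFor(config)).build();
        return sm.getSecretValue(new GetSecretValueRequest().withSecretId(secretId))
                .getSecretString();
    }
}
```

The role in the other account still needs a trust policy naming the container's role (and the external ID, if set) plus secretsmanager:GetSecretValue on the secret; this code does not replace that.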

@pauls-baby
Contributor

@JohnPreston Sorry, I misunderstood your requirement. I thought the secret was in the same account. You're right, if that's the case my PR won't solve it.
