This is an automated email from the ASF dual-hosted git repository.

stevel pushed a commit to branch branch-3.4.1
in repository https://gitbox.apache.org/repos/asf/hadoop.git


The following commit(s) were added to refs/heads/branch-3.4.1 by this push:
     new 87d9bb60229 HADOOP-19201. S3A. Support external-id in assume role 
(#6876)
87d9bb60229 is described below

commit 87d9bb602290063f324ca09702bb030bd3fbbba6
Author: Smith Cruise <chendingch...@126.com>
AuthorDate: Tue Sep 10 22:38:32 2024 +0800

    HADOOP-19201. S3A. Support external-id in assume role (#6876)
    
    The option fs.s3a.assumed.role.external.id sets the
    external id for calls of AssumeRole to the STS service
    
    Contributed by Smith Cruise
---
 .../src/main/java/org/apache/hadoop/fs/s3a/Constants.java         | 5 +++++
 .../apache/hadoop/fs/s3a/auth/AssumedRoleCredentialProvider.java  | 5 +++++
 .../src/site/markdown/tools/hadoop-aws/assumed_roles.md           | 8 ++++++++
 3 files changed, 18 insertions(+)

diff --git 
a/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/Constants.java 
b/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/Constants.java
index 5ce1b49864a..7e614bc11d6 100644
--- 
a/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/Constants.java
+++ 
b/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/Constants.java
@@ -94,6 +94,11 @@ public final class Constants {
   public static final String ASSUMED_ROLE_ARN =
       "fs.s3a.assumed.role.arn";
 
+  /**
+   * external id for assume role request: {@value}.
+   */
+  public static final String ASSUMED_ROLE_EXTERNAL_ID = 
"fs.s3a.assumed.role.external.id";
+
   /**
    * Session name for the assumed role, must be valid characters according
    * to the AWS APIs: {@value}.
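Review bot: The javadoc on `ASSUMED_ROLE_EXTERNAL_ID` does not say that the option is optional or what the value has to match, which is what an operator reading Constants needs to know. I would expand it to something like `Optional external ID sent as ExternalId in the STS AssumeRole request; must match the sts:ExternalId condition in the role's trust policy, unset by default: {@value}.` The declaration also appears to be on a single long line (the mail wrapping suggests so), whereas the neighbouring `ASSUMED_ROLE_ARN` puts the value on a continuation line.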
diff --git 
a/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/AssumedRoleCredentialProvider.java
 
b/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/AssumedRoleCredentialProvider.java
index c2ac8fe4c81..ce20684feca 100644
--- 
a/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/AssumedRoleCredentialProvider.java
+++ 
b/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/AssumedRoleCredentialProvider.java
@@ -125,6 +125,7 @@ public final class AssumedRoleCredentialProvider implements 
AwsCredentialsProvid
     duration = conf.getTimeDuration(ASSUMED_ROLE_SESSION_DURATION,
         ASSUMED_ROLE_SESSION_DURATION_DEFAULT, TimeUnit.SECONDS);
     String policy = conf.getTrimmed(ASSUMED_ROLE_POLICY, "");
+    String externalId = conf.getTrimmed(ASSUMED_ROLE_EXTERNAL_ID, "");
 
     LOG.debug("{}", this);
 
@@ -132,6 +133,10 @@ public final class AssumedRoleCredentialProvider 
implements AwsCredentialsProvid
         AssumeRoleRequest.builder().roleArn(arn).roleSessionName(sessionName)
             .durationSeconds((int) duration);
 
+    if (StringUtils.isNotEmpty(externalId)) {
+      requestBuilder.externalId(externalId);
+    }
+
     if (StringUtils.isNotEmpty(policy)) {
       LOG.debug("Scope down policy {}", policy);
       requestBuilder.policy(policy);
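Review bot: The value read by `conf.getTrimmed(ASSUMED_ROLE_EXTERNAL_ID, "")` is passed to `requestBuilder.externalId(externalId)` with only an emptiness check, so a malformed ID is only discovered when STS rejects the request. The AWS API documents ExternalId as 2 to 1224 characters from a restricted character set. A fail-fast check next to the read would give a clearer error, e.g. `if (!externalId.isEmpty() && (externalId.length() < 2 || externalId.length() > 1224)) { throw new IllegalArgumentException("Invalid value for " + ASSUMED_ROLE_EXTERNAL_ID); }`. The diffstat lists no test file, so nothing visible here verifies that the option reaches the AssumeRoleRequest or that an unset option leaves the request unchanged. The enclosing constructor starts and ends outside these hunks.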
diff --git 
a/hadoop-tools/hadoop-aws/src/site/markdown/tools/hadoop-aws/assumed_roles.md 
b/hadoop-tools/hadoop-aws/src/site/markdown/tools/hadoop-aws/assumed_roles.md
index 065a757f217..ba1bc4b362c 100644
--- 
a/hadoop-tools/hadoop-aws/src/site/markdown/tools/hadoop-aws/assumed_roles.md
+++ 
b/hadoop-tools/hadoop-aws/src/site/markdown/tools/hadoop-aws/assumed_roles.md
@@ -153,6 +153,14 @@ Here are the full set of configuration options.
   </description>
 </property>
 
+<property>
+  <name>fs.s3a.assumed.role.external.id</name>
+  <value>arbitrary value, specific by user in AWS console</value>
+  <description>
+    External id for assumed role, it's an optional configuration. 
"https://aws.amazon.com/cn/blogs/security/how-to-use-external-id-when-granting-access-to-your-aws-resources/";
+  </description>
+</property>
+
 <property>
   <name>fs.s3a.assumed.role.policy</name>
   <value/>

