
Allow users to provide a policy document or policies ARNs to AssumeRoleProvider builder #641

Closed
1 of 2 tasks
albe-rosado opened this issue Oct 18, 2022 · 4 comments
Labels
feature-request A feature should be added or improved. p2 This is a standard priority issue

Comments

@albe-rosado
Contributor

albe-rosado commented Oct 18, 2022

Describe the feature

It would be great if a user could provide an IAM policy document and/or a list of policy ARNs to the AssumeRoleProvider builder. This allows users to dynamically add IAM policies to the IAM role they wish to assume, without having to explicitly use the STS client to assume the role with the desired policies and then build a custom credential provider from the credentials of the assumed role.

Use Case

A user who wishes to create a DynamoDB client (for example) with fine-grained control, using a certain IAM policy (or policies), could just use the AssumeRoleProvider credential provider in the following way:

```rust
use std::sync::Arc;
use aws_config::environment::EnvironmentVariableCredentialsProvider;
use aws_config::sts::AssumeRoleProvider;

let tenant_id = "890".to_string();
// Session policy that scopes the assumed role to one tenant's partition keys.
let simple_policy_doc = r#"
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem"
      ],
      "Resource": [
        "arn:aws:dynamodb:us-east-1:123:table/Product-Pooled-Sharded"
      ],
      "Condition": {
        "ForAllValues:StringLike": {
          "dynamodb:LeadingKeys": [
            "{TENANTID}-*"
          ]
        }
      }
    }
  ]
}
"#
.replace("{TENANTID}", &tenant_id);

let cred_provider = AssumeRoleProvider::builder("arn:aws:iam::123:role/example")
    .session_name("name")
    // inline policy document as string
    .policy(simple_policy_doc)
    // list of policy ARNs
    //.policy_arns(["arn:aws:iam::123:policy/mycustompolicy"])
    .build(Arc::new(EnvironmentVariableCredentialsProvider::new()) as Arc<_>);
let sdk_config = aws_config::load_from_env().await;
let dynamo_config = aws_sdk_dynamodb::config::Builder::from(&sdk_config)
    .credentials_provider(cred_provider)
    .build();
// this client will be scoped to what is allowed by the policy.
let client = aws_sdk_dynamodb::Client::from_conf(dynamo_config);
```

Currently, to achieve what is described above, the user has to make an assume_role request using the STS client and then implement their own custom credential provider, which is then used when creating the DynamoDB (in this example) client configuration.

Proposed Solution

Include set_policy and/or set_policy_arns methods in the AssumeRoleProvider builder, similar to how it is done in the STS client.

Other Information

Let me know if I should provide a correct/more concise example, or if there is anything else I can add to make the request more clear.

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

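As an added example (not code from the issue or the aws-config crate), a std-only Rust helper that validates the tenant id before splicing it into the session policy shown above, so a caller-supplied id cannot widen the `dynamodb:LeadingKeys` condition. The 64-character limit and the allowed character set are assumptions.

```rust
// Added example, not from the issue or the SDK: render the issue's tenant-scoped
// session policy only after validating the tenant id. StringLike treats '*' and
// '?' as wildcards, so an unchecked id could widen the LeadingKeys scope.
const POLICY_TEMPLATE: &str = r#"{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["dynamodb:GetItem"],
    "Resource": ["arn:aws:dynamodb:us-east-1:123:table/Product-Pooled-Sharded"],
    "Condition": {
      "ForAllValues:StringLike": {
        "dynamodb:LeadingKeys": ["{TENANTID}-*"]
      }
    }
  }]
}"#;

#[derive(Debug, PartialEq)]
pub enum TenantIdError {
    Empty,
    TooLong(usize),
    /// A wildcard, quote, or other character outside [A-Za-z0-9_-].
    ForbiddenChar(char),
}

/// Accept only non-empty ids of at most 64 ASCII letters, digits, '-' or '_'.
pub fn validate_tenant_id(id: &str) -> Result<(), TenantIdError> {
    if id.is_empty() {
        return Err(TenantIdError::Empty);
    }
    if id.len() > 64 {
        return Err(TenantIdError::TooLong(id.len()));
    }
    match id.chars().find(|c| !(c.is_ascii_alphanumeric() || *c == '-' || *c == '_')) {
        Some(c) => Err(TenantIdError::ForbiddenChar(c)),
        None => Ok(()),
    }
}

/// Substitute the tenant id into the template, or refuse to build a policy.
pub fn render_tenant_policy(tenant_id: &str) -> Result<String, TenantIdError> {
    validate_tenant_id(tenant_id)?;
    Ok(POLICY_TEMPLATE.replace("{TENANTID}", tenant_id))
}

fn main() {
    println!("{}", render_tenant_policy("890").unwrap());
    println!("{:?}", render_tenant_policy("*")); // Err(ForbiddenChar('*'))
}
```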
@albe-rosado albe-rosado added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Oct 18, 2022
@jdisanti
Contributor

I think this is a duplicate of #509, but that is tracking a more-difficult-to-implement, long-term solution for this (where the fields would automatically get added when the STS model is updated).

If you want to submit a PR to add these methods to the builder, you're welcome to.

@jdisanti jdisanti removed the needs-triage This issue or PR still needs to be triaged. label Oct 18, 2022
@albe-rosado
Contributor Author

Thanks for the quick response! I will submit a PR soon.

@jdisanti
Contributor

This was included in release-2022-12-14.

