hashicorp · Zlaticanin · Feb 24, 2025
@@ -460,6 +460,8 @@ const (
 	FieldEabKey                        = "key"
 	FieldAcmeDirectory                 = "acme_directory"
 	FieldEabId                         = "eab_id"
+	FieldAssumeRoleArn                 = "assume_role_arn"
+	FieldAssumeRoleSessionName         = "assume_role_session_name"
 
 	FieldDisableCriticalExtensionChecks = "disable_critical_extension_checks"
 	FieldDisablePathLengthChecks        = "disable_path_length_checks"

@@ -53,6 +53,21 @@ func awsSecretBackendStaticRoleResource() *schema.Resource {
 			Required:    true,
 			Description: "How often Vault should rotate the password of the user entry.",
 		},
+		consts.FieldAssumeRoleArn: {
+			Type:        schema.TypeString,
+			Optional:    true,
+			Description: "The ARN of the role to assume when managing the static role. This is required for cross-account role management. ",
+		},
+		consts.FieldAssumeRoleSessionName: {
+			Type:        schema.TypeString,
+			Optional:    true,
+			Description: "Session name to use when assuming the role.",
+		},
+		consts.FieldExternalID: {
+			Type:        schema.TypeString,
+			Optional:    true,
+			Description: "External ID to use when assuming the role.",
+		},
 	}
 	return &schema.Resource{
 		CreateContext: provider.MountCreateContextWrapper(createUpdateAWSStaticRoleResource, provider.VaultVersion114),
@@ -72,6 +87,12 @@ var awsSecretBackendStaticRoleFields = []string{
 	consts.FieldRotationPeriod,
 }
 
+var awsSecretBackendStaticAssumeRoleFields = []string{
+	consts.FieldAssumeRoleArn,
+	consts.FieldAssumeRoleSessionName,
+	consts.FieldExternalID,
+}
+
 // createUpdateAWSStaticRoleResources upserts an aws static-role to our vault instance.
 func createUpdateAWSStaticRoleResource(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	client, err := provider.GetClient(d, meta)
@@ -90,6 +111,15 @@ func createUpdateAWSStaticRoleResource(ctx context.Context, d *schema.ResourceDa
 		}
 	}
 
+	useAPIVer119Ent := provider.IsAPISupported(meta, provider.VaultVersion119) && provider.IsEnterpriseSupported(meta)
+	if useAPIVer119Ent {
+		for _, field := range awsSecretBackendStaticAssumeRoleFields {
+			if v, ok := d.GetOk(field); ok {
+				data[field] = v
+			}
+		}
+	}
+
 	if _, err := client.Logical().WriteWithContext(ctx, rolePath, data); err != nil {
 		return diag.FromErr(fmt.Errorf("error writing %q: %s", rolePath, err))
 	}
@@ -135,6 +165,17 @@ func readAWSStaticRoleResource(ctx context.Context, d *schema.ResourceData, meta
 		}
 	}
 
+	useAPIVer119Ent := provider.IsAPISupported(meta, provider.VaultVersion119) && provider.IsEnterpriseSupported(meta)
+	if useAPIVer119Ent {
+		for _, field := range awsSecretBackendStaticAssumeRoleFields {
+			if val, ok := resp.Data[field]; ok {
+				if err := d.Set(field, val); err != nil {
+					return diag.FromErr(fmt.Errorf("error setting state key '%s': %s", field, err))
+				}
+			}
+		}
+	}
+
 	return nil
 }
 

@@ -28,7 +28,7 @@ func TestAccAWSSecretBackendStaticRole(t *testing.T) {
 		ProviderFactories: providerFactories,
 		Steps: []resource.TestStep{
 			{
-				Config: testAWSStaticReourceConfig(mount, a, s, username),
+				Config: testAWSStaticResourceConfig(mount, a, s, username),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr(resourceName, consts.FieldName, "test"),
 					resource.TestCheckResourceAttr(resourceName, consts.FieldUsername, "vault-static-roles-test"),
@@ -40,6 +40,35 @@ func TestAccAWSSecretBackendStaticRole(t *testing.T) {
 	})
 }
 
+func TestAccAWSSecretBackendStaticAssumeRole(t *testing.T) {
+	mount := acctest.RandomWithPrefix("tf-aws-static")
+	a, s := testutil.GetTestAWSCreds(t)
+	resourceName := "vault_aws_secret_backend_static_role.role"
+	username := testutil.SkipTestEnvUnset(t, "AWS_STATIC_USER")[0]
+
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testutil.TestEntPreCheck(t)
+			SkipIfAPIVersionLT(t, testProvider.Meta(), provider.VaultVersion119)
+		},
+		ProviderFactories: providerFactories,
+		Steps: []resource.TestStep{
+			{
+				Config: testAWSStaticAssumeResourceConfig(mount, a, s, username),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, consts.FieldName, "test"),
+					resource.TestCheckResourceAttr(resourceName, consts.FieldUsername, "VaultEcoTestUserTwo"),
+					resource.TestCheckResourceAttr(resourceName, consts.FieldRotationPeriod, "3600"),
+					resource.TestCheckResourceAttr(resourceName, consts.FieldAssumeRoleArn, "arn:aws:iam::501359222269:role/VaultEcoTestUserTwo"),
+					resource.TestCheckResourceAttr(resourceName, consts.FieldAssumeRoleSessionName, "test-session"),
+					resource.TestCheckResourceAttr(resourceName, consts.FieldExternalID, "test-external-id"),
+				),
+			},
+			testutil.GetImportTestStep(resourceName, false, nil),
+		},
+	})
+}
+
 // TestAWSPathMatching tests the regular expression (and supporting function) that parses paths into backends and role names
 func TestAWSPathMatching(t *testing.T) {
 	cases := []struct {
@@ -124,6 +153,30 @@ resource "vault_aws_secret_backend_static_role" "role" {
   rotation_period = "3600"
 }`
 
-func testAWSStaticReourceConfig(mount, access, secret, username string) string {
+const testAWSStaticAssumeResource = `
+resource "vault_aws_secret_backend" "aws" {
+  path = "%s"
+  description = "Obtain AWS credentials." 
+  iam_endpoint="https://iam.amazonaws.com" 
+  sts_endpoint="https://sts.amazonaws.com" 
+  access_key = "%s"
+  secret_key = "%s"
+}
+
+resource "vault_aws_secret_backend_static_role" "role" {
+  backend = vault_aws_secret_backend.aws.path
+  name = "test"
+  username = "%s"
+  assume_role_arn = "arn:aws:iam::501359222269:role/VaultEcoTestUserTwo"
+  assume_role_session_name = "test-session"
+  external_id = "test-external-id"
+  rotation_period = "3600"
+}`
+
+func testAWSStaticResourceConfig(mount, access, secret, username string) string {
 	return fmt.Sprintf(testAWSStaticResource, mount, access, secret, username)
 }
+
+func testAWSStaticAssumeResourceConfig(mount, access, secret, username string) string {
+	return fmt.Sprintf(testAWSStaticAssumeResource, mount, access, secret, username)
+}
@@ -34,6 +34,24 @@ resource "vault_aws_secret_backend_static_role" "role" {
 }
 ```
 
+```hcl
+
+resource "vault_aws_secret_backend" "aws" {
+  path = "my-aws"
+  description = "Obtain AWS credentials."
+}
+
+resource "vault_aws_secret_backend_static_role" "assume-role" {
+  backend = vault_aws_secret_backend.aws.path
+  name = "assume-role-test"
+  username = "my-assume-role-user"
+  assume_role_arn = "arn:aws:iam::123456789012:role/assume-role"
+  assume_role_session_name = "assume-role-session"
+  external_id = "test-id"
+  rotation_period = "3600"
+}
+```
+
 ## Argument Reference
 
 The following arguments are supported:
@@ -53,6 +71,18 @@ The following arguments are supported:
 
 * `rotation_period` - (Required) How often Vault should rotate the password of the user entry.
 
+* `assume_role_arn` - (Optional) Specifies the ARN of the role that Vault should assume.
+  When provided, Vault will use AWS STS to assume this role and generate temporary credentials.
+  If `assume_role_arn` is provided, `assume_role_session_name` must also be provided.
+  Requires Vault 1.19+. *Available only for Vault Enterprise*.
+
+* `assume_role_session_name` - (Optional) Specifies the session name to use when assuming the role.
+  If `assume_role_session_name` is provided, `assume_role_arn` must also be provided.
+    Requires Vault 1.19+. *Available only for Vault Enterprise*.
+
+* `external_id` - (Optional) Specifies the external ID to use when assuming the role.
+  Requires Vault 1.19+. *Available only for Vault Enterprise*.
+
 ## Attributes Reference
 
 No additional attributes are exported by this resource.