aws · ashishdhingra · Jun 4, 2024 · Jun 3, 2024
diff --git a/extensions/src/AWSSDK.Extensions.NETCore.Setup/AWSOptions.cs b/extensions/src/AWSSDK.Extensions.NETCore.Setup/AWSOptions.cs
@@ -59,6 +59,11 @@ public class AWSOptions
         /// </summary>
         public string SessionName { get; set; } = "DefaultSessionName";
 
+        /// <summary>
+        /// A unique identifier that is used by third parties for the assumed session using the SessionRoleArn.
+        /// </summary>
+        public string ExternalId { get; set; }
+
         /// <summary>
         /// AWS Credentials used for creating service clients. If this is set it overrides the Profile property.
         /// </summary>

diff --git a/extensions/src/AWSSDK.Extensions.NETCore.Setup/AWSSDK.Extensions.NETCore.Setup.nuspec b/extensions/src/AWSSDK.Extensions.NETCore.Setup/AWSSDK.Extensions.NETCore.Setup.nuspec
@@ -3,7 +3,7 @@
   <metadata> 
     <id>AWSSDK.Extensions.NETCore.Setup</id>
     <title>AWSSDK - Extensions for NETCore Setup</title>
-    <version>3.7.300</version>
+    <version>3.7.301</version>
     <authors>Amazon Web Services</authors>
     <description>Extensions for the AWS SDK for .NET to integrate with .NET Core configuration and dependency injection frameworks.</description>
     <language>en-US</language>

diff --git a/extensions/src/AWSSDK.Extensions.NETCore.Setup/ClientFactory.cs b/extensions/src/AWSSDK.Extensions.NETCore.Setup/ClientFactory.cs
@@ -86,7 +86,14 @@ internal static IAmazonService CreateServiceClient(ILogger logger, Type serviceI
 
             if (!string.IsNullOrEmpty(options?.SessionRoleArn))
             {
-                credentials = new AssumeRoleAWSCredentials(credentials, options.SessionRoleArn, options.SessionName);
+                if (string.IsNullOrEmpty(options?.ExternalId))
+                {
+                    credentials = new AssumeRoleAWSCredentials(credentials, options.SessionRoleArn, options.SessionName);
+                }
+                else
+                {
+                    credentials = new AssumeRoleAWSCredentials(credentials, options.SessionRoleArn, options.SessionName, new AssumeRoleAWSCredentialsOptions() { ExternalId = options.ExternalId });
+                }
             }
 
             var config = CreateConfig(serviceInterfaceType, options);

diff --git a/extensions/src/AWSSDK.Extensions.NETCore.Setup/ConfigurationExtensions.cs b/extensions/src/AWSSDK.Extensions.NETCore.Setup/ConfigurationExtensions.cs
@@ -183,6 +183,11 @@ public static AWSOptions GetAWSOptions(this IConfiguration config, string config
                 options.SessionName = section["SessionName"];
             }
 
+            if (!string.IsNullOrEmpty(section["ExternalId"]))
+            {
+                options.ExternalId = section["ExternalId"];
+            }
+
             var loggingSection = section.GetSection("Logging");
             if(loggingSection != null)
             {

diff --git a/extensions/test/NETCore.SetupTests/ConfigurationTests.cs b/extensions/test/NETCore.SetupTests/ConfigurationTests.cs
@@ -49,6 +49,7 @@ public void GetRoleNameAndSessionName()
             Assert.Equal(RegionEndpoint.USWest2, options.Region);
             Assert.Equal("arn:aws:iam::123456789012:role/fake_role", options.SessionRoleArn);
             Assert.Equal("TestSessionName", options.SessionName);
+            Assert.Equal("TestExternalId", options.ExternalId);
 
             IAmazonS3 client = options.CreateServiceClient<IAmazonS3>();
             Assert.NotNull(client);

diff --git a/extensions/test/NETCore.SetupTests/TestFiles/GetRoleNameAndSessionNameTest.json b/extensions/test/NETCore.SetupTests/TestFiles/GetRoleNameAndSessionNameTest.json
@@ -2,6 +2,7 @@
   "AWS": {
     "SessionRoleArn": "arn:aws:iam::123456789012:role/fake_role",
     "SessionName": "TestSessionName",
+    "ExternalId":  "TestExternalId",
     "Region": "us-west-2"
   }
 }