in signer/msk_auth_token_provider.go [149:180]
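// loadCredentialsFromRoleArn assumes roleArn through STS and returns the
// temporary credentials that STS issued.
//
// region is handed to config.WithRegion when the default SDK config is loaded.
// stsSessionName is sent as RoleSessionName. externalId is sent as ExternalId
// only when non-empty; for roles trusted to a third-party account the external
// ID is the trust policy's defence against the confused-deputy problem, so
// callers dealing with such roles should always supply one.
//
// The returned credentials are short-lived. Their expiry is copied from the
// STS response (CanExpire/Expires) so that anything caching the result can
// refresh before the credentials lapse instead of treating them as permanent.
//
// Errors from loading the SDK config, from the AssumeRole call, and from an
// STS response missing any credential field are wrapped and returned.
func loadCredentialsFromRoleArn(
	ctx context.Context, region string, roleArn string, stsSessionName string, externalId string,
) (*aws.Credentials, error) {
	cfg, err := config.LoadDefaultConfig(ctx, config.WithRegion(region))
	if err != nil {
		return nil, fmt.Errorf("unable to load SDK config: %w", err)
	}

	input := &sts.AssumeRoleInput{
		RoleArn:         aws.String(roleArn),
		RoleSessionName: aws.String(stsSessionName),
	}
	if externalId != "" {
		input.ExternalId = aws.String(externalId)
	}

	out, err := sts.NewFromConfig(cfg).AssumeRole(ctx, input)
	if err != nil {
		return nil, fmt.Errorf("unable to assume role, %s: %w", roleArn, err)
	}

	// Check every pointer before dereferencing: a nil Credentials block or
	// field would otherwise panic here instead of surfacing as a clean error.
	c := out.Credentials
	if c == nil || c.AccessKeyId == nil || c.SecretAccessKey == nil || c.SessionToken == nil {
		return nil, fmt.Errorf("assume role %s returned incomplete credentials", roleArn)
	}

	creds := aws.Credentials{
		AccessKeyID:     *c.AccessKeyId,
		SecretAccessKey: *c.SecretAccessKey,
		SessionToken:    *c.SessionToken,
	}
	// Propagate the STS expiry so callers do not hold on to lapsed credentials.
	if c.Expiration != nil {
		creds.CanExpire = true
		creds.Expires = *c.Expiration
	}
	return &creds, nil
}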