Add parameter SourceIdentity

The parameter `SourceIdentity` can be used to track the original principal that was used when assuming IAM roles. It can be set only once during a session and is also preserved if you do IAM role chaining.

Author: wlami

credentials.go

@@ -193,7 +193,7 @@ func webIdentityCredentialsProvider(ctx context.Context, awsConfig aws.Config, c
 func assumeRoleCredentialsProvider(ctx context.Context, awsConfig aws.Config, c *Config) (aws.CredentialsProvider, error) {
 	ar := c.AssumeRole
 	// When assuming a role, we need to first authenticate the base credentials above, then assume the desired role
-	log.Printf("[INFO] Assuming IAM Role %q (SessionName: %q, ExternalId: %q)", ar.RoleARN, ar.SessionName, ar.ExternalID)
+	log.Printf("[INFO] Assuming IAM Role %q (SessionName: %q, ExternalId: %q, SourceIdentity: %q)", ar.RoleARN, ar.SessionName, ar.ExternalID, ar.SourceIdentity)
 
 	client := stsClient(awsConfig, c)
 
@@ -229,6 +229,10 @@ func assumeRoleCredentialsProvider(ctx context.Context, awsConfig aws.Config, c
 		if len(ar.TransitiveTagKeys) > 0 {
 			opts.TransitiveTagKeys = ar.TransitiveTagKeys
 		}
+
+		if ar.SourceIdentity != "" {
+			opts.SourceIdentity = aws.String(ar.SourceIdentity)
+		}
 	})
 	_, err := appCreds.Retrieve(ctx)
 	if err != nil {

internal/config/config.go

@@ -48,6 +48,7 @@ type AssumeRole struct {
 	Policy            string
 	PolicyARNs        []string
 	SessionName       string
+	SourceIdentity    string
 	Tags              map[string]string
 	TransitiveTagKeys []string
 }