Merge remote-tracking branch 'upstream/main' into cel/okta_oauth2

CHANGELOG.next.asciidoc

@@ -155,6 +155,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Mark `translate_sid` processor is GA. {issue}36279[36279] {pull}36280[36280]
 - dns processor: Add support for forward lookups (`A`, `AAAA`, and `TXT`). {issue}11416[11416] {pull}36394[36394]
 - Mark `syslog` processor as GA, improve docs about how processor handles syslog messages. {issue}36416[36416] {pull}36417[36417]
+- Add support for AWS external IDs. {issue}36321[36321] {pull}36322[36322]
 
 *Auditbeat*
 

filebeat/docs/modules/aws.asciidoc

@@ -36,6 +36,9 @@ The `aws` module requires AWS credentials configuration in order to make AWS API
 Users can either use `access_key_id`, `secret_access_key` and/or
 `session_token`, or use `role_arn` AWS IAM role, or use shared AWS credentials file.
 
+Users may use `external_id` to support assuming a role in another account, see
+https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html[the AWS documentation for use of external IDs].
+
 Please see <<aws-credentials-options,AWS credentials options>> for more details.
 
 include::../include/gs-link.asciidoc[]

x-pack/filebeat/module/aws/_meta/docs.asciidoc

@@ -29,6 +29,9 @@ The `aws` module requires AWS credentials configuration in order to make AWS API
 Users can either use `access_key_id`, `secret_access_key` and/or
 `session_token`, or use `role_arn` AWS IAM role, or use shared AWS credentials file.
 
+Users may use `external_id` to support assuming a role in another account, see
+https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html[the AWS documentation for use of external IDs].
+
 Please see <<aws-credentials-options,AWS credentials options>> for more details.
 
 include::../include/gs-link.asciidoc[]

x-pack/libbeat/common/aws/credentials.go

@@ -39,6 +39,7 @@ type ConfigAWS struct {
 	SharedCredentialFile string            `config:"shared_credential_file"`
 	Endpoint             string            `config:"endpoint"`
 	RoleArn              string            `config:"role_arn"`
+	ExternalID           string            `config:"external_id"`
 	ProxyUrl             string            `config:"proxy_url"`
 	FIPSEnabled          bool              `config:"fips_enabled"`
 	TLS                  *tlscommon.Config `config:"ssl" yaml:"ssl,omitempty" json:"ssl,omitempty"`
@@ -149,7 +150,11 @@ func addAssumeRoleProviderToAwsConfig(config ConfigAWS, awsConfig *awssdk.Config
 	logger := logp.NewLogger("addAssumeRoleProviderToAwsConfig")
 	logger.Debug("Switching credentials provider to AssumeRoleProvider")
 	stsSvc := sts.NewFromConfig(*awsConfig)
-	stsCredProvider := stscreds.NewAssumeRoleProvider(stsSvc, config.RoleArn)
+	stsCredProvider := stscreds.NewAssumeRoleProvider(stsSvc, config.RoleArn, func(aro *stscreds.AssumeRoleOptions) {
+		if config.ExternalID != "" {
+			aro.ExternalID = awssdk.String(config.ExternalID)
+		}
+	})
 	awsConfig.Credentials = stsCredProvider
 }
 

x-pack/libbeat/docs/aws-credentials-config.asciidoc

@@ -10,6 +10,7 @@ To configure AWS credentials, either put the credentials into the {beatname_uc}
 * *credential_profile_name*: profile name in shared credentials file.
 * *shared_credential_file*: directory of the shared credentials file.
 * *role_arn*: AWS IAM Role to assume.
+* *external_id*: external ID to use when assuming a role in another account, see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html[the AWS documentation for use of external IDs].
 * *proxy_url*: URL of the proxy to use to connect to AWS web services. The syntax is `http(s)://<IP/Hostname>:<port>`
 * *fips_enabled*: Enabling this option instructs {beatname_uc} to use the FIPS endpoint of a service. All services used by {beatname_uc} are FIPS compatible except for `tagging` but only certain regions are FIPS compatible. See https://aws.amazon.com/compliance/fips/ or the appropriate service page, https://docs.aws.amazon.com/general/latest/gr/aws-service-information.html, for a full list of FIPS endpoints and regions.
 * *ssl*: This specifies SSL/TLS configuration. If the ssl section is missing, the host's CAs are used for HTTPS connections. See <<configuration-ssl>> for more information.