(custom-resource): Support external IDs when assuming a role

[crowecawcaw]

Describe the feature

When using the AwsCustomeResource construct, it's possible to pass in a role to be assumed while making the SDK call in order to support cross-account use cases. When assuming a role, STS also support passing in an externalId as a confused deputy control. See these docs for more context. The AwsCustomeResource construct should accept and use an optional external ID when assuming roles.

Use Case

Assuming a role in another account which requires an external ID.

Proposed Solution

I raised a PR to implement the change which I think is straightforward. I couldn't get the integ tests to pass after a couple hours of trying though, so I'm going to move on: https://github.com/aws/aws-cdk/pull/13916/files

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CDK version used

2.187

Environment details (OS name and version, etc.)

n/a

[pahud]

Hi @crowecawcaw,

Thanks for raising this feature request and for even attempting a PR (#13916)! Adding support for ExternalId when assuming a role via AwsCustomResource is a valuable suggestion for enhancing security, particularly in cross-account scenarios.

You're correct that using an ExternalId is a best practice recommended by IAM to mitigate the "confused deputy" problem (AWS Docs Reference). It ensures that only the intended principal, possessing the correct external ID, can assume the role.

Based on our initial analysis (and confirming your findings), implementing this requires changes in two main places:

1. AwsSdkCall Interface: The interface within the @aws-cdk/aws-custom-resources module (aws-custom-resource.ts) needs to be updated to include an optional externalId property.
2. Lambda Handler: The underlying Lambda function handler within the @aws-cdk/custom-resource-handlers package (utils.ts, specifically the getCredentials function) needs to be modified to read this externalId and include it in the parameters for the sts:AssumeRole call made via fromTemporaryCredentials.

We've marked this issue as a p1 feature-request and added it to our backlog for consideration. While I can't provide a specific timeline for implementation right now, we recognize the security benefit this provides.

We'll keep this issue updated with any progress. Thanks again for contributing!