From e44c2d46eafd5f223ac246eb003bc6b3427b3374 Mon Sep 17 00:00:00 2001
From: Jim Sheldon <jim.sheldon@meltwater.com>
Date: Fri, 17 Sep 2021 15:33:05 -0400
Subject: [PATCH] adding support for externalId

---
 cmd/drone-ecr/main.go | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/cmd/drone-ecr/main.go b/cmd/drone-ecr/main.go
index 9de37a1..07450c3 100644
--- a/cmd/drone-ecr/main.go
+++ b/cmd/drone-ecr/main.go
@@ -37,6 +37,7 @@ func main() {
 		lifecyclePolicy  = getenv("PLUGIN_LIFECYCLE_POLICY")
 		repositoryPolicy = getenv("PLUGIN_REPOSITORY_POLICY")
 		assumeRole       = getenv("PLUGIN_ASSUME_ROLE")
+		externalId       = getenv("PLUGIN_EXTERNAL_ID")
 		scanOnPush       = parseBoolOrDefault(false, getenv("PLUGIN_SCAN_ON_PUSH"))
 	)
 
@@ -57,7 +58,7 @@ func main() {
 		log.Fatal(fmt.Sprintf("error creating aws session: %v", err))
 	}
 
-	svc := getECRClient(sess, assumeRole)
+	svc := getECRClient(sess, assumeRole, externalId)
 	username, password, defaultRegistry, err := getAuthInfo(svc)
 
 	if registry == "" {
@@ -208,11 +209,19 @@ func getenv(key ...string) (s string) {
 	return
 }
 
-func getECRClient(sess *session.Session, role string) *ecr.ECR {
+func getECRClient(sess *session.Session, role string, externalId string) *ecr.ECR {
 	if role == "" {
 		return ecr.New(sess)
 	}
-	return ecr.New(sess, &aws.Config{
-		Credentials: stscreds.NewCredentials(sess, role),
-	})
+	if externalId != "" {
+		return ecr.New(sess, &aws.Config{
+			Credentials: stscreds.NewCredentials(sess, role, func(p *stscreds.AssumeRoleProvider) {
+				p.ExternalID = &externalId
+			}),
+		})
+	} else {
+		return ecr.New(sess, &aws.Config{
+			Credentials: stscreds.NewCredentials(sess, role),
+		})
+	}
 }