Implement configuration assume role duration, policy ARNs, tags, and …

…transitive tag keys (#39)

* deps: Update github.com/aws/aws-sdk-go@v1.31.9

To ensure we have all the latest and greatest STS features and prevent any confusion over the AWS Go SDK version minimum in this libary.

Updated via:

```
go get github.com/aws/aws-sdk-go@v1.31.9
go mod tidy
```

* Implement assume role duration, policy ARNs, tags, and transitive tag keys support

Reference: hashicorp/aws-sdk-go-base#11
Reference: hashicorp/aws-sdk-go-base#21
Reference: hashicorp/aws-sdk-go-base#34

* mock: Support EC2 Instance Metadata Service v2 /api/token endpoint

Otherwise, the updated AWS Go SDK EC2 Metadata client would return errors against the mock server.

```
=== RUN   TestGetSession/EC2_metadata_access_key
2020/06/02 19:07:53 [INFO] Attempting to use session-derived credentials
2020/06/02 19:07:53 [INFO] Setting custom EC2 metadata endpoint: http://127.0.0.1:60498/latest
2020/06/02 19:07:53 [DEBUG] Mock EC2 metadata server received request: /latest/api/token
2020/06/02 19:07:53 [DEBUG] Mock EC2 metadata server received request: /latest/api/token
2020/06/02 19:07:53 [DEBUG] Mock EC2 metadata server received request: /latest/api/token
2020/06/02 19:07:53 [INFO] Attempting to use metadata-derived credentials
2020/06/02 19:07:53 [INFO] Setting AWS metadata API timeout to 100ms
2020/06/02 19:07:53 [INFO] Setting custom metadata endpoint: "http://127.0.0.1:60498/latest"
2020/06/02 19:07:53 [DEBUG] Mock EC2 metadata server received request: /latest/api/token
2020/06/02 19:07:53 [DEBUG] Mock EC2 metadata server received request: /latest/api/token
2020/06/02 19:07:53 [DEBUG] Mock EC2 metadata server received request: /latest/api/token
2020/06/02 19:07:53 [DEBUG] Mock EC2 metadata server received request: /latest/api/token
2020/06/02 19:07:53 [INFO] Ignoring AWS metadata API endpoint at http://127.0.0.1:60498/latest as it doesn't return any instance-id
    TestGetSession/EC2_metadata_access_key: session_test.go:1013: expected no error, got error: No valid credential sources found for AWS Provider.
        	Please see https://terraform.io/docs/providers/aws/index.html for more information on
        	providing credentials for the AWS Provider
```

awsauth.go

@@ -342,8 +342,8 @@ func GetCredentials(c *Config) (*awsCredentials.Credentials, error) {
 
 	// Otherwise we need to construct an STS client with the main credentials, and verify
 	// that we can assume the defined role.
-	log.Printf("[INFO] Attempting to AssumeRole %s (SessionName: %q, ExternalId: %q, Policy: %q)",
-		c.AssumeRoleARN, c.AssumeRoleSessionName, c.AssumeRoleExternalID, c.AssumeRolePolicy)
+	log.Printf("[INFO] Attempting to AssumeRole %s (SessionName: %q, ExternalId: %q)",
+		c.AssumeRoleARN, c.AssumeRoleSessionName, c.AssumeRoleExternalID)
 
 	awsConfig := &aws.Config{
 		Credentials:      creds,
@@ -364,16 +364,54 @@ func GetCredentials(c *Config) (*awsCredentials.Credentials, error) {
 		Client:  stsclient,
 		RoleARN: c.AssumeRoleARN,
 	}
-	if c.AssumeRoleSessionName != "" {
-		assumeRoleProvider.RoleSessionName = c.AssumeRoleSessionName
+
+	if c.AssumeRoleDurationSeconds > 0 {
+		assumeRoleProvider.Duration = time.Duration(c.AssumeRoleDurationSeconds) * time.Second
 	}
+
 	if c.AssumeRoleExternalID != "" {
 		assumeRoleProvider.ExternalID = aws.String(c.AssumeRoleExternalID)
 	}
+
 	if c.AssumeRolePolicy != "" {
 		assumeRoleProvider.Policy = aws.String(c.AssumeRolePolicy)
 	}
 
+	if len(c.AssumeRolePolicyARNs) > 0 {
+		var policyDescriptorTypes []*sts.PolicyDescriptorType
+
+		for _, policyARN := range c.AssumeRolePolicyARNs {
+			policyDescriptorType := &sts.PolicyDescriptorType{
+				Arn: aws.String(policyARN),
+			}
+			policyDescriptorTypes = append(policyDescriptorTypes, policyDescriptorType)
+		}
+
+		assumeRoleProvider.PolicyArns = policyDescriptorTypes
+	}
+
+	if c.AssumeRoleSessionName != "" {
+		assumeRoleProvider.RoleSessionName = c.AssumeRoleSessionName
+	}
+
+	if len(c.AssumeRoleTags) > 0 {
+		var tags []*sts.Tag
+
+		for k, v := range c.AssumeRoleTags {
+			tag := &sts.Tag{
+				Key:   aws.String(k),
+				Value: aws.String(v),
+			}
+			tags = append(tags, tag)
+		}
+
+		assumeRoleProvider.Tags = tags
+	}
+
+	if len(c.AssumeRoleTransitiveTagKeys) > 0 {
+		assumeRoleProvider.TransitiveTagKeys = aws.StringSlice(c.AssumeRoleTransitiveTagKeys)
+	}
+
 	providers = []awsCredentials.Provider{assumeRoleProvider}
 
 	assumeRoleCreds := awsCredentials.NewChainCredentials(providers)

config.go

@@ -1,25 +1,29 @@
 package awsbase
 
 type Config struct {
-	AccessKey               string
-	AssumeRoleARN           string
-	AssumeRoleExternalID    string
-	AssumeRolePolicy        string
-	AssumeRoleSessionName   string
-	CredsFilename           string
-	DebugLogging            bool
-	IamEndpoint             string
-	Insecure                bool
-	MaxRetries              int
-	Profile                 string
-	Region                  string
-	SecretKey               string
-	SkipCredsValidation     bool
-	SkipMetadataApiCheck    bool
-	SkipRequestingAccountId bool
-	StsEndpoint             string
-	Token                   string
-	UserAgentProducts       []*UserAgentProduct
+	AccessKey                   string
+	AssumeRoleARN               string
+	AssumeRoleDurationSeconds   int
+	AssumeRoleExternalID        string
+	AssumeRolePolicy            string
+	AssumeRolePolicyARNs        []string
+	AssumeRoleSessionName       string
+	AssumeRoleTags              map[string]string
+	AssumeRoleTransitiveTagKeys []string
+	CredsFilename               string
+	DebugLogging                bool
+	IamEndpoint                 string
+	Insecure                    bool
+	MaxRetries                  int
+	Profile                     string
+	Region                      string
+	SecretKey                   string
+	SkipCredsValidation         bool
+	SkipMetadataApiCheck        bool
+	SkipRequestingAccountId     bool
+	StsEndpoint                 string
+	Token                       string
+	UserAgentProducts           []*UserAgentProduct
 }
 
 type UserAgentProduct struct {

go.mod

@@ -1,13 +1,10 @@
 module github.com/hashicorp/aws-sdk-go-base
 
 require (
-	github.com/aws/aws-sdk-go v1.25.3
+	github.com/aws/aws-sdk-go v1.31.9
 	github.com/hashicorp/go-cleanhttp v0.5.0
 	github.com/hashicorp/go-multierror v1.0.0
 	github.com/mitchellh/go-homedir v1.1.0
-	github.com/stretchr/testify v1.3.0 // indirect
-	golang.org/x/net v0.0.0-20190213061140-3a22650c66bd // indirect
-	golang.org/x/text v0.3.0 // indirect
 )
 
 go 1.13

go.sum

@@ -1,23 +1,31 @@
-github.com/aws/aws-sdk-go v1.25.3 h1:uM16hIw9BotjZKMZlX05SN2EFtaWfi/NonPKIARiBLQ=
-github.com/aws/aws-sdk-go v1.25.3/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
+github.com/aws/aws-sdk-go v1.31.9 h1:n+b34ydVfgC30j0Qm69yaapmjejQPW2BoDBX7Uy/tLI=
+github.com/aws/aws-sdk-go v1.31.9/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
 github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-cleanhttp v0.5.0 h1:wvCrVc9TjDls6+YGAF2hAifE1E5U1+b4tH6KdvN3Gig=
 github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
 github.com/hashicorp/go-multierror v1.0.0 h1:iVjPR7a6H0tWELX5NxNe7bYopibicUzc7uPribsnS6o=
 github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
-github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM=
-github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
+github.com/jmespath/go-jmespath v0.3.0 h1:OS12ieG61fsCg5+qLJ+SsW9NicxNkg3b25OyT2yCeUc=
+github.com/jmespath/go-jmespath v0.3.0/go.mod h1:9QtRXoHjLGCJ5IBSaohpXITPlowMeeYCZ7fLUTSywik=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
-github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-golang.org/x/net v0.0.0-20190213061140-3a22650c66bd h1:HuTn7WObtcDo9uEEU7rEqL0jYthdXAmZ6PP+meazmaU=
-golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4=
+github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/net v0.0.0-20200202094626-16171245cfb2 h1:CCH4IOTTfewWjGOlSp+zGcjutRKlBEZQ6wTn8ozI/nI=
+golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

mock.go

@@ -143,6 +143,10 @@ var ec2metadata_instanceIdEndpoint = &MetadataResponse{
 }
 
 var ec2metadata_securityCredentialsEndpoints = []*MetadataResponse{
+	{
+		Uri:  "/latest/api/token",
+		Body: "Ec2MetadataApiToken",
+	},
 	{
 		Uri:  "/latest/meta-data/iam/security-credentials/",
 		Body: "test_role",