From a6bfb107f6acb33b6612d08dde56bfc1dde7d625 Mon Sep 17 00:00:00 2001
From: Thomas Kappler <tkappler@pulumi.com>
Date: Sun, 3 Dec 2023 08:05:40 +0100
Subject: [PATCH] Add assumeRoleWithWebIdentity to creds validation #2252

---
 provider/resources.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/provider/resources.go b/provider/resources.go
index bc94d04de69..3e0d0141e00 100644
--- a/provider/resources.go
+++ b/provider/resources.go
@@ -558,7 +558,18 @@ func validateCredentials(vars resource.PropertyMap, c shim.ResourceConfig) error
 			SessionName: stringValue(details.ObjectValue(), "sessionName", []string{}),
 		}
 		config.AssumeRole = &assumeRole
+	}
 
+	if details, ok := vars["assumeRoleWithWebIdentity"]; ok {
+		assumeRole := awsbase.AssumeRoleWithWebIdentity{
+			RoleARN:              stringValue(details.ObjectValue(), "roleArn", []string{}),
+			Policy:               stringValue(details.ObjectValue(), "policy", []string{}),
+			PolicyARNs:           arrayValue(details.ObjectValue(), "policyArns", []string{}),
+			SessionName:          stringValue(details.ObjectValue(), "sessionName", []string{}),
+			WebIdentityToken:     stringValue(details.ObjectValue(), "webIdentityToken", []string{}),
+			WebIdentityTokenFile: stringValue(details.ObjectValue(), "webIdentityTokenFile", []string{}),
+		}
+		config.AssumeRoleWithWebIdentity = &assumeRole
 	}
 
 	// By default `skipMetadataApiCheck` is true for Pulumi to speed operations