
feat(aws-sqs): Add external ID support for cross-account access#6916

Merged
JorTurFer merged 12 commits intokedacore:mainfrom
tangobango5:feature/aws-sqs-external-id-support
May 3, 2026

Conversation

@tangobango5 (Contributor) commented Jul 18, 2025

This commit adds support for external ID in the AWS SQS scaler to enable secure cross-account access scenarios. External ID is now parsed from TriggerAuthentication and passed to STS AssumeRole operations.

Changes:

  • Add AwsExternalID field to AuthorizationMetadata struct
  • Update GetAwsAuthorization to parse external ID from auth parameters
  • Modify cache key generation to include external ID
  • Update AssumeRole providers to use external ID when available
  • Add comprehensive test coverage for external ID scenarios

The external ID is only used with AssumeRole operations and maintains backward compatibility with existing configurations.

Fixes #6921
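The description above says the external ID is passed to STS AssumeRole; what actually enforces it is the sts:ExternalId condition in the trust policy of the role being assumed. The following Go program is an added example written for this page, not code from KEDA or from AWS: it models a trust policy with and without that condition and a minimal stand-in for the STS AssumeRole decision, so the deny/allow behaviour can be seen offline. The account IDs, role names and external ID value are constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// trustStatement is a deliberately minimal model of one statement in an IAM
// role trust policy: only the fields needed to evaluate an sts:ExternalId
// condition are kept (real policies allow lists and more operators).
type trustStatement struct {
	Effect    string `json:"Effect"`
	Principal struct {
		AWS string `json:"AWS"`
	} `json:"Principal"`
	Action    string `json:"Action"`
	Condition struct {
		StringEquals map[string]string `json:"StringEquals"`
	} `json:"Condition"`
}

type trustPolicy struct {
	Statement []trustStatement `json:"Statement"`
}

// sampleTrustPolicy is a constructed trust policy for a role in the target
// account. It trusts the KEDA operator role in account 111111111111 only
// when the AssumeRole call carries the agreed external ID.
const sampleTrustPolicy = `{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:role/keda-operator"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "keda-tenant-42"}}
  }]
}`

// openTrustPolicy is the same trust relationship without the condition:
// whoever can get the trusted principal to call AssumeRole on their behalf
// (the confused deputy) obtains the role's credentials.
const openTrustPolicy = `{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:role/keda-operator"},
    "Action": "sts:AssumeRole"
  }]
}`

var errAccessDenied = errors.New("AccessDenied: not authorized to perform sts:AssumeRole")

// assumeRole mimics the STS decision for AssumeRole on a role whose trust
// policy is policyJSON. callerArn is the principal making the call and
// externalID is the ExternalId request parameter ("" when omitted).
// It returns nil when the call would be allowed.
func assumeRole(policyJSON, callerArn, externalID string) error {
	var p trustPolicy
	if err := json.Unmarshal([]byte(policyJSON), &p); err != nil {
		return fmt.Errorf("parse trust policy: %w", err)
	}
	for _, s := range p.Statement {
		if s.Effect != "Allow" || s.Action != "sts:AssumeRole" || s.Principal.AWS != callerArn {
			continue
		}
		// sts:ExternalId is compared as an exact string. A statement with
		// no such condition accepts any external ID, including none.
		if want, ok := s.Condition.StringEquals["sts:ExternalId"]; ok && want != externalID {
			continue
		}
		return nil
	}
	return errAccessDenied
}

func main() {
	keda := "arn:aws:iam::111111111111:role/keda-operator"
	for _, ext := range []string{"keda-tenant-42", "", "keda-tenant-43"} {
		fmt.Printf("conditioned policy, external ID %q: %v\n", ext, assumeRole(sampleTrustPolicy, keda, ext))
	}
	fmt.Printf("open policy, no external ID: %v\n", assumeRole(openTrustPolicy, keda, ""))
}
```

The external ID is not a secret in the cryptographic sense (it travels in the API call), but it is only useful if the operator passes it on every AssumeRole, which is exactly what this PR wires up.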

@tangobango5 force-pushed the feature/aws-sqs-external-id-support branch 4 times, most recently from 7ddacbe to 2d88723 on July 21, 2025 09:47
@JorTurFer (Member) left a comment

Awesome improvement! ❤️
As this is part of pod identity (IRSA role assumption), WDYT if we set it as a new parameter in trigger authentication? This would make the new feature available for any AWS Scaler at once.

Please, also open a PR to docs to document the new parameter

@zroubalik (Member)

> Awesome improvement! ❤️ As this is part of pod identity (IRSA role assumption), WDYT if we set it as a new parameter in trigger authentication? This would make the new feature available for any AWS Scaler at once.

Could you please elaborate here?

@JorTurFer (Member)

> Could you please elaborate here?

Sure, AwsExternalID is part of the auth SDK and not of the SQS SDK. The OP has added the parameter to the SQS trigger, but it's passed directly to the auth SDK. The auth code is shared by all the AWS scalers, so I guess that it's a potential improvement for all the AWS scalers and not only for SQS. If any other user needs AwsExternalID for another AWS scaler, we will need to add the parameter there and pass it to the shared auth code.
My suggestion is to remove the parameter from the SQS trigger and move it directly to the TriggerAuthentication, to make it shared for any AWS scaler and also to place it closer to the auth code, instead of passing it from the SQS code down to the auth code. Last but not least, this change ONLY applies if pod identity is used (the assumeRole code is podIdentity code), so I see it configured alongside the podIdentity configuration and not as part of the scaler.

@zroubalik (Member)

Thanks a lot, this makes sense!

Fully agree, let's proceed in this direction, @tangobango5 FYI

@tangobango5 (Contributor, Author) commented Oct 14, 2025

Hi @JorTurFer

Please let me know if I have understood this correctly:

I have done changes in:

  • pkg/scalers/aws/aws_common.go
  • pkg/scalers/aws/aws_authorization.go
  • pkg/scalers/aws/aws_config_cache.go

These changes are for all the AWS scalers and not specific to SQS scaler.

Example usage (I have already tried it like this):

apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: auth-trigger
  namespace: some-namespace
spec:
  secretTargetRef:
  - key: AWS_ROLE_ARN
    name: secret-name
    parameter: awsRoleArn
  - key: AWS_EXTERNAL_ID        ##### This is common for all the scalers.
    name: secret-name
    parameter: awsExternalID

Similarly, this TriggerAuthentication can be used for any of the AWS scalers and it's not specific to just SQS scalers.

PS: I am new to KEDA, and might have misunderstood it.

@tangobango5 tangobango5 requested a review from a team as a code owner October 14, 2025 19:55
@keda-automation keda-automation requested a review from a team October 14, 2025 19:55
@tangobango5 (Contributor, Author) commented Oct 15, 2025

Hi @JorTurFer

I have changed it to use podIdentity instead of using auth.
Now, I see this makes more sense.

We may use it like this:

spec:
  podIdentity:
    awsExternalID: someexternalid
    provider: aws
    roleArn: arn:aws:iam::123456789:role/keda-cross-account-role

Is this what you requested?

@JorTurFer (Member) left a comment

Awesome job! Just one extra thing: instead of using the SQS unit test to test this feature, what about adding an e2e test for it? We have a real AWS account where we can include a role with an externalID requirement -> https://github.com/kedacore/testing-infrastructure

The AWS IAM is managed here -> https://github.com/kedacore/testing-infrastructure/blob/main/terraform/modules/aws/iam/main.tf

snyk-io (bot) commented Dec 22, 2025

Snyk checks have passed. No issues have been found so far.

Open Source Security: 0 critical, 0 high, 0 medium, 0 low (0 issues total)

@tangobango5 force-pushed the feature/aws-sqs-external-id-support branch from 9c3a059 to a226f12 on December 22, 2025 20:46
@keda-automation requested a review from a team on December 22, 2025 20:46
@tangobango5 force-pushed the feature/aws-sqs-external-id-support branch from a226f12 to 9c3a059 on December 22, 2025 20:48
@tangobango5 (Contributor, Author) commented Dec 22, 2025

Hi @JorTurFer,
Please review: here is the PR adding the external ID for the e2e test.
kedacore/testing-infrastructure#191

@tangobango5 force-pushed the feature/aws-sqs-external-id-support branch from d52f909 to 9b153fc on December 23, 2025 07:05
@rickbrouwer added the merge-conflict label (This PR has a merge conflict) on Feb 3, 2026
@rickbrouwer removed the merge-conflict label on Feb 13, 2026
@tangobango5 force-pushed the feature/aws-sqs-external-id-support branch from a8db283 to 1ba3a09 on February 13, 2026 08:01
Signed-off-by: ritesh.chaurasia1 <ritesh.chaurasia@devo.com>
Signed-off-by: ritesh.chaurasia1 <ritesh.chaurasia@devo.com>
Copilot AI (Contributor) left a comment

Pull request overview

This PR adds support for AWS External ID in TriggerAuthentication to enable secure cross-account access scenarios. External ID is an AWS security best practice that helps prevent the "confused deputy" problem when using AssumeRole across accounts.

Changes:

  • Added ExternalID field to AuthPodIdentity struct and CRD definitions
  • Updated AWS authentication logic to parse and use external ID with AssumeRole operations
  • Modified cache key generation to include external ID for proper cache isolation
  • Added comprehensive unit and E2E tests for external ID scenarios
  • Added webhook validation to ensure external ID is only used with RoleArn

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 2 comments.

Summary per file:

  • apis/keda/v1alpha1/triggerauthentication_types.go: Added ExternalID field to AuthPodIdentity struct
  • apis/keda/v1alpha1/triggerauthentication_webhook.go: Added validation to ensure ExternalID requires RoleArn
  • config/crd/bases/keda.sh_triggerauthentications.yaml: Updated CRD with ExternalID field definition
  • config/crd/bases/keda.sh_clustertriggerauthentications.yaml: Updated ClusterTriggerAuthentication CRD with ExternalID field
  • pkg/scalers/aws/aws_authorization.go: Added AwsExternalID field to AuthorizationMetadata struct
  • pkg/scalers/aws/aws_common.go: Updated GetAwsAuthorization to parse external ID and pass it to AssumeRole
  • pkg/scalers/aws/aws_config_cache.go: Updated cache key generation and credential retrieval to include external ID
  • pkg/scalers/aws_sqs_queue_scaler_test.go: Added comprehensive unit test cases for external ID scenarios
  • tests/secret-providers/aws_identity_external_id/aws_identity_external_id_test.go: Added E2E test verifying external ID works and is properly validated
  • CHANGELOG.md: Documented the enhancement for all AWS scalers
@tangobango5 force-pushed the feature/aws-sqs-external-id-support branch from 88b1633 to 2013463 on February 13, 2026 10:57

Commit: Add externalID tests

Signed-off-by: ritesh.chaurasia1 <ritesh.chaurasia@devo.com>

@tangobango5 force-pushed the feature/aws-sqs-external-id-support branch from 2013463 to 9e3ee94 on February 13, 2026 11:28
@tangobango5 (Contributor, Author)

@JorTurFer you may review now.

@JorTurFer (Member) left a comment

LGTM! Only one small thing: please include the externalID in the key generated by getCacheKey. I assume that you can never assume a role with and without the externalID, but including the value in the key ensures that connections are unique. Also, if one legit trigger is configured, not having the externalID can allow another one wrongly configured (without it) to use the right one.
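To make the review point above concrete, here is an added Go example written for this page (not KEDA's code; the struct, function and field names are assumptions for illustration). It puts a cache key that omits the external ID beside one that includes it, together with the validation that an external ID requires a role ARN, and simulates the shared credential cache. With the legacy key a trigger that forgot its external ID is served the credentials already obtained by a correctly configured trigger for the same role; with the fixed key it gets its own (and, against a real STS, failing) AssumeRole. The region, role ARN and external ID are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// AuthorizationMetadata is a hypothetical subset of the fields the AWS
// scalers share; the real KEDA struct has more fields.
type AuthorizationMetadata struct {
	AwsRegion     string
	AwsRoleArn    string
	AwsExternalID string
}

// validate enforces the constraint from the thread: an external ID is only
// used by AssumeRole, so it is meaningless without a role ARN.
func validate(m AuthorizationMetadata) error {
	if m.AwsExternalID != "" && m.AwsRoleArn == "" {
		return errors.New("externalID requires roleArn to be set")
	}
	return nil
}

// legacyCacheKey ignores the external ID, so two TriggerAuthentications
// that name the same role but differ in external ID collide.
func legacyCacheKey(m AuthorizationMetadata) string {
	return digest(m.AwsRegion, m.AwsRoleArn)
}

// cacheKey includes the external ID, so each distinct AssumeRole input
// gets its own cached credentials.
func cacheKey(m AuthorizationMetadata) string {
	return digest(m.AwsRegion, m.AwsRoleArn, m.AwsExternalID)
}

// digest hashes length-prefixed fields so that no separator character
// inside a field value can make two different inputs produce one key.
func digest(fields ...string) string {
	h := sha256.New()
	for _, f := range fields {
		fmt.Fprintf(h, "%d:%s;", len(f), f)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// credentialCache stands in for the shared cache: the first lookup for a
// key performs the (simulated) AssumeRole, later lookups reuse its result.
type credentialCache struct {
	keyFunc func(AuthorizationMetadata) string
	entries map[string]string
	Assumes int // number of simulated STS calls, to observe hits and misses
}

func newCredentialCache(keyFunc func(AuthorizationMetadata) string) *credentialCache {
	return &credentialCache{keyFunc: keyFunc, entries: map[string]string{}}
}

// Credentials returns a credential handle for m, assuming the role on a miss.
func (c *credentialCache) Credentials(m AuthorizationMetadata) (string, error) {
	if err := validate(m); err != nil {
		return "", err
	}
	k := c.keyFunc(m)
	if creds, ok := c.entries[k]; ok {
		return creds, nil
	}
	c.Assumes++
	// Stand-in for the STS AssumeRole call, which is where the external ID
	// is actually sent; the handle records what the call was made with.
	creds := fmt.Sprintf("session(role=%s, externalID=%q)", m.AwsRoleArn, m.AwsExternalID)
	c.entries[k] = creds
	return creds, nil
}

func main() {
	right := AuthorizationMetadata{AwsRegion: "eu-west-1", AwsRoleArn: "arn:aws:iam::222222222222:role/target", AwsExternalID: "keda-tenant-42"}
	wrong := right
	wrong.AwsExternalID = "" // misconfigured trigger that omitted the external ID

	for _, kf := range []struct {
		name string
		fn   func(AuthorizationMetadata) string
	}{{"legacy", legacyCacheKey}, {"fixed", cacheKey}} {
		c := newCredentialCache(kf.fn)
		a, _ := c.Credentials(right)
		b, _ := c.Credentials(wrong)
		fmt.Printf("%s key: credentials shared=%v, STS calls=%d\n", kf.name, a == b, c.Assumes)
	}
}
```

The same reasoning applies to any other input that changes what AssumeRole returns (role ARN, region, session name): everything that distinguishes one credential set from another belongs in the key.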

@JorTurFer (Member) commented Feb 15, 2026

/run-e2e aws
Update: You can check the progress here

@rickbrouwer added the labels merge-conflict (This PR has a merge conflict) and waiting-author-response (All PRs or issues where we are waiting for a response from the author) on Mar 8, 2026
@rickbrouwer added the label related-pr (This is a PR that is related to another PR; the potential merging may affect the related PR) on Apr 20, 2026
@rickbrouwer (Member) commented Apr 20, 2026

Related with #7665 and #7580

Signed-off-by: Ritesh Kumar Chaurasia <riteshchaurasia53@gmail.com>
@keda-automation keda-automation requested a review from a team April 22, 2026 06:53
Signed-off-by: ritesh.chaurasia1 <ritesh.chaurasia@devo.com>
@tangobango5 (Contributor, Author)
@JorTurFer @rickbrouwer
I think all comments are addressed.
Please do let me know if further changes are required here.

@rickbrouwer removed the labels waiting-author-response and merge-conflict on May 1, 2026

@rickbrouwer (Member) commented May 1, 2026

/run-e2e aws
Update: You can check the progress here

@zeevimeytar

Can we expect this to be part of the v2.20 release?

@rickbrouwer rickbrouwer added the ok-to-merge This PR can be merged label May 3, 2026
@JorTurFer JorTurFer merged commit a1eeed3 into kedacore:main May 3, 2026
27 checks passed

Labels: ok-to-merge (This PR can be merged), related-pr (This is a PR that is related to another PR; the potential merging may affect the related PR)

6 participants