[HUDI-7699] Support STS external ids and configurable session names in the AWS StsAssumeRoleCredentialsProvider
Change Logs
See issue HUDI-7699.
HUDI-6695 (#9260) added an AWS credentials provider to support assuming a role when syncing to Glue.
We use Hudi in a multi-tenant environment, and our customers give us delegated access to their Glue catalog. In this multi-tenant setup it is important to use an external ID to improve security when assuming IAM roles.
Furthermore, the STS session name is currently hard-coded to "hoodie". It is helpful for us to have configurable session names so we have better traceability of what entities are creating STS sessions in the cloud.
Currently, the assumed role is configured with the `hoodie.aws.role.arn` config property. I would like to add the following extra optional config properties, which will be used by the HoodieConfigAWSAssumedRoleCredentialsProvider:
- `hoodie.aws.role.external.id`
- `hoodie.aws.role.session.name`
Impact
No impact to any existing way of using Hudi. It only adds more configurability to an existing feature.
Risk level (write none, low medium or high below)
Low
Documentation Update
None. The new configuration options need to be documented, but I believe that is done automatically from the config code (someone please confirm this!)
Contributor's checklist
- [ ] Read through contributor's guide
- [ ] Change Logs and Impact were stated clearly
- [ ] Adequate tests were added if applicable
- [ ] CI passed
CI report:
- 0b707d1ca7beeda6b975fe108e424504e750e70c Azure: SUCCESS
Bot commands
@hudi-bot supports the following commands:
- `@hudi-bot run azure`: re-run the last Azure build
Thank you @danny0405 for reviewing this!! Is there anything more I need to do before this can get merged? (Just checking I haven't missed something obvious)