bin/check-rds.rb in sensu-plugins-aws-3.1.0 vs bin/check-rds.rb in sensu-plugins-aws-3.2.0
- old
+ new
@@ -68,10 +68,15 @@
short: '-k AWS_SECRET_KEY',
long: '--aws-secret-access-key AWS_SECRET_KEY',
description: "AWS Secret Access Key. Either set ENV['AWS_SECRET_KEY'] or provide it as an option",
default: ENV['AWS_SECRET_KEY']
+ option :role_arn,
+ long: '--role-arn ROLE_ARN',
+ description: 'AWS role arn of the role of the third party account to switch to',
+ default: false
+
option :aws_region,
short: '-r AWS_REGION',
long: '--aws-region REGION',
description: 'AWS Region (defaults to us-east-1).',
default: 'us-east-1'
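Review bot: The new `--role-arn` option is described as switching to a third-party account, but no companion option lets the operator supply an external ID. If the target role's trust policy requires `sts:ExternalId` (the usual confused-deputy guard for cross-account access; whether it does is not visible here), the check cannot assume the role. Consider adding `option :external_id, long: '--external-id EXTERNAL_ID', description: 'External ID required by the role trust policy'` and passing `external_id: config[:external_id]` where the credentials are built in the next hunk. Separately, `default: false` on a string-valued option reads oddly; `default: nil` (or no default) keeps the same truthiness test without mixing types.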
@@ -125,15 +130,23 @@
{ access_key_id: config[:aws_access_key],
secret_access_key: config[:aws_secret_access_key],
region: config[:aws_region] }
end
+ def role_credentials
+ @role_credentials = Aws::AssumeRoleCredentials.new(
+ client: Aws::STS::Client.new(aws_config),
+ role_arn: config[:role_arn],
+ role_session_name: "role@#{Time.now.to_i}"
+ )
+ end
+
def rds
- @rds ||= Aws::RDS::Client.new aws_config
+ @rds ||= config[:role_arn] ? Aws::RDS::Client.new(credentials: role_credentials, region: aws_config[:region]) : Aws::RDS::Client.new(aws_config)
end
def cloud_watch
- @cloud_watch ||= Aws::CloudWatch::Client.new aws_config
+ @cloud_watch ||= config[:role_arn] ? Aws::CloudWatch::Client.new(credentials: role_credentials, region: aws_config[:region]) : Aws::CloudWatch::Client.new(aws_config)
end
def find_db_instance(id)
db = rds.describe_db_instances.db_instances.detect { |db_instance| db_instance.db_instance_identifier == id }
unknown 'DB instance not found.' if db.nil?
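Review bot: `role_credentials` assigns with `=` rather than `||=`, so `rds` and `cloud_watch` each build a fresh STS client and make their own AssumeRole call; `@role_credentials ||= Aws::AssumeRoleCredentials.new(` would share one session per run. The session name `"role@#{Time.now.to_i}"` is what appears in CloudTrail for the assumed-role session, and it says nothing about which tool or host made the call. Something like `role_session_name: "sensu-check-rds-#{Time.now.to_i}"` would make the session attributable when auditing the third-party account. The new method also has no comment; a one-liner such as `# Temporary STS credentials for config[:role_arn], obtained with the base access key pair` would document that the static keys are still needed to call STS. The enclosing `aws_config` method starts above this hunk and `find_db_instance` continues below it.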