From 53635199e9ac85dd628cf0e5cbed193b5da596e6 Mon Sep 17 00:00:00 2001
From: Pudong
Date: Tue, 10 Oct 2023 16:38:18 +0800
Subject: [PATCH] Allow customize aws and vault audience (#18840)

---
 components/gitpod-cli/cmd/idp-login-aws.go | 4 +++-
 components/gitpod-cli/cmd/idp-login-vault.go | 6 ++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/components/gitpod-cli/cmd/idp-login-aws.go b/components/gitpod-cli/cmd/idp-login-aws.go
index df5b3d5d86405f..473911d28322ce 100644
--- a/components/gitpod-cli/cmd/idp-login-aws.go
+++ b/components/gitpod-cli/cmd/idp-login-aws.go
@@ -24,6 +24,7 @@ var idpLoginAwsOpts struct {
 	RoleARN string
 	Profile string
 	DurationSeconds int
+	Audience []string
 }
 
 var idpLoginAwsCmd = &cobra.Command{
@@ -42,7 +43,7 @@ var idpLoginAwsCmd = &cobra.Command{
 		ctx, cancel := context.WithTimeout(cmd.Context(), 5*time.Second)
 		defer cancel()
 
-		tkn, err := idpToken(ctx, []string{idpAudienceAWS})
+		tkn, err := idpToken(ctx, idpLoginAwsOpts.Audience)
 		if err != nil {
 			return err
 		}
@@ -96,6 +97,7 @@ func init() {
 	idpLoginCmd.AddCommand(idpLoginAwsCmd)
 
 	idpLoginAwsCmd.Flags().StringVar(&idpLoginAwsOpts.RoleARN, "role-arn", os.Getenv("IDP_AWS_ROLE_ARN"), "AWS role to assume (defaults to IDP_AWS_ROLE_ARN env var)")
+	idpLoginAwsCmd.Flags().StringArrayVar(&idpLoginAwsOpts.Audience, "audience", []string{idpAudienceAWS}, "audience of the ID token")
 	idpLoginAwsCmd.Flags().StringVarP(&idpLoginAwsOpts.Profile, "profile", "p", "default", "AWS profile to configure")
 	idpLoginAwsCmd.Flags().IntVarP(&idpLoginAwsOpts.DurationSeconds, "duration-seconds", "d", 3600, "Duration in seconds for which the credentials will be valid (defaults to 3600), upper bound is controlled by the AWS maximum session duration. See https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-web-identity.html")
 	_ = idpLoginAwsCmd.MarkFlagFilename("profile")
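Review bot: The new `idpToken(ctx, idpLoginAwsOpts.Audience)` call in the second hunk forwards whatever the `--audience` flag carries without checking it, so `--audience ""` reaches the token request as a single empty audience and is rejected, if at all, only by the IdP or by AWS STS; the same applies to `idpLoginVaultOpts.Audience` in idp-login-vault.go. A guard before the call, `for _, a := range idpLoginAwsOpts.Audience { if a == "" { return fmt.Errorf("--audience must not be empty") } }` (assuming `fmt` is already imported in this file), keeps the failure local and the message readable. The flag help `"audience of the ID token"` in the third hunk would also benefit from saying that each value becomes part of the token's `aud` claim, that the flag may be repeated, and that the values must match what the relying party was configured to accept (the IAM OIDC provider's audience for AWS, the Vault role's bound audiences), since a mismatch surfaces only as a rejection on the relying-party side. The RunE closure in the second hunk and `func init()` in the third both start outside their hunks.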
diff --git a/components/gitpod-cli/cmd/idp-login-vault.go b/components/gitpod-cli/cmd/idp-login-vault.go
index b576f775250c68..fabc90f60c5e1a 100644
--- a/components/gitpod-cli/cmd/idp-login-vault.go
+++ b/components/gitpod-cli/cmd/idp-login-vault.go
@@ -20,7 +20,8 @@ const (
 )
 
 var idpLoginVaultOpts struct {
-	Role string
+	Role string
+	Audience []string
 }
 
 var idpLoginVaultCmd = &cobra.Command{
@@ -32,7 +33,7 @@ var idpLoginVaultCmd = &cobra.Command{
 		ctx, cancel := context.WithTimeout(cmd.Context(), 5*time.Second)
 		defer cancel()
 
-		tkn, err := idpToken(ctx, []string{idpAudienceVault})
+		tkn, err := idpToken(ctx, idpLoginVaultOpts.Audience)
 		if err != nil {
 			return err
 		}
@@ -63,5 +64,6 @@ var idpLoginVaultCmd = &cobra.Command{
 func init() {
 	idpLoginCmd.AddCommand(idpLoginVaultCmd)
 
+	idpLoginVaultCmd.Flags().StringArrayVar(&idpLoginVaultOpts.Audience, "audience", []string{idpAudienceVault}, "audience of the ID token")
 	idpLoginVaultCmd.Flags().StringVar(&idpLoginVaultOpts.Role, "role", os.Getenv("IDP_VAULT_ROLE"), "Vault role to assume (defaults to IDP_VAULT_ROLE env var)")
 }