Merge pull request #2895 from jamiemoore/ec2_discovery_rolearn

Add the ability to assume a role for ec2 discovery

config/config.go

@@ -1137,6 +1137,7 @@ type EC2SDConfig struct {
 	AccessKey       string         `yaml:"access_key,omitempty"`
 	SecretKey       Secret         `yaml:"secret_key,omitempty"`
 	Profile         string         `yaml:"profile,omitempty"`
+	RoleARN         string         `yaml:"role_arn,omitempty"`
 	RefreshInterval model.Duration `yaml:"refresh_interval,omitempty"`
 	Port            int            `yaml:"port"`
 

discovery/ec2/ec2.go

@@ -21,6 +21,7 @@ import (
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/credentials"
+	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/common/log"
@@ -71,6 +72,7 @@ type Discovery struct {
 	aws      *aws.Config
 	interval time.Duration
 	profile  string
+	roleARN  string
 	port     int
 	logger   log.Logger
 }
@@ -87,6 +89,7 @@ func NewDiscovery(conf *config.EC2SDConfig, logger log.Logger) *Discovery {
 			Credentials: creds,
 		},
 		profile:  conf.Profile,
+		roleARN:  conf.RoleARN,
 		interval: time.Duration(conf.RefreshInterval),
 		port:     conf.Port,
 		logger:   logger,
@@ -147,7 +150,13 @@ func (d *Discovery) refresh() (tg *config.TargetGroup, err error) {
 		return nil, fmt.Errorf("could not create aws session: %s", err)
 	}
 
-	ec2s := ec2.New(sess)
+	var ec2s *ec2.EC2
+	if d.roleARN != "" {
+		creds := stscreds.NewCredentials(sess, d.roleARN)
+		ec2s = ec2.New(sess, &aws.Config{Credentials: creds})
+	} else {
+		ec2s = ec2.New(sess)
+	}
 	tg = &config.TargetGroup{
 		Source: *d.aws.Region,
 	}