From 32fdae08d60d19f73d2d931215ddd63befbbe0c7 Mon Sep 17 00:00:00 2001
From: kpcraig <3031348+kpcraig@users.noreply.github.com>
Date: Fri, 26 Jul 2024 14:55:04 -0400
Subject: [PATCH] pass nil function for auth/aws when no externalID supplied (#27858)

---
 builtin/credential/aws/client.go | 9 ++++++++-
 changelog/27858.txt              | 3 +++
 2 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100644 changelog/27858.txt

diff --git a/builtin/credential/aws/client.go b/builtin/credential/aws/client.go
index cf2d39b7d8..5931984ca7 100644
--- a/builtin/credential/aws/client.go
+++ b/builtin/credential/aws/client.go
@@ -9,6 +9,8 @@ import (
 	"strconv"
 	"time"
 
+	"github.com/aws/aws-sdk-go/aws/credentials"
+
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 	"github.com/aws/aws-sdk-go/aws/session"
@@ -130,7 +132,12 @@ func (b *backend) getClientConfig(ctx context.Context, s logical.Storage, region
 	if err != nil {
 		return nil, err
 	}
-	assumedCredentials := stscreds.NewCredentials(sess, stsRole, func(p *stscreds.AssumeRoleProvider) { p.ExternalID = aws.String(externalID) })
+	var assumedCredentials *credentials.Credentials
+	if externalID != "" {
+		assumedCredentials = stscreds.NewCredentials(sess, stsRole, func(p *stscreds.AssumeRoleProvider) { p.ExternalID = aws.String(externalID) })
+	} else {
+		assumedCredentials = stscreds.NewCredentials(sess, stsRole)
+	}
 	// Test that we actually have permissions to assume the role
 	if _, err = assumedCredentials.Get(); err != nil {
 		return nil, err
diff --git a/changelog/27858.txt b/changelog/27858.txt
new file mode 100644
index 0000000000..398d94ac43
--- /dev/null
+++ b/changelog/27858.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth/aws: fixes an issue where not supplying an external id was interpreted as an empty external id
+```
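Review bot: The two branches added in getClientConfig repeat the stscreds.NewCredentials call and differ only in whether the ExternalID option is passed; collecting the option into a variadic slice keeps one call site, lets `:=` infer the variable type, and makes the new `credentials` import in the first hunk unnecessary. A comment stating why the option is omitted would help the next reader, e.g. `// No external ID configured: omit the option rather than sending an empty ExternalID.` Note that the check is an exact empty-string comparison, so a whitespace-only externalID still takes the first branch; that matches the previous behaviour and is presumably intended. getClientConfig starts and ends outside the hunk.
```go
	// No external ID configured: omit the option rather than sending an empty ExternalID.
	var opts []func(*stscreds.AssumeRoleProvider)
	if externalID != "" {
		opts = append(opts, func(p *stscreds.AssumeRoleProvider) { p.ExternalID = aws.String(externalID) })
	}
	assumedCredentials := stscreds.NewCredentials(sess, stsRole, opts...)
	// … unchanged: permission check via assumedCredentials.Get() …
```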