From 8008f500d0370a012fd40c73f83656f90c8cee88 Mon Sep 17 00:00:00 2001
From: Oyvind Albrigtsen <oalbrigt@redhat.com>
Date: Tue, 14 Nov 2023 12:32:24 +0100
Subject: [PATCH] - aws-vpc-move-ip/aws-vpc-route53/awseip/awsvip: add
 auth_type parameter   and AWS Policy based authentication type

  Resolves: RHEL-16247
---
 ...route53-awseip-awsvip-auth_type-role.patch | 534 ++++++++++++++++++
 ha-cloud-support-aws.patch                    |  13 +-
 resource-agents.spec                          |  10 +-
 3 files changed, 550 insertions(+), 7 deletions(-)
 create mode 100644 RHEL-16247-aws-vpc-move-ip-aws-vpc-route53-awseip-awsvip-auth_type-role.patch

diff --git a/RHEL-16247-aws-vpc-move-ip-aws-vpc-route53-awseip-awsvip-auth_type-role.patch b/RHEL-16247-aws-vpc-move-ip-aws-vpc-route53-awseip-awsvip-auth_type-role.patch
new file mode 100644
index 0000000..e43cdbf
--- /dev/null
+++ b/RHEL-16247-aws-vpc-move-ip-aws-vpc-route53-awseip-awsvip-auth_type-role.patch
@@ -0,0 +1,534 @@
+From a1177407608887970cafbfe7ad9bf97570c739dd Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Mon, 6 Nov 2023 15:49:44 +0100
+Subject: [PATCH] aws-vpc-move-ip/aws-vpc-route53/awseip/awsvip: add auth_type
+ parameter and AWS Policy based authentication type
+
+---
+ heartbeat/aws-vpc-move-ip    | 40 ++++++++++++++++++----
+ heartbeat/aws-vpc-route53.in | 44 +++++++++++++++++++-----
+ heartbeat/awseip             | 65 +++++++++++++++++++++++++++---------
+ heartbeat/awsvip             | 59 +++++++++++++++++++++++++-------
+ 4 files changed, 166 insertions(+), 42 deletions(-)
+
+diff --git a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip
+index dee040300f..3fa93cd4af 100755
+--- a/heartbeat/aws-vpc-move-ip
++++ b/heartbeat/aws-vpc-move-ip
+@@ -36,6 +36,7 @@
+ 
+ # Defaults
+ OCF_RESKEY_awscli_default="/usr/bin/aws"
++OCF_RESKEY_auth_type_default="key"
+ OCF_RESKEY_profile_default="default"
+ OCF_RESKEY_region_default=""
+ OCF_RESKEY_ip_default=""
+@@ -48,6 +49,7 @@ OCF_RESKEY_monapi_default="false"
+ OCF_RESKEY_lookup_type_default="InstanceId"
+ 
+ : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
++: ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
+ : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
+ : ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
+ : ${OCF_RESKEY_ip=${OCF_RESKEY_ip_default}}
+@@ -58,8 +60,6 @@ OCF_RESKEY_lookup_type_default="InstanceId"
+ : ${OCF_RESKEY_iflabel=${OCF_RESKEY_iflabel_default}}
+ : ${OCF_RESKEY_monapi=${OCF_RESKEY_monapi_default}}
+ : ${OCF_RESKEY_lookup_type=${OCF_RESKEY_lookup_type_default}}
+-
+-[ -n "$OCF_RESKEY_region" ] && region_opt="--region $OCF_RESKEY_region"
+ #######################################################################
+ 
+ 
+@@ -83,6 +83,10 @@ cat <<END
+ <longdesc lang="en">
+ Resource Agent to move IP addresses within a VPC of the Amazon Webservices EC2
+ by changing an entry in an specific routing table
++
++Credentials needs to be setup by running "aws configure", or by using AWS Policies.
++
++See https://aws.amazon.com/cli/ for more information about awscli.
+ </longdesc>
+ <shortdesc lang="en">Move IP within a VPC of the AWS EC2</shortdesc>
+ 
+@@ -95,6 +99,15 @@ Path to command line tools for AWS
+ <content type="string" default="${OCF_RESKEY_awscli_default}" />
+ </parameter>
+ 
++<parameter name="auth_type">
++<longdesc lang="en">
++Authentication type "key" for AccessKey and SecretAccessKey set via "aws configure",
++or "role" to use AWS Policies.
++</longdesc>
++<shortdesc lang="en">Authentication type</shortdesc>
++<content type="string" default="${OCF_RESKEY_auth_type_default}" />
++</parameter>
++
+ <parameter name="profile">
+ <longdesc lang="en">
+ Valid AWS CLI profile name (see ~/.aws/config and 'aws configure')
+@@ -198,7 +211,7 @@ END
+ execute_cmd_as_role(){
+ 	cmd=$1
+ 	role=$2
+-	output="$($OCF_RESKEY_awscli sts assume-role --role-arn $role --role-session-name AWSCLI-RouteTableUpdate --profile $OCF_RESKEY_profile $region_opt --output=text)"
++	output="$($AWSCLI_CMD sts assume-role --role-arn $role --role-session-name AWSCLI-RouteTableUpdate --output=text)"
+ 	export AWS_ACCESS_KEY_ID="$(echo $output | awk -F" " '$4=="CREDENTIALS" {print $5}')"
+ 	export AWS_SECRET_ACCESS_KEY="$(echo $output | awk -F" " '$4=="CREDENTIALS" {print $7}')"
+ 	export AWS_SESSION_TOKEN="$(echo $output | awk -F" " '$4=="CREDENTIALS" {print $8}')"
+@@ -224,7 +237,7 @@ ec2ip_validate() {
+ 		check_binary "$cmd"
+ 	done
+ 
+-	if [ -z "$OCF_RESKEY_profile" ]; then
++	if [ "x${OCF_RESKEY_auth_type}" = "xkey" ] && [ -z "$OCF_RESKEY_profile" ]; then
+ 		ocf_exit_reason "profile parameter not set"
+ 		return $OCF_ERR_CONFIGURED
+ 	fi
+@@ -262,7 +275,7 @@ ec2ip_monitor() {
+ 		for rtb in $(echo $OCF_RESKEY_routing_table | sed -e 's/,/ /g'); do
+ 			ocf_log info "monitor: check routing table (API call) - $rtb"
+ 			if [ -z "${OCF_RESKEY_routing_table_role}" ]; then
+-				cmd="$OCF_RESKEY_awscli --profile $OCF_RESKEY_profile $region_opt --output text ec2 describe-route-tables --route-table-ids $rtb --query RouteTables[*].Routes[?DestinationCidrBlock=='$OCF_RESKEY_ip/32'].$OCF_RESKEY_lookup_type"
++				cmd="$AWSCLI_CMD --output text ec2 describe-route-tables --route-table-ids $rtb --query RouteTables[*].Routes[?DestinationCidrBlock=='$OCF_RESKEY_ip/32'].$OCF_RESKEY_lookup_type"
+ 				ocf_log debug "executing command: $cmd"
+ 				ROUTE_TO_INSTANCE="$($cmd)"
+ 			else
+@@ -368,7 +381,7 @@ ec2ip_get_and_configure() {
+ 	EC2_NETWORK_INTERFACE_ID="$(ec2ip_get_instance_eni)"
+ 	for rtb in $(echo $OCF_RESKEY_routing_table | sed -e 's/,/ /g'); do
+ 		if [ -z "${OCF_RESKEY_routing_table_role}" ]; then
+-			cmd="$OCF_RESKEY_awscli --profile $OCF_RESKEY_profile $region_opt --output text ec2 replace-route --route-table-id $rtb --destination-cidr-block ${OCF_RESKEY_ip}/32 --network-interface-id $EC2_NETWORK_INTERFACE_ID"
++			cmd="$AWSCLI_CMD --output text ec2 replace-route --route-table-id $rtb --destination-cidr-block ${OCF_RESKEY_ip}/32 --network-interface-id $EC2_NETWORK_INTERFACE_ID"
+ 			ocf_log debug "executing command: $cmd"
+ 			$cmd
+ 		else
+@@ -475,6 +488,21 @@ if ! ocf_is_root; then
+ 	exit $OCF_ERR_PERM
+ fi
+ 
++if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then
++	AWSCLI_CMD="${OCF_RESKEY_awscli} --profile ${OCF_RESKEY_profile}"
++elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then
++	if [ -z "${OCF_RESKEY_region}" ]; then
++		ocf_exit_reason "region needs to be set when using role-based authentication"
++		exit $OCF_ERR_CONFIGURED
++	fi
++else
++	ocf_exit_reason "Incorrect auth_type: ${OCF_RESKEY_auth_type}"
++	exit $OCF_ERR_CONFIGURED
++fi
++if [ -n "${OCF_RESKEY_region}" ]; then
++	AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
++fi
++
+ ec2ip_set_address_param_compat
+ 
+ ec2ip_validate
+diff --git a/heartbeat/aws-vpc-route53.in b/heartbeat/aws-vpc-route53.in
+index 22cbb35833..911f15f59f 100644
+--- a/heartbeat/aws-vpc-route53.in
++++ b/heartbeat/aws-vpc-route53.in
+@@ -46,24 +46,22 @@
+ 
+ # Defaults
+ OCF_RESKEY_awscli_default="/usr/bin/aws"
++OCF_RESKEY_auth_type_default="key"
+ OCF_RESKEY_profile_default="default"
++OCF_RESKEY_region_default=""
+ OCF_RESKEY_hostedzoneid_default=""
+ OCF_RESKEY_fullname_default=""
+ OCF_RESKEY_ip_default="local"
+ OCF_RESKEY_ttl_default=10
+ 
+ : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
++: ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
+ : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
++: ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
+ : ${OCF_RESKEY_hostedzoneid:=${OCF_RESKEY_hostedzoneid_default}}
+ : ${OCF_RESKEY_fullname:=${OCF_RESKEY_fullname_default}}
+ : ${OCF_RESKEY_ip:=${OCF_RESKEY_ip_default}}
+ : ${OCF_RESKEY_ttl:=${OCF_RESKEY_ttl_default}}
+-#######################################################################
+-
+-
+-AWS_PROFILE_OPT="--profile $OCF_RESKEY_profile --cli-connect-timeout 10"
+-#######################################################################
+-
+ 
+ usage() {
+ 	cat <<-EOT
+@@ -123,6 +121,15 @@ Path to command line tools for AWS
+ <content type="string" default="${OCF_RESKEY_awscli_default}" />
+ </parameter>
+ 
++<parameter name="auth_type">
++<longdesc lang="en">
++Authentication type "key" for AccessKey and SecretAccessKey set via "aws configure",
++or "role" to use AWS Policies.
++</longdesc>
++<shortdesc lang="en">Authentication type</shortdesc>
++<content type="string" default="${OCF_RESKEY_auth_type_default}" />
++</parameter>
++
+ <parameter name="profile">
+ <longdesc lang="en">
+ The name of the AWS CLI profile of the root account. This
+@@ -216,7 +223,10 @@ r53_validate() {
+ 	esac
+ 
+ 	# profile
+-	[[ -z "$OCF_RESKEY_profile" ]] && ocf_log error "AWS CLI profile not set $OCF_RESKEY_profile!" && exit $OCF_ERR_CONFIGURED
++	if [ "x${OCF_RESKEY_auth_type}" = "xkey" ] && [ -z "$OCF_RESKEY_profile" ]; then
++		ocf_exit_reason "profile parameter not set"
++		return $OCF_ERR_CONFIGURED
++	fi
+ 
+ 	# TTL
+ 	[[ -z "$OCF_RESKEY_ttl" ]] && ocf_log error "TTL not set $OCF_RESKEY_ttl!" && exit $OCF_ERR_CONFIGURED
+@@ -417,7 +427,6 @@ _update_record() {
+ }
+ 
+ ###############################################################################
+-
+ case $__OCF_ACTION in
+ 	usage|help)
+ 		usage
+@@ -427,6 +436,25 @@ case $__OCF_ACTION in
+ 		metadata
+ 		exit $OCF_SUCCESS
+ 		;;
++esac
++
++if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then
++	AWSCLI_CMD="${OCF_RESKEY_awscli} --profile ${OCF_RESKEY_profile}"
++elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then
++	if [ -z "${OCF_RESKEY_region}" ]; then
++		ocf_exit_reason "region needs to be set when using role-based authentication"
++		exit $OCF_ERR_CONFIGURED
++	fi
++else
++	ocf_exit_reason "Incorrect auth_type: ${OCF_RESKEY_auth_type}"
++	exit $OCF_ERR_CONFIGURED
++fi
++if [ -n "${OCF_RESKEY_region}" ]; then
++	AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
++fi
++AWSCLI_CMD="$AWSCLI_CMD --cli-connect-timeout 10"
++
++case $__OCF_ACTION in
+ 	start)
+ 		r53_validate || exit $?
+ 		r53_start
+diff --git a/heartbeat/awseip b/heartbeat/awseip
+index dc48460c85..f93b5a3434 100755
+--- a/heartbeat/awseip
++++ b/heartbeat/awseip
+@@ -23,7 +23,8 @@
+ #
+ #  Prerequisites:
+ #
+-#  - preconfigured AWS CLI running environment (AccessKey, SecretAccessKey, etc.)
++#  - preconfigured AWS CLI running environment (AccessKey, SecretAccessKey, etc.) or
++#    (AWSRole) Setup up relevant AWS Policies to allow agent related functions to be executed.
+ #  - a reserved secondary private IP address for EC2 instances high availability
+ #  - IAM user role with the following permissions:
+ #    * DescribeInstances
+@@ -44,11 +45,15 @@
+ # Defaults
+ #
+ OCF_RESKEY_awscli_default="/usr/bin/aws"
++OCF_RESKEY_auth_type_default="key"
+ OCF_RESKEY_profile_default="default"
++OCF_RESKEY_region_default=""
+ OCF_RESKEY_api_delay_default="3"
+ 
+ : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
++: ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
+ : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
++: ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
+ : ${OCF_RESKEY_api_delay=${OCF_RESKEY_api_delay_default}}
+ 
+ meta_data() {
+@@ -63,7 +68,7 @@ Resource Agent for Amazon AWS Elastic IP Addresses.
+ 
+ It manages AWS Elastic IP Addresses with awscli.
+ 
+-Credentials needs to be setup by running "aws configure".
++Credentials needs to be setup by running "aws configure", or by using AWS Policies.
+ 
+ See https://aws.amazon.com/cli/ for more information about awscli.
+ </longdesc>
+@@ -79,6 +84,15 @@ command line tools for aws services
+ <content type="string" default="${OCF_RESKEY_awscli_default}" />
+ </parameter>
+ 
++<parameter name="auth_type">
++<longdesc lang="en">
++Authentication type "key" for AccessKey and SecretAccessKey set via "aws configure",
++or "role" to use AWS Policies.
++</longdesc>
++<shortdesc lang="en">Authentication type</shortdesc>
++<content type="string" default="${OCF_RESKEY_auth_type_default}" />
++</parameter>
++
+ <parameter name="profile">
+ <longdesc lang="en">
+ Valid AWS CLI profile name (see ~/.aws/config and 'aws configure')
+@@ -111,6 +125,14 @@ predefined private ip address for ec2 instance
+ <content type="string" default="" />
+ </parameter>
+ 
++<parameter name="region" required="0">
++<longdesc lang="en">
++Region for AWS resource (required for role-based authentication)
++</longdesc>
++<shortdesc lang="en">Region</shortdesc>
++<content type="string" default="${OCF_RESKEY_region_default}" />
++</parameter>
++
+ <parameter name="api_delay" unique="0">
+ <longdesc lang="en">
+ a short delay between API calls, to avoid sending API too quick
+@@ -157,13 +179,13 @@ awseip_start() {
+                 NETWORK_ID=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${MAC}/interface-id -H "X-aws-ec2-metadata-token: $TOKEN")
+             fi
+         done
+-        $AWSCLI --profile $OCF_RESKEY_profile ec2 associate-address  \
++        $AWSCLI_CMD ec2 associate-address  \
+             --network-interface-id ${NETWORK_ID} \
+             --allocation-id ${ALLOCATION_ID} \
+             --private-ip-address ${PRIVATE_IP_ADDRESS}
+         RET=$?
+     else
+-        $AWSCLI --profile $OCF_RESKEY_profile ec2 associate-address  \
++        $AWSCLI_CMD ec2 associate-address  \
+             --instance-id ${INSTANCE_ID} \
+             --allocation-id ${ALLOCATION_ID}
+         RET=$?
+@@ -183,7 +205,7 @@ awseip_start() {
+ awseip_stop() {
+     awseip_monitor || return $OCF_SUCCESS
+ 
+-    ASSOCIATION_ID=$($AWSCLI --profile $OCF_RESKEY_profile --output json ec2 describe-addresses \
++    ASSOCIATION_ID=$($AWSCLI_CMD --output json ec2 describe-addresses \
+                          --allocation-id ${ALLOCATION_ID} | grep -m 1 "AssociationId" | awk -F'"' '{print$4}')
+ 
+     if [ -z "${ASSOCIATION_ID}" ]; then
+@@ -191,9 +213,7 @@ awseip_stop() {
+         return $OCF_NOT_RUNNING
+     fi
+ 
+-    $AWSCLI --profile ${OCF_RESKEY_profile} \
+-        ec2 disassociate-address \
+-        --association-id ${ASSOCIATION_ID}
++    $AWSCLI_CMD ec2 disassociate-address --association-id ${ASSOCIATION_ID}
+     RET=$?
+ 
+     # delay to avoid sending request too fast
+@@ -208,7 +228,7 @@ awseip_stop() {
+ }
+ 
+ awseip_monitor() {
+-    $AWSCLI --profile $OCF_RESKEY_profile ec2 describe-instances --instance-id "${INSTANCE_ID}" | grep -q "${ELASTIC_IP}"
++    $AWSCLI_CMD ec2 describe-instances --instance-id "${INSTANCE_ID}" | grep -q "${ELASTIC_IP}"
+     RET=$?
+ 
+     if [ $RET -ne 0 ]; then
+@@ -220,7 +240,7 @@ awseip_monitor() {
+ awseip_validate() {
+     check_binary ${AWSCLI}
+ 
+-    if [ -z "$OCF_RESKEY_profile" ]; then
++    if [ "x${OCF_RESKEY_auth_type}" = "xkey" ] && [ -z "$OCF_RESKEY_profile" ]; then
+         ocf_exit_reason "profile parameter not set"
+         return $OCF_ERR_CONFIGURED
+     fi
+@@ -238,9 +258,26 @@ case $__OCF_ACTION in
+         meta_data
+         exit $OCF_SUCCESS
+         ;;
+-esac 
++    usage|help)
++        awseip_usage
++        exit $OCF_SUCCESS
++        ;;
++esac
+ 
+-AWSCLI="${OCF_RESKEY_awscli}"
++if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then
++	AWSCLI_CMD="${OCF_RESKEY_awscli} --profile ${OCF_RESKEY_profile}"
++elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then
++	if [ -z "${OCF_RESKEY_region}" ]; then
++		ocf_exit_reason "region needs to be set when using role-based authentication"
++		exit $OCF_ERR_CONFIGURED
++	fi
++else
++	ocf_exit_reason "Incorrect auth_type: ${OCF_RESKEY_auth_type}"
++	exit $OCF_ERR_CONFIGURED
++fi
++if [ -n "${OCF_RESKEY_region}" ]; then
++	AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
++fi
+ ELASTIC_IP="${OCF_RESKEY_elastic_ip}"
+ ALLOCATION_ID="${OCF_RESKEY_allocation_id}"
+ PRIVATE_IP_ADDRESS="${OCF_RESKEY_private_ip_address}"
+@@ -272,10 +309,6 @@ case $__OCF_ACTION in
+     validate|validate-all)
+         awseip_validate
+         ;;
+-    usage|help)
+-        awseip_usage
+-        exit $OCF_SUCCESS
+-        ;;
+     *)
+         awseip_usage
+         exit $OCF_ERR_UNIMPLEMENTED
+diff --git a/heartbeat/awsvip b/heartbeat/awsvip
+index 037278e296..7e6cc23d64 100755
+--- a/heartbeat/awsvip
++++ b/heartbeat/awsvip
+@@ -23,7 +23,8 @@
+ #
+ #  Prerequisites:
+ #
+-#  - preconfigured AWS CLI running environment (AccessKey, SecretAccessKey, etc.)
++#  - preconfigured AWS CLI running environment (AccessKey, SecretAccessKey, etc.) or
++#    (AWSRole) Setup up relevant AWS Policies to allow agent related functions to be executed.
+ #  - a reserved secondary private IP address for EC2 instances high availablity
+ #  - IAM user role with the following permissions:
+ #    * DescribeInstances
+@@ -43,11 +44,15 @@
+ # Defaults
+ #
+ OCF_RESKEY_awscli_default="/usr/bin/aws"
++OCF_RESKEY_auth_type_default="key"
+ OCF_RESKEY_profile_default="default"
++OCF_RESKEY_region_default=""
+ OCF_RESKEY_api_delay_default="3"
+ 
+ : ${OCF_RESKEY_awscli=${OCF_RESKEY_awscli_default}}
++: ${OCF_RESKEY_auth_type=${OCF_RESKEY_auth_type_default}}
+ : ${OCF_RESKEY_profile=${OCF_RESKEY_profile_default}}
++: ${OCF_RESKEY_region=${OCF_RESKEY_region_default}}
+ : ${OCF_RESKEY_api_delay=${OCF_RESKEY_api_delay_default}}
+ 
+ meta_data() {
+@@ -62,7 +67,7 @@ Resource Agent for Amazon AWS Secondary Private IP Addresses.
+ 
+ It manages AWS Secondary Private IP Addresses with awscli.
+ 
+-Credentials needs to be setup by running "aws configure".
++Credentials needs to be setup by running "aws configure", or by using AWS Policies.
+ 
+ See https://aws.amazon.com/cli/ for more information about awscli.
+ </longdesc>
+@@ -78,6 +83,15 @@ command line tools for aws services
+ <content type="string" default="${OCF_RESKEY_awscli_default}" />
+ </parameter>
+ 
++<parameter name="auth_type">
++<longdesc lang="en">
++Authentication type "key" for AccessKey and SecretAccessKey set via "aws configure",
++or "role" to use AWS Policies.
++</longdesc>
++<shortdesc lang="en">Authentication type</shortdesc>
++<content type="string" default="${OCF_RESKEY_auth_type_default}" />
++</parameter>
++
+ <parameter name="profile">
+ <longdesc lang="en">
+ Valid AWS CLI profile name (see ~/.aws/config and 'aws configure')
+@@ -94,6 +108,14 @@ reserved secondary private ip for ec2 instance
+ <content type="string" default="" />
+ </parameter>
+ 
++<parameter name="region" required="0">
++<longdesc lang="en">
++Region for AWS resource (required for role-based authentication)
++</longdesc>
++<shortdesc lang="en">Region</shortdesc>
++<content type="string" default="${OCF_RESKEY_region_default}" />
++</parameter>
++
+ <parameter name="api_delay" unique="0">
+ <longdesc lang="en">
+ a short delay between API calls, to avoid sending API too quick
+@@ -131,7 +153,7 @@ END
+ awsvip_start() {
+     awsvip_monitor && return $OCF_SUCCESS
+ 
+-    $AWSCLI --profile $OCF_RESKEY_profile ec2 assign-private-ip-addresses \
++    $AWSCLI_CMD ec2 assign-private-ip-addresses \
+         --network-interface-id ${NETWORK_ID} \
+         --private-ip-addresses ${SECONDARY_PRIVATE_IP} \
+         --allow-reassignment
+@@ -151,7 +173,7 @@ awsvip_start() {
+ awsvip_stop() {
+     awsvip_monitor || return $OCF_SUCCESS
+ 
+-    $AWSCLI --profile $OCF_RESKEY_profile ec2 unassign-private-ip-addresses \
++    $AWSCLI_CMD ec2 unassign-private-ip-addresses \
+         --network-interface-id ${NETWORK_ID} \
+         --private-ip-addresses ${SECONDARY_PRIVATE_IP}
+     RET=$?
+@@ -168,7 +190,7 @@ awsvip_stop() {
+ }
+ 
+ awsvip_monitor() {
+-    $AWSCLI --profile ${OCF_RESKEY_profile} ec2 describe-instances \
++    $AWSCLI_CMD ec2 describe-instances \
+             --instance-id "${INSTANCE_ID}" \
+             --query 'Reservations[].Instances[].NetworkInterfaces[].PrivateIpAddresses[].PrivateIpAddress[]' \
+             --output text | \
+@@ -182,9 +204,9 @@ awsvip_monitor() {
+ }
+ 
+ awsvip_validate() {
+-    check_binary ${AWSCLI}
++    check_binary ${OCF_RESKEY_awscli}
+ 
+-    if [ -z "$OCF_RESKEY_profile" ]; then
++    if [ "x${OCF_RESKEY_auth_type}" = "xkey" ] && [ -z "$OCF_RESKEY_profile" ]; then
+         ocf_exit_reason "profile parameter not set"
+         return $OCF_ERR_CONFIGURED
+     fi
+@@ -202,9 +224,26 @@ case $__OCF_ACTION in
+         meta_data
+         exit $OCF_SUCCESS
+         ;;
++    usage|help)
++        awsvip_usage
++        exit $OCF_SUCCESS
++        ;;
+ esac
+ 
+-AWSCLI="${OCF_RESKEY_awscli}"
++if [ "x${OCF_RESKEY_auth_type}" = "xkey" ]; then
++	AWSCLI_CMD="${OCF_RESKEY_awscli} --profile ${OCF_RESKEY_profile}"
++elif [ "x${OCF_RESKEY_auth_type}" = "xrole" ]; then
++	if [ -z "${OCF_RESKEY_region}" ]; then
++		ocf_exit_reason "region needs to be set when using role-based authentication"
++		exit $OCF_ERR_CONFIGURED
++	fi
++else
++	ocf_exit_reason "Incorrect auth_type: ${OCF_RESKEY_auth_type}"
++	exit $OCF_ERR_CONFIGURED
++fi
++if [ -n "${OCF_RESKEY_region}" ]; then
++	AWSCLI_CMD="$AWSCLI_CMD --region ${OCF_RESKEY_region}"
++fi
+ SECONDARY_PRIVATE_IP="${OCF_RESKEY_secondary_private_ip}"
+ TOKEN=$(curl -sX PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+ INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id -H "X-aws-ec2-metadata-token: $TOKEN")
+@@ -236,10 +275,6 @@ case $__OCF_ACTION in
+     validate|validate-all)
+         awsvip_validate
+         ;;
+-    usage|help)
+-        awsvip_usage
+-        exit $OCF_SUCCESS
+-        ;;
+     *)
+         awsvip_usage
+         exit $OCF_ERR_UNIMPLEMENTED
diff --git a/ha-cloud-support-aws.patch b/ha-cloud-support-aws.patch
index fbda111..b05e936 100644
--- a/ha-cloud-support-aws.patch
+++ b/ha-cloud-support-aws.patch
@@ -7,9 +7,10 @@ diff --color -uNr a/heartbeat/awseip b/heartbeat/awseip
  #
 -OCF_RESKEY_awscli_default="/usr/bin/aws"
 +OCF_RESKEY_awscli_default="/usr/lib/fence-agents/support/awscli/bin/aws"
+ OCF_RESKEY_auth_type_default="key"
  OCF_RESKEY_profile_default="default"
+ OCF_RESKEY_region_default=""
  OCF_RESKEY_api_delay_default="3"
- 
 diff --color -uNr a/heartbeat/awsvip b/heartbeat/awsvip
 --- a/heartbeat/awsvip	2020-12-03 14:31:17.000000000 +0100
 +++ b/heartbeat/awsvip	2021-02-15 16:47:48.960632484 +0100
@@ -19,9 +20,9 @@ diff --color -uNr a/heartbeat/awsvip b/heartbeat/awsvip
  #
 -OCF_RESKEY_awscli_default="/usr/bin/aws"
 +OCF_RESKEY_awscli_default="/usr/lib/fence-agents/support/awscli/bin/aws"
+ OCF_RESKEY_auth_type_default="key"
  OCF_RESKEY_profile_default="default"
- OCF_RESKEY_api_delay_default="3"
- 
+ OCF_RESKEY_region_default=""
 diff --color -uNr a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip
 --- a/heartbeat/aws-vpc-move-ip	2020-12-03 14:31:17.000000000 +0100
 +++ b/heartbeat/aws-vpc-move-ip	2021-02-15 16:47:55.484644118 +0100
@@ -31,9 +32,9 @@ diff --color -uNr a/heartbeat/aws-vpc-move-ip b/heartbeat/aws-vpc-move-ip
  # Defaults
 -OCF_RESKEY_awscli_default="/usr/bin/aws"
 +OCF_RESKEY_awscli_default="/usr/lib/fence-agents/support/awscli/bin/aws"
+ OCF_RESKEY_auth_type_default="key"
  OCF_RESKEY_profile_default="default"
  OCF_RESKEY_region_default=""
- OCF_RESKEY_ip_default=""
 diff --color -uNr a/heartbeat/aws-vpc-route53.in b/heartbeat/aws-vpc-route53.in
 --- a/heartbeat/aws-vpc-route53.in	2020-12-03 14:31:17.000000000 +0100
 +++ b/heartbeat/aws-vpc-route53.in	2021-02-15 16:47:59.808651828 +0100
@@ -43,6 +44,6 @@ diff --color -uNr a/heartbeat/aws-vpc-route53.in b/heartbeat/aws-vpc-route53.in
  # Defaults
 -OCF_RESKEY_awscli_default="/usr/bin/aws"
 +OCF_RESKEY_awscli_default="/usr/lib/fence-agents/support/awscli/bin/aws"
+ OCF_RESKEY_auth_type_default="key"
  OCF_RESKEY_profile_default="default"
- OCF_RESKEY_hostedzoneid_default=""
- OCF_RESKEY_fullname_default=""
+ OCF_RESKEY_region_default=""
diff --git a/resource-agents.spec b/resource-agents.spec
index 0304d3b..acfb20c 100644
--- a/resource-agents.spec
+++ b/resource-agents.spec
@@ -45,7 +45,7 @@
 Name:		resource-agents
 Summary:	Open Source HA Reusable Cluster Resource Scripts
 Version:	4.10.0
-Release:	47%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}
+Release:	48%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}
 License:	GPLv2+ and LGPLv2+
 URL:		https://github.com/ClusterLabs/resource-agents
 Source0:	%{upstream_prefix}-%{upstream_version}.tar.gz
@@ -115,6 +115,7 @@ Patch62:	rhel-979-storage-mon-2-remove-unnecessary-code.patch
 Patch63:	RHEL-15301-1-exportfs-make-fsid-optional.patch
 Patch64:	RHEL-15301-2-ocft-exportfs-remove-fsid-required-test.patch
 Patch65:	RHEL-15304-findif.sh-fix-loopback-handling.patch
+Patch66:	RHEL-16247-aws-vpc-move-ip-aws-vpc-route53-awseip-awsvip-auth_type-role.patch
 
 # bundled ha-cloud-support libs
 Patch500:	ha-cloud-support-aws.patch
@@ -304,6 +305,7 @@ exit 1
 %patch -p1 -P 63
 %patch -p1 -P 64
 %patch -p1 -P 65
+%patch -p1 -P 66
 
 # bundled ha-cloud-support libs
 %patch -p1 -P 500
@@ -625,6 +627,12 @@ rm -rf %{buildroot}/usr/share/doc/resource-agents
 %{_usr}/lib/ocf/lib/heartbeat/OCF_*.pm
 
 %changelog
+* Tue Nov 14 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-48
+- aws-vpc-move-ip/aws-vpc-route53/awseip/awsvip: add auth_type parameter
+  and AWS Policy based authentication type
+
+  Resolves: RHEL-16247
+
 * Thu Nov  2 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-47
 - exportfs: make "fsid" parameter optional
 - findif.sh: fix loopback IP handling