fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Allow for ExternalId when performing sts-assume-role #18898

Closed rfairburn closed 2 months ago

rfairburn commented 2 months ago

Problem

As a user of Fleet cloud, I would like to be able to provide an ExternalId as part of the assume role process.

Fleet currently supports assuming roles for cross-account data delivery to sources such as Firehose, but does not currently allow specifying an ExternalId as part of the assume role request.

See the following links for more information:
https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html

The AWS SDK for Go that Fleet uses already supports this; we would just need to pass in the parameter. See: https://docs.aws.amazon.com/sdk-for-go/api/service/sts/

Potential solutions

  1. Provide an optional ExternalId variable in addition to the sts_assume_role arns. The immediate use-case is for Firehose, but any integration that allows for assume role would benefit from this feature.
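
Added example, not part of the issue or Fleet's code: the role-side check that gives the requested parameter its purpose. It goes beyond the request itself by linting a role trust policy for `Allow` statements that let an AWS principal call `sts:AssumeRole` without a `StringEquals` condition on `sts:ExternalId`. `MissingExternalID`, `oneOrMany`, `statement` and the sample policy are hypothetical names and constructed data, and the code assumes `Statement` is an array and `Principal` is in object form.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// oneOrMany decodes IAM fields that hold either one string or a list of strings.
type oneOrMany []string
func (o *oneOrMany) UnmarshalJSON(b []byte) error {
	var s string
	if json.Unmarshal(b, &s) == nil {
		*o = oneOrMany{s}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(o))
}
type statement struct {
	Sid, Effect string
	Action      oneOrMany
	Principal   struct{ AWS oneOrMany }
	Condition   map[string]map[string]json.RawMessage
}
// Constructed sample: the account ID and external ID are placeholders.
const samplePolicy = `{"Version":"2012-10-17","Statement":[{"Sid":"WithExternalId","Effect":"Allow","Action":"sts:AssumeRole",
 "Principal":{"AWS":"arn:aws:iam::111122223333:root"},"Condition":{"StringEquals":{"sts:ExternalId":"constructed-id"}}},
 {"Sid":"NoExternalId","Effect":"Allow","Action":["sts:AssumeRole"],"Principal":{"AWS":["arn:aws:iam::111122223333:root"]}}]}`
// MissingExternalID lists Allow statements granting sts:AssumeRole to an AWS principal without sts:ExternalId.
func MissingExternalID(policy string) (flagged []string, err error) {
	var p struct{ Statement []statement }
	if err = json.Unmarshal([]byte(policy), &p); err != nil {
		return nil, err
	}
	for _, s := range p.Statement {
		grants, required := false, false
		for _, a := range s.Action {
			grants = grants || a == "*" || strings.EqualFold(a, "sts:*") || strings.EqualFold(a, "sts:AssumeRole")
		}
		for key := range s.Condition["StringEquals"] { // condition keys are case-insensitive
			required = required || strings.EqualFold(key, "sts:ExternalId")
		}
		if s.Effect == "Allow" && grants && len(s.Principal.AWS) > 0 && !required {
			flagged = append(flagged, s.Sid)
		}
	}
	return flagged, nil
}
func main() { fmt.Println(MissingExternalID(samplePolicy)) }
```

A role whose trust policy passes this check rejects any AssumeRole call that omits the matching ExternalId, which is why the caller needs a way to supply it.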

noahtalerman commented 2 months ago

Hey @lukeheath, it looks like we have an open PR for this request: https://github.com/fleetdm/fleet/pull/18901

I moved this request off the feature fest board to the #g-customer-success board.

Please feel free to move it if that's not the right place.

lukeheath commented 2 months ago

@rfairburn We're moving this ticket to the Customer Success board so you can track it there since there is already a PR in review.

fleet-release commented 2 months ago

ExternalId brings peace,
Secure in the cloud city,
Fleet's role now increased.