Default `role-session-name` to `${{ github.run_id}}` to improve CloudTrail experience

[arianvp]

Describe the feature

Could we default role-session-name to ${{ github.run_id }}?

Use Case

I want to correlate which AWS actions were performed by which workflow run in audit logs.
The CloudTrail log for sts:AssumeRoleWithWebIdentity unfortunately only logs the sub and aud claims but not the other claims of the Github ID token. This means I can not correlate back which run called the assume-role, leaving a hole in auditability.

If we'd set the role-session-name to the run-id then we can correlate actions performed in CloudTrail back to the run that executed them.

Proposed Solution

Default role-session-name to ${{ github.run_id }}

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

[arianvp]

I can manually do this of course. But having this as a default would be great.

[indy-singh]

We've done this for 1+ year and it has immensely helped with visibility and auditability. I think ${{ github.run_id }} makes total sense as a default.

I was looking to additionally tag the session with the repo name, so that we could reconstruct the run id

https://github.com/{{org_name}}/{{repo_name}}/actions/runs/{{run_id}}

The information does exist as seen here:-

configure-aws-credentials/src/assumeRole.ts

Line 103 in ececac1

const tagArray: Tag[] = [

But it appears that the tags are explicitly delete here:-

configure-aws-credentials/src/assumeRole.ts

Line 11 in ececac1

delete params.Tags;

Cheers,
Indy

[arianvp]

AssumeRoleWithWebIdentity unfortunately doesn't support tagging sessions except for structuring your ID token on a certain format which GitHub actions doesn't do :(

[indy-singh]

Ah yeah, sorry I forgot to update my comment last night.

It's documented here:-

https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-sts/Interface/AssumeRoleWithWebIdentityCommandInput/

https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-sts/Interface/AssumeRoleCommandInput/

Kinda of disappointing really. I don't want to have to hack in something to the role-session-name.

[lehmanmj]

Thanks for the suggestion. The default role-session-name has not been changed, as that might cause problems for users who rely on it being "GitHubActions". However, the ReadMe has been updated (#1336) to note this is a helpful feature for auditing.

[github-actions]

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.