allow customizing role session name

[rittneje]

Describe the feature

When CDK automatically assumes a role (such as cdk-hnb659fds-deploy-role), currently it hard-codes the role session name to be "aws-cdk-<username>". This is not particularly useful for auditing when deployments are made via a CICD pipeline.

aws-cdk/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts

Line 348 in 400ad91

RoleSessionName: `aws-cdk-${safeUsername()}`,

Instead, it should allow specifying the role session name, either through a command line flag or through an environment variable.

Use Case

See above.

Proposed Solution

No response

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CDK version used

2.28.0 (build ba233f0)

Environment details (OS name and version, etc.)

Alpine 3.16, Python 3.10.5

[daschaa]

Does this has to be behind a feature flag?

[rittneje]

@daschaa No, setting the environment variable or command line argument or whatever that specifies the custom role session name will suffice for the opt-in. If that is not set then it should continue to work the way it does today.

[daschaa]

@rittneje Yes that is true, we just have to make sure that the environment variable is not set in some CI/CD pipeline by mistake.

Do you have an idea how the environment variable could be named 🤔

[rittneje]

@daschaa I think something simple like AWS_CDK_ROLE_SESSION_NAME should suffice. Barring that, it would even be good enough for our purposes for CDK to just reuse the role session name from the original credentials (assuming they are from a role assumption as opposed to an IAM user).

[arkadiyt]

Would love to see this feature, it's a bummer the linked PR wasn't able to be merged