Option to preserve role_session_name when chaining roles #8797

Open
2 tasks
taraspos opened this issue Jul 12, 2024 · 3 comments
Labels
assume-role configuration feature-request A feature should be added or improved. p2 This is a standard priority issue sso

Comments

@taraspos

Describe the feature

Currently, if no role_session_name is set, it is set to a default value like botocore-session-xxxxxxx.
However, it would be great to have an option to preserve the existing role_session_name when chaining roles.

Use Case

When using IAM Identity Center, the initially created session has role_session_name automatically set to the user name, like john.doe@example.com. However, on subsequent AssumeRole calls, the initial session name is lost and replaced with botocore-session-xxxxxxx. I would like to have an option to preserve the original session name when chaining roles.

Proposed Solution

Let's say the following configuration is used:

[profile sso]
sso_start_url = https://test.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789012
sso_role_name = SSORole
region = us-east-1

[profile operator]
role_arn = arn:aws:iam::123456789012:role/operator-role
region = us-east-1
source_profile = sso
+preserve_source_role_session_name = true

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CLI version used

aws-cli/2.17.11

Environment details (OS name and version, etc.)

Darwin/23.5.0

@taraspos taraspos added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Jul 12, 2024
@tim-finnigan tim-finnigan self-assigned this Jul 12, 2024
@tim-finnigan
Contributor

Thanks for the feature request. Can't you specify role_session_name in your profile or the AWS_ROLE_SESSION_NAME environment variable? Also --role-session-name is passed in the assume-role commands. Or you're saying this is specifically an issue when using source_profile/SSO?

@tim-finnigan tim-finnigan added configuration response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p2 This is a standard priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Jul 12, 2024
@taraspos
Author

This is an issue in general when chaining AssumeRoles. Yes, I can specify some static value as role_session_name on every AssumeRole and it will work; however, in the case of source_profile/SSO the initial session name is set automatically by SSO federation, and it would be great to have an option to automatically pass it into the next AssumeRole.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jul 12, 2024
@tim-finnigan
Contributor

Thanks for following up, I think for now we can try to get more input and community discussion here regarding this feature request. Others can also 👍 your post if interested in this.
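
The behaviour requested in this issue can be approximated outside the CLI today. The following is an added example, not code from the issue, its participants or the AWS CLI: it reads the session name from the source credentials' assumed-role ARN and passes it as RoleSessionName on the next AssumeRole, so the chained session stays attributable to the same user. The function names and the fallback value are hypothetical; `preserve_source_role_session_name` remains only a proposed option.

```python
import re

# STS limits RoleSessionName to 2-64 characters from this set.
_SESSION_NAME_RE = re.compile(r"[\w+=,.@-]{2,64}", re.ASCII)


def source_session_name(caller_arn):
    """Return the session name from an assumed-role ARN, or None.

    Assumed-role ARNs look like
    arn:aws:sts::<account>:assumed-role/<role-name>/<session-name>.
    IAM user or root ARNs carry no session name, so they yield None.
    """
    parts = caller_arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "sts":
        return None
    resource = parts[5].split("/")
    if len(resource) != 3 or resource[0] != "assumed-role":
        return None
    name = resource[2]
    return name if _SESSION_NAME_RE.fullmatch(name) else None


def assume_role_preserving_session(sts, role_arn, fallback="chained-session"):
    """Call AssumeRole reusing the caller's own session name.

    `sts` is a boto3 STS client built from the source credentials.
    `fallback` (hypothetical default) is used when the source identity
    has no session name, e.g. long-lived IAM user keys.
    """
    caller_arn = sts.get_caller_identity()["Arn"]
    name = source_session_name(caller_arn) or fallback
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=name)
    return name, resp["Credentials"]


if __name__ == "__main__":
    import boto3  # imported here so the helpers above work without it

    # Profile name and role ARN come from the configuration in the issue.
    sts = boto3.Session(profile_name="sso").client("sts")
    name, _creds = assume_role_preserving_session(
        sts, "arn:aws:iam::123456789012:role/operator-role")
    print("assumed operator-role with session name", name)
```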
