From 216eb365422ffdc78151008ca56e8820dc136ca9 Mon Sep 17 00:00:00 2001
From: pjanik
Date: Wed, 15 Jul 2020 14:58:22 +0200
Subject: [PATCH] Truncate RoleSessionName when necessary [#173812777]
---
 functions/src/base-resource-object.ts | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/functions/src/base-resource-object.ts b/functions/src/base-resource-object.ts
index 7b3a0ba..54cc8a7 100644
--- a/functions/src/base-resource-object.ts
+++ b/functions/src/base-resource-object.ts
@@ -424,12 +424,20 @@ export class S3ResourceObject extends BaseResourceObject {
 accessKeyId: config.aws.key,
 secretAccessKey: config.aws.secret
 });
+ let roleSessionName = `token-service-${this.type}-${this.tool}-${this.id}`;
+ // Max length of this value is 64, see: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
+ // Preprocess roleSessionName when necessary.
+ if (roleSessionName.length > 64) {
+ // md5 hash has 32 characters.
+ const md5Hash = crypto.createHash("md5").update(`${this.type}-${this.tool}-${this.id}`).digest("hex");
+ roleSessionName = `token-service-${md5Hash}`;
+ }
 const params: STS.AssumeRoleRequest = {
 DurationSeconds: config.aws.s3credentials.duration,
 // ExternalId: // not needed
 Policy: policy,
 RoleArn: config.aws.s3credentials.rolearn,
- RoleSessionName: `token-service-${this.type}-${this.tool}-${this.id}`
+ RoleSessionName: roleSessionName
 };
 sts.assumeRole(params, (err, data) => {
 if (err) {
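Review bot: In the over-64 branch, `roleSessionName = \`token-service-${md5Hash}\`` swaps type, tool and id for an opaque MD5 digest, and since RoleSessionName is the session identifier that ends up in the assumed-role ARN and in CloudTrail, those sessions can no longer be tied to a resource from the logs alone. I would hash with SHA-256 and fill the 50 characters left after the 14-character prefix, `const digest = crypto.createHash("sha256").update(\`${this.type}-${this.tool}-${this.id}\`).digest("hex").slice(0, 50);`, which avoids MD5 (rejected on FIPS-restricted Node builds, and collidable if `this.id` is caller-influenced), and log the digest next to the resource id so it can be resolved later. The short-name path still sends the raw fields, so values containing characters outside what STS accepts for this parameter (`[\w+=,.@-]`) would presumably still fail the call; whether the fields are constrained upstream is not visible here. The diffstat shows no import change, so `crypto` has to be in scope already elsewhere in the file, and the enclosing method starts and ends outside the hunk.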