Session Manager showing "botocore-session-xxxxxxxx" when the session started via CLI + AssumeRole - Githubissues

aws / amazon-ssm-agent

An agent to enable remote management of your EC2 instances, on-premises servers, or virtual machines (VMs).

https://aws.amazon.com/systems-manager/

Apache License 2.0

1.03k stars 323 forks source link

Session Manager showing "botocore-session-xxxxxxxx" when the session started via CLI + AssumeRole #534

Closed crispy101 closed 9 months ago

crispy101 commented 10 months ago

Issue Say you are using a cross account access role, i.e. authenticated in MASTER account to access PRODUCTION account. In ~/.aws/config:

[profile MASTER]

[profile PRODUCTION]
source_profile = MASTER
role_arn = arn:aws:iam::<ACCOUNT_ID_OF_PRODUCTION_ACCOUNT>:role/<ROLE_NAME>

Run the command below to open a session:

aws ssm start-session --target <Instance-ID> --profile PRODUCTION

Now SSM Session Manager console, as well as CloudTrail, sees "botocore-session-xxxxxxxx" instead of your username on the MASTER account.

Desired behaviour

Your username on the MASTER is shown in SSM Session Manager console and recorded in CloudTrail - this already happens when you start a session via the Console.

pjaybell commented 9 months ago

I've had the same issue and it's solvable by populating role_session_name in the ~/.aws/config file for each profile with the role_arn.

You can enforce a policy to make the role_session_name be provided. There's an example in the below link to AWS's docs which enforces the role_session_name must equal the user's AWS username.

https://aws.amazon.com/blogs/security/easily-control-naming-individual-iam-role-sessions/

Once you do that, the session name will be the value of role_session_name, not boto-session-xxxxx.

crispy101 commented 9 months ago

@pjaybell It works like a charm! Thanks very much!