Open rittneje opened 2 years ago
Does this have to be behind a feature flag?
@daschaa No, setting the environment variable or command line argument or whatever that specifies the custom role session name will suffice for the opt-in. If that is not set then it should continue to work the way it does today.
@rittneje Yes that is true, we just have to make sure that the environment variable is not set in some CI/CD pipeline by mistake.
Do you have an idea how the environment variable could be named? 🤔
@daschaa I think something simple like AWS_CDK_ROLE_SESSION_NAME should suffice. Barring that, it would even be good enough for our purposes for CDK to just reuse the role session name from the original credentials (assuming they are from a role assumption as opposed to an IAM user).
Would love to see this feature, it's a bummer the linked PR wasn't able to be merged
Describe the feature
When CDK automatically assumes a role (such as cdk-hnb659fds-deploy-role), currently it hard-codes the role session name to be "aws-cdk-<username>". This is not particularly useful for auditing when deployments are made via a CICD pipeline.
https://github.com/aws/aws-cdk/blob/400ad91cb926fb0a6d71039f8eba3bb63e7c8ca8/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts#L348
Instead, it should allow specifying the role session name, either through a command line flag or through an environment variable.
Use Case
See above.
Proposed Solution
No response
Other Information
No response
CDK version used
2.28.0 (build ba233f0)
Environment details (OS name and version, etc.)
Alpine 3.16, Python 3.10.5
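
A sketch of the opt-in discussed in this thread, added here as an example and not taken from the issue or from aws-cdk: the session name comes from an environment variable when set, is validated against the STS RoleSessionName constraint, and otherwise falls back to the current "aws-cdk-<username>" default. AWS_CDK_ROLE_SESSION_NAME is the name proposed above, not an existing CDK setting; the function names, the account id and the pipeline id are assumptions.

```typescript
// Added example, not aws-cdk code. AWS_CDK_ROLE_SESSION_NAME is the name
// proposed in the thread, not an existing CDK setting.
const ENV_VAR = "AWS_CDK_ROLE_SESSION_NAME";

// STS AssumeRole constraint on RoleSessionName: 2-64 chars from [\w+=,.@-].
const STS_SESSION_NAME = /^[\w+=,.@-]{2,64}$/;

type Env = Record<string, string | undefined>;

interface SessionNameChoice {
  name: string;
  source: "env" | "default";
}

// Default as described in the issue: "aws-cdk-<username>". Replacing
// disallowed characters with "@" and truncating to 64 is an assumption here.
function defaultSessionName(username: string): string {
  const safe = username.replace(/[^\w+=,.@-]/g, "@");
  return `aws-cdk-${safe}`.slice(0, 64);
}

function resolveRoleSessionName(env: Env, username: string): SessionNameChoice {
  const requested = env[ENV_VAR];
  // Unset or empty: the opt-in is not used, behaviour stays as it is today.
  if (requested === undefined || requested === "") {
    return { name: defaultSessionName(username), source: "default" };
  }
  // Fail closed instead of silently rewriting: the session name is what the
  // audit trail records, so a mangled value would defeat its purpose.
  if (!STS_SESSION_NAME.test(requested)) {
    throw new Error(`${ENV_VAR} must match ${STS_SESSION_NAME.source}`);
  }
  return { name: requested, source: "env" };
}

// The assumed-role ARN that CloudTrail shows as the caller for the session.
function assumedRoleArn(account: string, role: string, session: string): string {
  return `arn:aws:sts::${account}:assumed-role/${role}/${session}`;
}

// Constructed values: the account id and pipeline id are made up.
const sample = assumedRoleArn("123456789012", "cdk-hnb659fds-deploy-role",
  resolveRoleSessionName({ [ENV_VAR]: "pipeline-1234" }, "root").name);
```

Returning the source alongside the name lets the caller log whether the environment variable was picked up, which helps spot a pipeline where it was set by mistake.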