aws / aws-cli

Universal Command Line Interface for Amazon Web Services

Option to preserve `role_session_name` when chaining roles #8797

Open taraspos opened 1 month ago

taraspos commented 1 month ago

Describe the feature

Currently, if no role_session_name is set, it is set to a default value like botocore-session-xxxxxxx. However, it would be great to have an option to preserve the existing role_session_name when chaining roles.

Use Case

When using IAM Identity Center, the initially created session has role_session_name automatically set to the user name, like john.doe@example.com. However, on subsequent AssumeRole calls, the initial session name is lost and replaced with botocore-session-xxxxxxx. I would like to have an option to preserve the original session name when chaining roles.

Proposed Solution

Let's say the following configuration is used:

[profile sso]
sso_start_url = https://test.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789012
sso_role_name = SSORole
region = us-east-1

[profile operator]
role_arn = arn:aws:iam::123456789012:role/operator-role
region = us-east-1
source_profile = sso
+preserve_source_role_session_name = true

Other Information

No response

Acknowledgements

CLI version used

aws-cli/2.17.11

Environment details (OS name and version, etc.)

Darwin/23.5.0

tim-finnigan commented 1 month ago

Thanks for the feature request. Can't you specify role_session_name in your profile or the AWS_ROLE_SESSION_NAME environment variable? Also, --role-session-name is passed in the assume-role commands. Or are you saying this is specifically an issue when using source_profile/SSO?

taraspos commented 1 month ago

This is an issue in general when chaining AssumeRoles. Yes, I can specify some static value as role_session_name on every AssumeRole and it will work; however, in the case of source_profile/SSO the initial Session Name is set automatically by SSO federation, and it would be great to have an option to automatically pass it into the next AssumeRole.
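The chaining described in this thread, as an added example (not code from aws-cli or from the issue author): the federated session's name is read back from the caller's assumed-role ARN and passed as RoleSessionName into the next AssumeRole, so CloudTrail keeps attributing the chained session to john.doe@example.com instead of a botocore-session-xxxxxxx value. FakeSts is a constructed stand-in so the example runs offline; chain_assume_role accepts a real boto3 STS client in the same way.

```python
import re

# STS accepts RoleSessionName values of 2-64 characters matching [\w+=,.@-].
_INVALID_CHARS = re.compile(r"[^\w+=,.@-]", re.ASCII)
_ASSUMED_ROLE_ARN = re.compile(
    r"^arn:aws:sts::\d{12}:assumed-role/(?P<role>[^/]+)/(?P<session>[^/]+)$"
)

def session_name_from_arn(caller_arn):
    """Return the session name embedded in an assumed-role ARN, else None."""
    match = _ASSUMED_ROLE_ARN.match(caller_arn)
    return match.group("session") if match else None

def sanitize_session_name(name, fallback="chained-session"):
    """Make a candidate name acceptable to STS (replace bad chars, cap at 64)."""
    cleaned = _INVALID_CHARS.sub("-", name)[:64]
    return cleaned if len(cleaned) >= 2 else fallback

def chain_assume_role(sts, role_arn, fallback="chained-session"):
    """Assume role_arn, carrying the source session's name into the new session.

    `sts` is any object with boto3-style get_caller_identity()/assume_role();
    in real use pass boto3.client("sts") built from the source profile.
    """
    inherited = session_name_from_arn(sts.get_caller_identity()["Arn"])
    session_name = sanitize_session_name(inherited or fallback, fallback)
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name)
    return session_name, resp["Credentials"]

class FakeSts:
    """Constructed stand-in for the STS client so the example runs offline."""
    def __init__(self, caller_arn):
        self.caller_arn = caller_arn
        self.calls = []  # (RoleArn, RoleSessionName) pairs actually requested

    def get_caller_identity(self):
        return {"Account": "123456789012", "Arn": self.caller_arn}

    def assume_role(self, RoleArn, RoleSessionName, **_ignored):
        self.calls.append((RoleArn, RoleSessionName))
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE",  # constructed
                                "SecretAccessKey": "x", "SessionToken": "y"}}

if __name__ == "__main__":
    # Identity Center session named after the user, then the chained operator role.
    sso = FakeSts("arn:aws:sts::123456789012:assumed-role/SSORole/john.doe@example.com")
    name, _ = chain_assume_role(sso, "arn:aws:iam::123456789012:role/operator-role")
    print(name)  # john.doe@example.com survives into the chained session
```

If the caller is not an assumed role (for example an IAM user), there is no federated name to inherit and the fallback is used instead.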

tim-finnigan commented 1 month ago

Thanks for following up. I think for now we can try to get more input and community discussion here regarding this feature request. Others can also 👍 your post if interested in this.