aws / aws-cli

Universal Command Line Interface for Amazon Web Services

Inherit `role_session_name` from the profile specified by `source_profile` #8893

Open yermulnik opened 1 week ago

yermulnik commented 1 week ago

Describe the feature

To simplify AWS CLI profiles configuration it would be great to have an option to inherit role_session_name from the profile specified by source_profile.

Use Case

We've got about 150-200 AWS CLI profiles configured to use source_profile to inherit credentials for assume role, and each needs an individual role_session_name option to be set. It would drastically simplify things if role_session_name could be inherited from the profile supplied via the source_profile parameter. Thanks.

Proposed Solution

Inherit role_session_name from the profile specified by source_profile.

Other Information

No response

Acknowledgements

CLI version used

aws-cli/2.17.42 Python/3.11.9 Linux/6.6.5-060605-generic source/x86_64.ubuntu.22

Environment details (OS name and version, etc.)

Ubuntu 22.04.4 LTS (Jammy Jellyfish)

tim-finnigan commented 1 week ago

Thanks for reaching out. The AWS CLI documentation for role_session_name notes:

role_session_name - The name applied to this assume-role session. This value affects the assumed role user ARN (such as arn:aws:sts::123456789012:assumed-role/role_name/role_session_name). This maps to the RoleSessionName parameter in the AssumeRole operation. This is an optional parameter. If you do not provide this value, a session name will be automatically generated.

Since this is optional/automatically generated, can you share more details on your use case regarding why this is needed?

yermulnik commented 1 week ago

can you share more details on your use case regarding why this is needed?

@tim-finnigan We'd be keen to provide a common AWS CLI configuration template with role_session_name supplied per user, so that the assumed-role ARN is set to something meaningful like arn:aws:sts::123456789012:assumed-role/role_name/name.surname@domain.com instead of the auto-generated arn:aws:sts::123456789012:assumed-role/role_name/botocore-session-<timestamp>.

Such a meaningful ARN simplifies identification of users when debugging or investigating issues, without needing to dig into looking up who was assuming the role at that time from our single sign-on AWS account.

We do understand that users can customize this value, though given that the vast majority of users aren't tech-savvy, we expect them to be able to adjust a single string in the default profile so that role_session_name is populated via the inheritance provided by source_profile to the other pre-defined profiles, instead of asking users to adjust role_session_name in each of the pre-defined profiles (each team has several dozen AWS CLI profiles to assume roles in each of our AWS accounts, and the DevOps team has a total of 150-200 profiles they need to work with and validate for other teams) or in profiles that they create on their own for specific use cases.
We do understand that users can customize this value, though given vast majority of users ain't into tech savvy we expect them to be able to adjust a single string in default profile so that role_session_name is populated via inheritance provided by source_profile to other pre-defined profiles instead of asking users to adjust role_session_name in each of the profiles that are pre-defined (each team has about several dozens of AWS CLI profiles to assume roles in each of our AWS accounts and DevOps team has a total of 150-200 profiles they need to work with and validate for other teams) or profiles that they create on their own per specific use cases.