Open yermulnik opened 1 week ago
Thanks for reaching out. The AWS CLI documentation for role_session_name notes:
role_session_name - The name applied to this assume-role session. This value affects the assumed role user ARN (such as arn:aws:sts::123456789012:assumed-role/role_name/role_session_name). This maps to the RoleSessionName parameter in the AssumeRole operation. This is an optional parameter. If you do not provide this value, a session name will be automatically generated.
Since this is optional/automatically generated, can you share more details on your use case regarding why this is needed?
can you share more details on your use case regarding why this is needed?
@tim-finnigan We'd be keen to provide a common AWS CLI configuration template with role_session_name supplied per user so that the assumed role ARN is set to something meaningful like arn:aws:sts::123456789012:assumed-role/role_name/name.surname@domain.com instead of the auto-generated arn:aws:sts::123456789012:assumed-role/role_name/botocore-session-<timestamp>.
Such a meaningful ARN simplifies identification of users when debugging or investigating issues w/o a need to dig into looking up who was assuming the role at that time from our single sign-on AWS account.
We do understand that users can customize this value, though given that the vast majority of users aren't tech savvy, we expect them to be able to adjust a single string in the default profile so that role_session_name is populated via inheritance provided by source_profile to other pre-defined profiles, instead of asking users to adjust role_session_name in each of the profiles that are pre-defined (each team has about several dozen AWS CLI profiles to assume roles in each of our AWS accounts, and the DevOps team has a total of 150-200 profiles they need to work with and validate for other teams) or profiles that they create on their own per specific use cases.
Describe the feature
To simplify AWS CLI profiles configuration it would be great to have an option to inherit role_session_name from the profile specified by source_profile.
Use Case
We've got about 150-200 AWS CLI profiles configured to use source_profile to inherit credentials for assume role and each needs an individual role_session_name option to be set. It would drastically simplify things if role_session_name could be inherited from the profile supplied with source_profile parameter. Thanks.
Proposed Solution
Inherit role_session_name from the profile specified by source_profile.
Other Information
No response
CLI version used
aws-cli/2.17.42 Python/3.11.9 Linux/6.6.5-060605-generic source/x86_64.ubuntu.22
Environment details (OS name and version, etc.)
Ubuntu 22.04.4 LTS (Jammy Jellyfish)
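A workaround sketch for the use case described in this issue, as an added example that is not part of the issue or of the AWS CLI: it copies role_session_name down each source_profile chain of a config file so that every assumed-role ARN carries the user's name. The profile names, account IDs and sample config are constructed, and the function names are hypothetical; the length and character check follows the STS AssumeRole constraints on RoleSessionName.

```python
import configparser
import io
import re
# STS AssumeRole limits RoleSessionName to 2-64 characters from [\w+=,.@-].
SESSION_NAME_RE = re.compile(r"[\w+=,.@-]{2,64}")
# Constructed sample of ~/.aws/config; all names and account IDs are placeholders.
SAMPLE_CONFIG = """\
[default]
role_session_name = name.surname@domain.com
[profile dev-admin]
source_profile = default
role_arn = arn:aws:iam::123456789012:role/role_name
[profile prod-readonly]
source_profile = dev-admin
role_arn = arn:aws:iam::210987654321:role/role_name
[profile pinned]
source_profile = default
role_arn = arn:aws:iam::123456789012:role/other_role
role_session_name = ci-job
"""

def section_of(profile):
    return "default" if profile == "default" else f"profile {profile}"

def resolve_session_name(cfg, profile):
    """Follow source_profile links until a profile sets role_session_name."""
    seen = set()
    while profile and profile not in seen and cfg.has_section(section_of(profile)):
        seen.add(profile)
        section = section_of(profile)
        if cfg.has_option(section, "role_session_name"):
            return cfg.get(section, "role_session_name")
        profile = cfg.get(section, "source_profile", fallback=None)
    return None  # chain ended, looped, or points at a missing profile

def propagate(config_text):
    """Return the config with role_session_name filled into role profiles lacking one."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    for section in cfg.sections():
        if cfg.has_option(section, "role_arn") and not cfg.has_option(section, "role_session_name"):
            name = resolve_session_name(cfg, cfg.get(section, "source_profile", fallback=None))
            if name and not SESSION_NAME_RE.fullmatch(name):
                raise ValueError(f"invalid role_session_name {name!r} for [{section}]")
            if name:
                cfg.set(section, "role_session_name", name)
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()
```

Profiles that already set their own role_session_name are left untouched, and a value that STS would reject stops the run before anything is written.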