Open matpompili opened 1 month ago
Somewhat connected to https://github.com/aws/aws-cli/issues/6692, I think both features could be addressed by the same PR.
Thanks for reaching out. Requests for new config options/environment variables will need to be reviewed at a cross-SDK level since AWS SDKs, in addition to the CLI, use these configurations.
This does seem closely related to https://github.com/aws/aws-cli/issues/6692 as you mentioned. We might want to consolidate these for tracking. Wouldn't adding a configuration option for session tags meet the use case described here? Linking some other related docs for reference:
I am not sure setting a SessionTag only would work in my case, as I need to enable transitive tags for ${aws:PrincipalTag/user_group}, which is set using IdP information by the AssumeRoleWithWebIdentity, not directly by setting a tag value in the config file.
Describe the feature
Adding an option to the [profile ...] section of the config file, that allows the use of transitive tags during assume role chains.
Use Case
When calling any command in the CLI with the --profile option, the CLI automatically runs an assume_role chain to get credentials for the target profile.
To enable the use of ABAC policies via the CLI, one needs to be able to specify what tags need to be carried through the assume role chain.
Proposed Solution
No response
Other Information
No response
Acknowledgements
CLI version used
aws-cli/2.17.24 Python
Environment details (OS name and version, etc.)
3.11.9 Darwin/22.6.0 source/arm64