When using federated login with IAM credentials, the federated token username is not easily attributable to a real user in the CloudTrail event logs.
For instance, on the CloudTrail event entry for GetFederationTokenInfo, the user name might be John.Smith, but the created federated token user's user name would be something like AIDA..., as currently the aws:userid (ref1, ref2) is being used.
This makes it hard to quickly attribute the real user to the federated user's events from the list view.
This is different from the assumed-role/SSO types of logins where the user name appears to correctly propagate into the session user (e.g. John.Smith@company.com).
The proposal is to use the aws:username, which would be something like John.Smith.
This is to further enhance the work done in #469 by addressing the feedback in the comments.
Originally referenced in #387
Thanks!
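The selection logic the proposal implies, as an added example that is not part of the original issue or of the project's code: pick the Name passed to sts:GetFederationToken from the IAM user name when it satisfies the documented constraints on that parameter (2 to 32 characters, pattern `[\w+=,.@-]*`), and fall back to the unique user id otherwise. The truncation-to-32 fallback, the helper names, the account id and the CloudTrail-like records are assumptions constructed for this example; only the Name constraints and the `arn:aws:sts::ACCOUNT:federated-user/NAME` ARN form come from AWS documentation.

```python
import re
from typing import Optional

# Constraints on the Name parameter of sts:GetFederationToken (AWS STS API reference).
FEDERATION_NAME_MIN = 2
FEDERATION_NAME_MAX = 32
FEDERATION_NAME_RE = re.compile(r"[\w+=,.@-]*", re.ASCII)


def is_valid_federation_name(name: str) -> bool:
    """True if `name` can be passed as-is as the Name of a GetFederationToken call."""
    return (FEDERATION_NAME_MIN <= len(name) <= FEDERATION_NAME_MAX
            and FEDERATION_NAME_RE.fullmatch(name) is not None)


def federation_token_name(user_name: Optional[str], user_id: str) -> str:
    """Choose the federated session Name (hypothetical helper for this example).

    Prefer the IAM user name (the aws:username proposal in the issue) so the
    session shows up in CloudTrail as 'John.Smith' rather than 'AIDA...'.
    Names that are valid but too long are truncated to 32 characters; this
    truncation is an assumption of the example, not something the issue specifies.
    Anything else (missing name, forbidden characters, too short) falls back to the
    unique user id, which is always a valid Name.
    """
    if user_name and is_valid_federation_name(user_name):
        return user_name
    if (user_name and FEDERATION_NAME_RE.fullmatch(user_name)
            and len(user_name) > FEDERATION_NAME_MAX):
        return user_name[:FEDERATION_NAME_MAX]
    return user_id


def federated_user_arn(account_id: str, name: str) -> str:
    """ARN under which the federated session is recorded in CloudTrail (userIdentity.arn)."""
    return f"arn:aws:sts::{account_id}:federated-user/{name}"


def session_display_name(record: dict) -> str:
    """The name an analyst sees for the session: the last path segment of userIdentity.arn."""
    return record["userIdentity"]["arn"].rsplit("/", 1)[-1]


def make_record(account_id: str, name: str, event_name: str) -> dict:
    """Constructed, minimal CloudTrail-like record for a federated session (not real log data)."""
    return {
        "eventName": event_name,
        "userIdentity": {
            "type": "FederatedUser",
            "principalId": f"{account_id}:{name}",
            "arn": federated_user_arn(account_id, name),
        },
    }


if __name__ == "__main__":
    account = "123456789012"          # constructed example account id
    iam_user, iam_user_id = "John.Smith", "AIDAEXAMPLEUSERID"   # constructed identifiers

    # Current behaviour described in the issue: Name = aws:userid.
    before = make_record(account, iam_user_id, "ListBuckets")
    # Proposed behaviour: Name = aws:username.
    after = make_record(account, federation_token_name(iam_user, iam_user_id), "ListBuckets")

    print("before:", session_display_name(before))   # AIDAEXAMPLEUSERID
    print("after: ", session_display_name(after))    # John.Smith
```

Running the module prints the session name as it would appear in the list view under the current and the proposed scheme. Note that an IAM user name can be up to 64 characters while the federation Name is capped at 32, so a fallback rule of some kind is needed regardless of which attribute is preferred.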