allow customizing role session name #21012

Open
2 tasks
rittneje opened this issue Jul 6, 2022 · 4 comments
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. good first issue Related to contributions. See CONTRIBUTING.md p2

Comments

@rittneje

rittneje commented Jul 6, 2022

Describe the feature

When CDK automatically assumes a role (such as cdk-hnb659fds-deploy-role), currently it hard-codes the role session name to be "aws-cdk-<username>". This is not particularly useful for auditing when deployments are made via a CICD pipeline.

RoleSessionName: `aws-cdk-${safeUsername()}`,

Instead, it should allow specifying the role session name, either through a command line flag or through an environment variable.

Use Case

See above.

Proposed Solution

No response

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.28.0 (build ba233f0)

Environment details (OS name and version, etc.)

Alpine 3.16, Python 3.10.5

@rittneje rittneje added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Jul 6, 2022
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Jul 6, 2022
@rix0rrr rix0rrr added effort/small Small work item – less than a day of effort good first issue Related to contributions. See CONTRIBUTING.md p2 and removed needs-triage This issue or PR still needs to be triaged. labels Jul 7, 2022
@rix0rrr rix0rrr removed their assignment Jul 7, 2022
@daschaa
Contributor

daschaa commented Jul 10, 2022

Does this have to be behind a feature flag?

@rittneje
Author

@daschaa No, setting the environment variable or command line argument or whatever that specifies the custom role session name will suffice for the opt-in. If that is not set then it should continue to work the way it does today.

@daschaa
Contributor

daschaa commented Jul 10, 2022

@rittneje Yes that is true, we just have to make sure that the environment variable is not set in some CI/CD pipeline by mistake.

Do you have an idea how the environment variable could be named? 🤔

@rittneje
Author

@daschaa I think something simple like AWS_CDK_ROLE_SESSION_NAME should suffice. Barring that, it would even be good enough for our purposes for CDK to just reuse the role session name from the original credentials (assuming they are from a role assumption as opposed to an IAM user).
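The two options raised in this thread, sketched as one resolver. This is an added example, not part of the issue and not CDK's own code. Assumptions: `AWS_CDK_ROLE_SESSION_NAME` is only the name proposed above, the function names and the fallback order are hypothetical, and the validation follows the STS `RoleSessionName` constraints (2 to 64 characters from `[\w+=,.@-]`).

```typescript
// Added example (not CDK code). STS RoleSessionName: 2-64 chars from [\w+=,.@-].
const SESSION_NAME_PATTERN = /^[\w+=,.@-]{2,64}$/;

// Pull the session name out of an assumed-role caller ARN, the shape returned
// by sts:GetCallerIdentity. IAM users and other principals yield undefined.
function sessionNameFromCallerArn(arn: string): string | undefined {
  const match = /^arn:[^:]+:sts::\d{12}:assumed-role\/[^/]+\/([^/]+)$/.exec(arn);
  return match ? match[1] : undefined;
}

// Resolution order (an assumption of this sketch):
//   1. explicit opt-in through the proposed environment variable
//   2. session name inherited from the original assumed-role credentials
//   3. today's default, aws-cdk-<username>
function resolveRoleSessionName(
  env: Record<string, string | undefined>,
  username: string,
  callerArn?: string,
): string {
  const explicit = env['AWS_CDK_ROLE_SESSION_NAME'];
  if (explicit !== undefined && explicit !== '') {
    // Fail loudly instead of rewriting the value: a silently altered name
    // would no longer match what the pipeline operator expects to find
    // in CloudTrail.
    if (!SESSION_NAME_PATTERN.test(explicit)) {
      throw new Error(
        `AWS_CDK_ROLE_SESSION_NAME must be 2-64 characters from [\\w+=,.@-], got "${explicit}"`,
      );
    }
    return explicit;
  }

  const inherited = callerArn ? sessionNameFromCallerArn(callerArn) : undefined;
  if (inherited !== undefined && SESSION_NAME_PATTERN.test(inherited)) {
    return inherited;
  }

  // Default path: replace characters STS would reject, cap at 64 characters.
  const safe = username.replace(/[^\w+=,.@-]/g, '@') || 'noname';
  return `aws-cdk-${safe}`.slice(0, 64);
}
```

With a value such as the pipeline's run identifier in the variable, the CloudTrail `AssumeRole` event for the deploy role carries that identifier in its session name, which is the auditing link the issue asks for.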

HamzaSayadi pushed a commit to HamzaSayadi/aws-cdk that referenced this issue Oct 24, 2022
HamzaSayadi added a commit to HamzaSayadi/aws-cdk that referenced this issue Oct 24, 2022
HamzaSayadi added a commit to HamzaSayadi/aws-cdk that referenced this issue Oct 26, 2022