
Support Session Tags when assuming a Role

Open benbridts opened this issue 2 years ago • 7 comments

Is your feature request related to a problem? Please describe. Currently you can't use a named profile to assume a role if you want to have session tags present on that role.

Describe the solution you'd like It would be great if I could use an environment variable (and config option) to also add session tags to an assume role:

AWS_SESSION_TAGS='ChangeTicket=CT-1234' AWS_DEFAULT_PROFILE='profile' aws sts get-caller-identity
# or
AWS_SESSION_TAGS='ChangeTicket=CT-1234' aws sts get-caller-identity --profile profile
# or
aws sts get-caller-identity --profile profile --cli-session-tags ChangeTicket=CT-1234

Describe alternatives you've considered Currently you can either do the STS call yourself as an external process (which is annoying), or use a third-party tool (which might not be wanted).

benbridts avatar Feb 03 '22 19:02 benbridts

Hi @benbridts thanks for reaching out. For passing session tags using AssumeRole you can refer to this documentation: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_adding-assume-role

Is your request for something beyond that? Please let us know if there’s a distinction you want to make.

tim-finnigan avatar Feb 04 '22 15:02 tim-finnigan

Thanks, Tim

I'm looking for the CLI to do the assumeRole call for me.

For example, currently I might have a CLI config that's similar to this:

[profile iam-user]
output = json
region = eu-west-1
mfa_serial = arn:aws:iam::111111111111:mfa/ben

[profile role]
output = json
region = eu-west-1
source_profile = iam-user
role_arn = arn:aws:iam::222222222222:role/role-name
mfa_serial = arn:aws:iam::111111111111:mfa/ben

When I call aws --profile role ..., the CLI will automatically do the STS call with the credentials stored in ~/.aws/credentials, and cache the session credentials of the role profile.

I want to do the same thing, but also having the CLI pass tags when it assumes the role.

eg. let's say I add this to the configuration file

[profile role-with-tag]
output = json
region = eu-west-1
source_profile = iam-user
role_arn = arn:aws:iam::222222222222:role/role-name
mfa_serial = arn:aws:iam::111111111111:mfa/ben
session_tags = SomeTag=SomeValue,OtherTag=OtherValue

I would like aws --profile role-with-tag to work, even if the Trust Policy of the role requires SomeTag to be present (so doing the assumeRole that happens behind the scenes with the Tags parameter filled).

This becomes extra powerful if I can specify the tags in an environment variable, as that would allow me to add more dynamic tags.

One use case here might be that I want to log some metadata about why I'm doing a bunch of commands in CloudTrail. If I'm using a ticketing system, I probably have a ticket number to refer to, so my terminal session could look like this:

# define which ticket I'm working on
export AWS_SESSION_TAGS="ChangeTicket=CT-1234"
# define which account/role I'm using
export AWS_DEFAULT_PROFILE='role-with-tag'
# from here the CLI will do an assumeRole with the session tags defined above
aws sts get-caller-identity
aws s3 sync ...

(There are also other use cases, where you might want to use the tag value in the IAM policy)

Hope this helps!

benbridts avatar Feb 04 '22 18:02 benbridts

Thanks @benbridts for expanding on your feature request and providing a use case! That helped me better understand the ask here. We will keep this issue open to get more input from the team/community and others can 👍 your original post to show their support.

tim-finnigan avatar Feb 04 '22 22:02 tim-finnigan

This is exactly what we're looking for as well and agreed on being able to set tags either in the profile config or as environment variables. In addition to using the AWS CLI, we would like to pass a profile name to the AWS terraform provider and have it assume a role with tags based on the profile configuration (of course there are other ways to configure the terraform provider with this behavior, but not ideal for our setup). Hope to see this feature soon!

ghost avatar Jun 22 '23 22:06 ghost

Can I also throw in "source identity" as well?

austintlee avatar Dec 06 '23 22:12 austintlee
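The workaround benbridts mentions (doing the STS call yourself as an external process) can be wired into the CLI today through the existing `credential_process` profile setting: the CLI runs the configured command, reads the JSON credentials it prints, and uses them for the profile. The script below is an added example, not code from the aws-cli project or from anyone in this thread. It reads the tags from an `AWS_SESSION_TAGS` variable in the `Key=Value,Key2=Value2` form proposed above, validates them against the AssumeRole limits, and also supports the `SourceIdentity` parameter austintlee asked about. The `ASSUME_ROLE_ARN`, `AWS_TRANSITIVE_TAG_KEYS`, `AWS_SOURCE_IDENTITY`, `AWS_MFA_SERIAL` and `AWS_ROLE_SESSION_NAME` variable names and the default `iam-user` source profile are assumptions of this example; `Tags`, `TransitiveTagKeys`, `SourceIdentity`, `SerialNumber` and `TokenCode` are real AssumeRole parameters.

```python
"""Emit AWS CLI credential_process JSON for a role assumed with session tags.

Added example (not aws-cli project code). Assumed env var names:
ASSUME_ROLE_ARN, AWS_SESSION_TAGS, AWS_TRANSITIVE_TAG_KEYS, AWS_SOURCE_IDENTITY,
AWS_MFA_SERIAL, AWS_ROLE_SESSION_NAME. First argv is the static source profile.
"""
import getpass
import json
import os
import sys
from typing import Dict, List, Optional, Sequence

# Session tag limits from the STS AssumeRole API reference.
MAX_TAGS = 50
MAX_KEY_LEN = 128
MAX_VALUE_LEN = 256


def parse_session_tags(spec: str) -> List[Dict[str, str]]:
    """Parse 'Key=Value,Key2=Value2' into the Tags list AssumeRole expects.

    Malformed, duplicate, oversized or too many tags fail here, locally,
    instead of as an AccessDenied against the role's trust policy.
    """
    tags: List[Dict[str, str]] = []
    seen = set()
    for item in filter(None, (part.strip() for part in spec.split(","))):
        key, sep, value = item.partition("=")
        if not sep or not key:
            raise ValueError(f"tag {item!r} is not Key=Value")
        if key in seen:
            raise ValueError(f"duplicate tag key {key!r}")
        if len(key) > MAX_KEY_LEN or len(value) > MAX_VALUE_LEN:
            raise ValueError(f"tag {key!r} exceeds STS key/value length limits")
        seen.add(key)
        tags.append({"Key": key, "Value": value})
    if len(tags) > MAX_TAGS:
        raise ValueError(f"at most {MAX_TAGS} session tags are allowed")
    return tags


def build_assume_role_params(role_arn: str, session_name: str, tags: List[Dict[str, str]],
                             transitive_keys: Sequence[str] = (), source_identity: Optional[str] = None,
                             mfa_serial: Optional[str] = None, token_code: Optional[str] = None) -> dict:
    """Build the keyword arguments for sts.assume_role().

    TransitiveTagKeys must be a subset of the tag keys, and an MFA serial
    without a one-time code is rejected before any network call is made.
    """
    missing = set(transitive_keys) - {t["Key"] for t in tags}
    if missing:
        raise ValueError(f"transitive keys not present in tags: {sorted(missing)}")
    params = {"RoleArn": role_arn, "RoleSessionName": session_name}
    if tags:
        params["Tags"] = tags
    if transitive_keys:
        params["TransitiveTagKeys"] = list(transitive_keys)
    if source_identity:
        params["SourceIdentity"] = source_identity
    if mfa_serial:
        if not token_code:
            raise ValueError("mfa_serial given but no MFA token code")
        params["SerialNumber"] = mfa_serial
        params["TokenCode"] = token_code
    return params


def to_credential_process_output(credentials: dict) -> dict:
    """Map an AssumeRole 'Credentials' block to the credential_process JSON shape."""
    expiration = credentials["Expiration"]
    if hasattr(expiration, "isoformat"):  # boto3 returns a datetime
        expiration = expiration.isoformat()
    return {
        "Version": 1,
        "AccessKeyId": credentials["AccessKeyId"],
        "SecretAccessKey": credentials["SecretAccessKey"],
        "SessionToken": credentials["SessionToken"],
        "Expiration": expiration,
    }


def main() -> int:
    import boto3  # lazy import: the helpers above need no SDK and can be tested offline

    # The source profile must hold static credentials (the thread's "iam-user").
    # Pointing it at the credential_process profile itself would make the CLI
    # re-run this script recursively.
    source_profile = sys.argv[1] if len(sys.argv) > 1 else "iam-user"
    tags = parse_session_tags(os.environ.get("AWS_SESSION_TAGS", ""))
    transitive = [k for k in os.environ.get("AWS_TRANSITIVE_TAG_KEYS", "").split(",") if k]
    mfa_serial = os.environ.get("AWS_MFA_SERIAL")
    # getpass prompts on the tty, so stdout stays reserved for the JSON the CLI parses.
    token_code = getpass.getpass("MFA code: ") if mfa_serial else None
    params = build_assume_role_params(
        os.environ["ASSUME_ROLE_ARN"], os.environ.get("AWS_ROLE_SESSION_NAME", "cli-session-tags"),
        tags, transitive, os.environ.get("AWS_SOURCE_IDENTITY"), mfa_serial, token_code)
    sts = boto3.Session(profile_name=source_profile).client("sts")
    json.dump(to_credential_process_output(sts.assume_role(**params)["Credentials"]), sys.stdout)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

To use it, give the role profile `credential_process = /path/to/assume_with_tags.py iam-user` instead of `source_profile`/`role_arn`, and export `ASSUME_ROLE_ARN` and `AWS_SESSION_TAGS` in the shell before running `aws --profile role-with-tag ...`. The role's trust policy has to allow `sts:TagSession` next to `sts:AssumeRole` (and `sts:SetSourceIdentity` if `AWS_SOURCE_IDENTITY` is set), and can require the tag with a condition on `aws:RequestTag/ChangeTicket`. Two caveats a practitioner should expect: the CLI does not cache external-process credentials the way it caches `source_profile` assume-role credentials, so every CLI invocation re-runs the script (and re-prompts for MFA), and only the JSON may be written to stdout.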

This is a feature that I was expecting to be already implemented, what is the status today ?

dynnamitt avatar Mar 19 '24 09:03 dynnamitt

> This is exactly what we're looking for as well and agreed on being able to set tags either in the profile config or as environment variables. In addition to using the AWS CLI, we would like to pass a profile name to the AWS terraform provider and have it assume a role with tags based on the profile configuration (of course there are other ways to configure the terraform provider with this behavior, but not ideal for our setup). Hope to see this feature soon!

It is supported in Terraform, btw:

  • https://github.com/hashicorp/terraform-provider-aws/issues/10994
  • https://github.com/hashicorp/aws-sdk-go-base/issues/21

dynnamitt avatar Mar 19 '24 09:03 dynnamitt