Add support for specifying source identity when assuming roles with config files
Is your feature request related to a problem? Please describe.
When assuming roles with profiles specified in the config file (~/.aws/config), source identity cannot be specified.
Describe the solution you'd like
Source identity is a new feature that was added to STS in April, which allows you to easily identify who assumed IAM roles. Unlike role session names, it's preserved even after assuming other roles with role chaining.
https://aws.amazon.com/about-aws/whats-new/2021/04/aws-identity-and-access-management-now-makes-it-easier-to-relate-a-users-iam-role-activity-to-their-corporate-identity/
Most of the time I use aws-vault. I already created a pull request for adding the feature, as aws-vault uses its own config parser, not botocore's parser or AWS SDK for Go's parser.
https://github.com/99designs/aws-vault/pull/807
I still sometimes need to rely on the AWS CLI for assuming roles, so it would be great if the AWS CLI supported it as well. I created the issue in this repo because the configuration parser is implemented in botocore.
Hi @vroad,
Thanks for the feature request! You may already be aware, but you are able to use the --source-identity parameter in an assume-role call in the CLI, but we'll take note of the config file feature request. Because the majority of AWS SDKs use the config file and this is functionality that, if implemented, we would like to make available across all AWS SDKs, I've created a new issue to track this in our shared-sdk repository and will be escalating this internally. I'll let you know when I have an update!
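An added example, not part of the thread and not AWS CLI or botocore code: a sketch of the requested behaviour as a wrapper that reads a profile and builds the parameters for the assume-role call with --source-identity mentioned above. The source_identity config key, the profile names, the default session name and the account ID are assumptions made for illustration; the AWS CLI does not read such a key.

```python
import configparser
import re

# Constructed sample of ~/.aws/config. "source_identity" is a hypothetical key
# that the AWS CLI does not read today; the account ID and names are made up.
SAMPLE_CONFIG = """
[profile base]
region = us-east-1

[profile audit]
role_arn = arn:aws:iam::111122223333:role/ExampleAuditRole
source_profile = base
role_session_name = cli-session
source_identity = alice@example.com
"""

# STS accepts 2-64 characters from [\w+=,.@-] for SourceIdentity.
SOURCE_IDENTITY_RE = re.compile(r"[\w+=,.@-]{2,64}")


def assume_role_params(config_text, profile):
    """Return (source_profile, AssumeRole parameters) for a config profile."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    section = f"profile {profile}"
    if not parser.has_section(section):
        raise KeyError(f"no such profile: {profile}")
    cfg = parser[section]
    if "role_arn" not in cfg:
        raise ValueError(f"profile {profile} has no role_arn")
    params = {
        "RoleArn": cfg["role_arn"],
        "RoleSessionName": cfg.get("role_session_name", "cli-session"),
    }
    sid = cfg.get("source_identity")
    if sid is not None:
        # Fail closed: a malformed value must not silently drop attribution.
        if not SOURCE_IDENTITY_RE.fullmatch(sid):
            raise ValueError(f"invalid source_identity in profile {profile}")
        params["SourceIdentity"] = sid
    return cfg.get("source_profile"), params


def as_cli_args(params):
    """Render the parameters as arguments for `aws sts assume-role`."""
    flags = {"RoleArn": "--role-arn", "RoleSessionName": "--role-session-name",
             "SourceIdentity": "--source-identity"}
    return [a for k, f in flags.items() if k in params for a in (f, params[k])]
```

The call only succeeds if the role's trust policy also allows sts:SetSourceIdentity for the calling principal.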
FYI the related core-sdk issue (https://github.com/aws/aws-sdk/issues/124) has been closed, so is this the primary issue to track this change? It would be useful functionality to have!
Yes, the whole aws-sdk repository was closed, and this feature request is now tracked in this issue.