Support Session Tags when assuming a Role #6692
Comments
Hi @benbridts, thanks for reaching out. For passing session tags using AssumeRole you can refer to this documentation: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_adding-assume-role Is your request for something beyond that? Please let us know if there's a distinction you want to make.
Thanks, Tim. I'm looking for the CLI to do the assumeRole call for me. For example, currently I might have a CLI config that's similar to this:

```ini
[profile iam-user]
output = json
region = eu-west-1
mfa_serial = arn:aws:iam::11111111111111:mfa/ben

[profile role]
output = json
region = eu-west-1
source_profile = iam-user
role_arn = arn:aws:iam::222222222222:role/role-name
mfa_serial = arn:aws:iam::11111111111111:mfa/ben
```

When I call, I want to do the same thing, but also have the CLI pass tags when it assumes the role. E.g., let's say I add this to the configuration file:

```ini
[profile role-with-tag]
output = json
region = eu-west-1
source_profile = iam-user
role_arn = arn:aws:iam::222222222222:role/role-name
mfa_serial = arn:aws:iam::11111111111111:mfa/ben
session_tags = SomeTag=SomeValue,OtherTag=OtherValue
```

I would like

This becomes extra powerful if I can specify the tags in an environment variable, as that would allow me to add more dynamic tags. One use case here might be that I want to log some metadata about why I'm doing a bunch of commands in CloudTrail.

```sh
# define which ticket I'm working on
export SESSION_TAGS="ChangeTicket=CT-1234"
# define which account/role I'm using
export AWS_DEFAULT_PROFILE='role-with-tag'
# from here the CLI will do an assumeRole with the session tags defined below
aws sts get-caller-identity
aws s3 sync ...
```

(There are also other use cases, where you might want to use the tag value in the IAM policy.) Hope this helps!
Thanks @benbridts for expanding on your feature request and providing a use case! That helped me better understand the ask here. We will keep this issue open to get more input from the team/community and others can 👍 your original post to show their support.

This is exactly what we're looking for as well and agreed on being able to set tags either in the profile config or as environment variables. In addition to using the AWS CLI, we would like to pass a profile name to the AWS terraform provider and have it assume a role with tags based on the profile configuration (of course there are other ways to configure the terraform provider with this behavior, but not ideal for our setup). Hope to see this feature soon!
Can I also throw in "source identity" as well? |
This is a feature that I was expecting to be already implemented; what is the status today?

It is supported in Terraform, btw.
Is your feature request related to a problem? Please describe.

Currently you can't use a named profile to assume a role if you want to have session tags present on that role.

Describe the solution you'd like

It would be great if I could use an environment variable (and config option) to also add session tags to an assume role:

Describe alternatives you've considered

Currently you can either do the STS call yourself as an external process (which is annoying), or use a third party tool (which might not be wanted).
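The "do the STS call yourself as an external process" alternative from the issue body, worked through as an added example that is not code from the aws-cli project or from anyone in this thread. It is a `credential_process` helper that reads tags in the same `Key=Value,Key2=Value2` form the `session_tags` config key and the `SESSION_TAGS` variable above use, validates them against the STS session-tag limits, and emits the JSON document the CLI expects from a credential process. The `SESSION_TAGS`, `SOURCE_PROFILE`, `SOURCE_IDENTITY`, `MFA_SERIAL`, `MFA_TOKEN_CODE` and `ROLE_SESSION_NAME` environment variables, the script name and the profile wiring in the docstring are this example's own assumptions, not AWS CLI features; only the `boto3` `assume_role` parameters and the `credential_process` output format are real.

```python
"""Assume a role with session tags from a credential_process helper.

Added example, not aws-cli project code. Wire it into ~/.aws/config as
(assumed profile and path):

    [profile role-with-tag]
    region = eu-west-1
    credential_process = python3 /path/to/assume_with_tags.py arn:aws:iam::222222222222:role/role-name

The CLI inherits the caller's environment when it runs the process, so
SESSION_TAGS="ChangeTicket=CT-1234" set in the shell reaches the STS call.
"""
import json
import os
import sys

# Limits from the STS session-tag documentation: at most 50 tags per
# session, keys up to 128 characters, values up to 256 characters.
MAX_TAGS = 50
MAX_KEY_LEN = 128
MAX_VALUE_LEN = 256


def parse_session_tags(spec):
    """Turn 'Key=Value,Key2=Value2' (the format proposed in the issue)
    into the Tags list that sts:AssumeRole expects.

    A pair without '=' or with an empty key is rejected rather than
    skipped: a silently dropped tag would defeat an IAM policy that
    conditions on aws:PrincipalTag and would leave CloudTrail without
    the metadata the caller meant to record.
    """
    tags = []
    for pair in (spec or "").split(","):
        pair = pair.strip()
        if not pair:
            continue
        if "=" not in pair:
            raise ValueError(f"session tag {pair!r} is not Key=Value")
        key, value = (part.strip() for part in pair.split("=", 1))
        if not key or len(key) > MAX_KEY_LEN or len(value) > MAX_VALUE_LEN:
            raise ValueError(f"session tag {pair!r} has an invalid key or value")
        tags.append({"Key": key, "Value": value})
    if len(tags) > MAX_TAGS:
        raise ValueError(f"too many session tags: {len(tags)} > {MAX_TAGS}")
    return tags


def build_assume_role_kwargs(role_arn, session_name, tags,
                             source_identity=None, mfa_serial=None,
                             token_code=None):
    """Build the keyword arguments for boto3's sts.assume_role()."""
    kwargs = {"RoleArn": role_arn, "RoleSessionName": session_name}
    if tags:  # the role's trust policy must also grant sts:TagSession
        kwargs["Tags"] = tags
    if source_identity:  # needs sts:SetSourceIdentity in the trust policy
        kwargs["SourceIdentity"] = source_identity
    if mfa_serial:
        if not token_code:
            raise ValueError("MFA serial given without a token code")
        kwargs["SerialNumber"] = mfa_serial
        kwargs["TokenCode"] = token_code
    return kwargs


def credential_process_output(creds):
    """Shape AssumeRole credentials into the JSON document the CLI's
    credential_process contract reads (Version 1, ISO-8601 Expiration).
    boto3 returns Expiration as a datetime; a string is passed through."""
    expiration = creds["Expiration"]
    if not isinstance(expiration, str):
        expiration = expiration.isoformat()
    return {
        "Version": 1,
        "AccessKeyId": creds["AccessKeyId"],
        "SecretAccessKey": creds["SecretAccessKey"],
        "SessionToken": creds["SessionToken"],
        "Expiration": expiration,
    }


def main(argv):
    if len(argv) != 2:
        sys.stderr.write("usage: assume_with_tags.py ROLE_ARN\n")
        return 2
    kwargs = build_assume_role_kwargs(
        role_arn=argv[1],
        session_name=os.environ.get("ROLE_SESSION_NAME", "cli-with-tags"),
        tags=parse_session_tags(os.environ.get("SESSION_TAGS", "")),
        source_identity=os.environ.get("SOURCE_IDENTITY"),
        mfa_serial=os.environ.get("MFA_SERIAL"),
        token_code=os.environ.get("MFA_TOKEN_CODE"),
    )
    import boto3  # imported here so the helpers above run without it
    # Credentials for the STS call come from the source profile (assumed
    # SOURCE_PROFILE variable), the role that source_profile plays today.
    session = boto3.session.Session(profile_name=os.environ.get("SOURCE_PROFILE"))
    resp = session.client("sts").assume_role(**kwargs)
    json.dump(credential_process_output(resp["Credentials"]), sys.stdout)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two checks before relying on this: the target role's trust policy has to allow `sts:TagSession` (and `sts:SetSourceIdentity` if a source identity is passed) or STS rejects the call with AccessDenied, and the tags show up in the AssumeRole event in CloudTrail, which is what makes the ChangeTicket use case above auditable.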