
AWS CLI does not propagate session tags through profiles due to lack of TransitiveTagKeys support #8953

Open
matpompili opened this issue Oct 2, 2024 · 3 comments
Labels
configuration feature-request A feature should be added or improved. p2 This is a standard priority issue

Comments


matpompili commented Oct 2, 2024

Describe the feature

Adding an option to the [profile ...] section of the config file that allows the use of transitive tags during assume role chains.

[profile sso-user]
sso_session = my-sso-session
source_profile = sso-user-access
role_arn = arn:aws:iam::123456789012:role/SSOUserRole
region = us-east-1
transitive_tags = my_transitive_tag # <- new option

Use Case

When calling any command in the CLI with the --profile option, the CLI automatically runs an assume_role chain to get credentials for the target profile.

To enable the use of ABAC policies via the CLI, one needs to be able to specify what tags need to be carried through the assume role chain.

Proposed Solution

No response

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CLI version used

aws-cli/2.17.24 Python

Environment details (OS name and version, etc.)

3.11.9 Darwin/22.6.0 source/arm64
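To make the proposed option concrete, here is an added example (not code from the AWS CLI or from this issue's author) that parses a config in the shape shown above and walks the source_profile chain, emitting the STS AssumeRole parameters each hop would carry. The semantics of the hypothetical transitive_tags key (a comma-separated list of tag keys mapped to the real AssumeRole TransitiveTagKeys parameter) are an assumption; the profile names and role ARNs are constructed sample values.

```python
import configparser
from typing import Dict, List

# Constructed config in the shape the issue proposes. "transitive_tags" is the
# hypothetical new option; every other key is a real AWS CLI profile option.
CONFIG_TEXT = """
[profile sso-user-access]
sso_session = my-sso-session

[profile sso-user]
source_profile = sso-user-access
role_arn = arn:aws:iam::123456789012:role/SSOUserRole
transitive_tags = user_group, cost_center  # <- proposed option

[profile project-admin]
source_profile = sso-user
role_arn = arn:aws:iam::123456789012:role/ProjectAdmin
"""


def load_profiles(text: str) -> Dict[str, Dict[str, str]]:
    """Parse CLI config text into {profile_name: options}, dropping '# ...' inline comments."""
    parser = configparser.ConfigParser(inline_comment_prefixes=("#",))
    parser.read_string(text)
    return {s[len("profile "):]: dict(parser[s]) for s in parser.sections() if s.startswith("profile ")}


def assume_role_chain(profiles: Dict[str, Dict[str, str]], target: str) -> List[dict]:
    """Return, hop by hop, the STS AssumeRole parameters the CLI would send for `target`.

    Keys listed in a hop's transitive_tags become that call's TransitiveTagKeys; because
    transitive session tags persist through role chaining, "in_effect" lists the keys
    each later hop inherits. Root credentials (the SSO profile here) are out of scope.
    """
    chain, seen, name = [], set(), target
    while name in profiles and "source_profile" in profiles[name]:
        if name in seen:
            raise ValueError(f"source_profile cycle at profile {name!r}")
        seen.add(name)
        chain.append(name)
        name = profiles[name]["source_profile"]
    hops, carried = [], []
    for profile in reversed(chain):            # root-most role first
        opts = profiles[profile]
        keys = sorted({k.strip() for k in opts.get("transitive_tags", "").split(",") if k.strip()})
        params = {"RoleArn": opts["role_arn"], "RoleSessionName": f"cli-{profile}"}
        if keys:
            params["TransitiveTagKeys"] = keys
        hops.append({"profile": profile, "params": params, "in_effect": list(carried)})
        carried = sorted(set(carried) | set(keys))
    return hops
```

The point the walk makes visible: a key only reaches the second hop if it was already marked transitive on the first one, which is exactly what the CLI has no way to express today.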

@matpompili matpompili added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Oct 2, 2024
@matpompili (Author)

Somewhat connected to #6692, I think both features could be addressed by the same PR.

@tim-finnigan tim-finnigan self-assigned this Oct 2, 2024
@tim-finnigan (Contributor)

Thanks for reaching out. Requests for new config options/environment variables will need to be reviewed at a cross-SDK level since AWS SDKs, in addition to the CLI, use these configurations.

This does seem closely related to #6692 as you mentioned. We might want to consolidate these for tracking. Wouldn't adding a configuration option for session tags meet the use case described here? Linking some other related docs for reference:

@tim-finnigan tim-finnigan added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p2 This is a standard priority issue configuration and removed needs-triage This issue or PR still needs to be triaged. labels Oct 2, 2024

matpompili commented Oct 11, 2024

I am not sure setting a SessionTag only would work in my case, as I need to enable transitive tags for ${aws:PrincipalTag/user_group}, which is set using IdP information by the AssumeRoleWithWebIdentity, not directly by setting a tag value in the config file.

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html#access_iam-tags_control-principals

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Oct 11, 2024
@tim-finnigan tim-finnigan removed their assignment Oct 11, 2024