aws-cdk/aws-cognito-identitypool-alpha: allow session tagging #30919
Labels
@aws-cdk/aws-cognito-identitypool
effort/medium
Medium work item – several days of effort
feature-request
A feature should be added or improved.
p2
Describe the feature
Allow IAM roles created by Identity Pool CDK construct to tag sessions for federated identities.
Use Case
We are using a Cognito Identity Pool to assign AWS credentials for federated identities, and we need to tag sessions for the IAM policies to work. Unfortunately, it seems to be impossible to create an Identity Pool and its authenticated role in such a way that it is allowed to tag sessions. The approach introduced in #15908 (calling `.withSessionTags()` on the principal before passing it into the newly created IAM role) seemingly cannot be used with the Identity Pool CDK construct, because the identity pool does not exist at the time the authenticated role is created, and it looks impossible to change the trust policy on the IAM role created by the Identity Pool CDK construct itself.
Proposed Solution
It would be great if there was a flag in the Identity Pool CDK construct allowing the authenticated role to tag created sessions. Probably all it needs to do is to call `.withSessionTags()` on the identity pool principal when the role is being created.
Other Information
As a workaround, we have to manually add the `sts:TagSessions` action to the trust policy of the authenticated role.
Acknowledgements
CDK version used
2.130 (python)
Environment details (OS name and version, etc.)
Linux 6.6.30-0-virt 1-Alpine SMP aarch64 GNU/Linux
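For readers who want to see what the workaround above actually changes in the role, the following is an added example (not code from the issue author or from the CDK project). It builds the trust policy that an Identity Pool authenticated role carries, once without and once with session tagging, and includes a checker and a patch function for an existing policy. The IAM action is spelled `sts:TagSession`; CDK's `.withSessionTags()` adds that same action to the assume-role policy. The identity pool id is a constructed placeholder, and the code uses only the standard library, so it does not deploy anything: to apply the patched document to a live role you would pass it to `iam:UpdateAssumeRolePolicy` (for example boto3's `update_assume_role_policy`).

```python
import json

COGNITO_PROVIDER = "cognito-identity.amazonaws.com"
ASSUME_WEB_IDENTITY = "sts:AssumeRoleWithWebIdentity"
TAG_SESSION = "sts:TagSession"  # the action IAM checks before session tags are accepted

# Constructed placeholder for illustration only; not a real identity pool.
EXAMPLE_POOL_ID = "us-east-1:11111111-2222-3333-4444-555555555555"


def authenticated_trust_policy(identity_pool_id: str, allow_session_tags: bool = False) -> dict:
    """Trust policy of the shape attached to a Cognito Identity Pool authenticated role.

    The conditions bind the role to one pool (aud) and to authenticated identities (amr).
    With allow_session_tags=True the statement also grants sts:TagSession, which is what
    CDK's withSessionTags() produces for a principal.
    """
    actions = [ASSUME_WEB_IDENTITY]
    if allow_session_tags:
        actions.append(TAG_SESSION)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": COGNITO_PROVIDER},
                "Action": actions if len(actions) > 1 else actions[0],
                "Condition": {
                    "StringEquals": {f"{COGNITO_PROVIDER}:aud": identity_pool_id},
                    "ForAnyValue:StringLike": {f"{COGNITO_PROVIDER}:amr": "authenticated"},
                },
            }
        ],
    }


def _as_list(value):
    """IAM allows a single string or a list in several policy fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _cognito_federated(stmt: dict) -> bool:
    principal = stmt.get("Principal", {})
    if not isinstance(principal, dict):
        return False
    return COGNITO_PROVIDER in _as_list(principal.get("Federated", []))


def allows_session_tagging(policy: dict) -> bool:
    """True if an Allow statement for the Cognito federated principal grants sts:TagSession."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _cognito_federated(stmt):
            continue
        if TAG_SESSION in _as_list(stmt.get("Action", [])):
            return True
    return False


def add_session_tagging(policy: dict) -> dict:
    """Return a copy of the trust policy with sts:TagSession added to each Cognito
    web-identity statement. This is the manual workaround: same statement and
    same conditions, one extra action, so the role is not opened to anyone new."""
    patched = json.loads(json.dumps(policy))  # deep copy; the input is left untouched
    for stmt in _as_list(patched.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") == "Allow" and _cognito_federated(stmt) and ASSUME_WEB_IDENTITY in actions:
            if TAG_SESSION not in actions:
                actions.append(TAG_SESSION)
            stmt["Action"] = actions
    return patched


if __name__ == "__main__":
    base = authenticated_trust_policy(EXAMPLE_POOL_ID)
    print("allows tagging before patch:", allows_session_tagging(base))
    print(json.dumps(add_session_tagging(base), indent=2))
```

The patch function deliberately touches only statements that already trust `cognito-identity.amazonaws.com` via `sts:AssumeRoleWithWebIdentity`, so the aud/amr conditions that limit the role to one pool's authenticated identities are carried over unchanged; adding `sts:TagSession` in a fresh statement without those conditions would let any identity in any pool tag sessions on the role.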