feat(iam): session tagging #17689

Merged
merged 11 commits into from
Dec 16, 2021

@rix0rrr rix0rrr commented Nov 24, 2021

To allow session tagging, the `sts:TagSession` permission needs to
be added to the role's AssumeRolePolicyDocument.

Introduce a new principal which enables this, and add a convenience
method `.withSessionTags()` to the `PrincipalBase` class so all
built-in principals will have this convenience method by default.

To build this, we had to get rid of some cruft and assumptions around
policy documents and statements, and defer more power to the
`IPrincipal` objects themselves. In order not to break existing
implementors, introduce a new interface `IAssumeRolePrincipal` which
knows how to add itself to an AssumeRolePolicyDocument and gets complete
freedom doing so.

That same new interface could be used to lift some old limitations on
`CompositePrincipal` so did that as well.

Fixes #15908, closes #16725, fixes #2041, fixes #1578.


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@rix0rrr rix0rrr requested a review from a team November 24, 2021 17:17
@rix0rrr rix0rrr self-assigned this Nov 24, 2021
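
The requirement stated in the PR description, as an added example that is not part of the pull request or of aws-cdk: a TypeScript check over a trust policy (AssumeRolePolicyDocument) that lists principals allowed to assume the role but not granted `sts:TagSession`. The sample policy, account ID and provider name are constructed; `Condition` blocks, `Deny` statements and string-form principals are not evaluated.

```typescript
// Added example (not aws-cdk code): trust-policy check for missing sts:TagSession.
type OneOrMany = string | string[];
interface Statement { Effect: "Allow" | "Deny"; Action: OneOrMany; Principal: { [kind: string]: OneOrMany }; }
interface TrustPolicy { Version: string; Statement: Statement[]; }

const ASSUME_ACTIONS = ["sts:AssumeRole", "sts:AssumeRoleWithSAML", "sts:AssumeRoleWithWebIdentity"];

function asList(v: OneOrMany): string[] { return Array.isArray(v) ? v : [v]; }

// IAM action patterns are case-insensitive and may contain "*" and "?" wildcards.
function covers(pattern: string, action: string): boolean {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$", "i");
  return re.test(action);
}

// Principals named in Allow statements whose Action covers any of `actions`,
// flattened to "Kind:id" keys such as "Service:ec2.amazonaws.com".
function allowedFor(policy: TrustPolicy, actions: string[]): string[] {
  const out: string[] = [];
  for (const st of policy.Statement) {
    if (st.Effect !== "Allow") continue;
    const hit = asList(st.Action).some((pat) => actions.some((a) => covers(pat, a)));
    if (!hit) continue;
    for (const kind of Object.keys(st.Principal)) {
      for (const id of asList(st.Principal[kind])) {
        const key = kind + ":" + id;
        if (out.indexOf(key) < 0) out.push(key);
      }
    }
  }
  return out;
}

// Principals that can assume the role but cannot pass session tags.
function principalsMissingTagSession(policy: TrustPolicy): string[] {
  const canTag = allowedFor(policy, ["sts:TagSession"]);
  return allowedFor(policy, ASSUME_ACTIONS).filter((k) => canTag.indexOf(k) < 0);
}

// Constructed sample: the account may assume and tag; the SAML provider may only assume.
const samplePolicy: TrustPolicy = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: ["sts:AssumeRole", "sts:TagSession"],
      Principal: { AWS: "arn:aws:iam::111122223333:root" } },
    { Effect: "Allow", Action: "sts:AssumeRoleWithSAML",
      Principal: { Federated: "arn:aws:iam::111122223333:saml-provider/ExampleIdP" } },
  ],
};
const missing = principalsMissingTagSession(samplePolicy);
```
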
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Nov 24, 2021
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Nov 24, 2021
@rix0rrr rix0rrr changed the title feat(iam): enable session tagging feat(iam): session tagging Nov 25, 2021
mergify bot commented Nov 29, 2021

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject89A8053A-LhjRyN9kxr8o
  • Commit ID: 88c56c6
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit 9f22b2f into master Dec 16, 2021
@mergify mergify bot deleted the huijbers/federated-tagging branch December 16, 2021 10:30
mergify bot commented Dec 16, 2021

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

TikiTDO pushed a commit to TikiTDO/aws-cdk that referenced this pull request Feb 21, 2022