-
Notifications
You must be signed in to change notification settings - Fork 4.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding support for a custom RoleSessionName when assuming a role #1389
Conversation
This pull request was targeted for issue 1333. This being my first pull request on Github, I'm not aware of how to link this pull request to that issue. |
Thanks for the pull request, sorry for the delay. I think this looks great (thanks for adding tests), and would be a great feature addition to the CLI. I'm looking at this now. |
I found one problem with the current implementation. STS token is stored in cache directory using (account_id, role) as the key and So if the cached The purpose of |
@quiver, thanks for finding this. I agree that this is a problem, although a fairly minor one. Minor or not, of course it should be fixed. To be clear, the effect of this problem is that cached credentials will be used when they shouldn't be if the role_session_name is modified for a profile. The no-longer-matching cached credentials will be used from the time that the role_session_name is modified to the expiration time of the cached credentials. That is at most 1 hour. I agree that separating cache files based on (account_id, role, role_session_name) seems to be the fix. I can update the cache key to include the role_session_name, if present. Then this problem should be resolved. |
This reverts commit 3bacb03.
The proposed changes sound good to me. Thanks for catching @quiver . |
I've reverted a change on my branch that didn't have anything to do with this change. I was unaware that pull requests follow branches. I thought it just followed an exact commit. I've added a commit that adds the role_session_name into the cache key if it is present. None of the characters allowed in a role_session_name ([\w+=,.@-]*) seems like they should be a problem if they're in a file name. One problem is that the role_session_name is case sensitive so the cache file may present a problem on a case-insensitive file system. This will only be a problem if 1) a user has the cache file on a case-insensitive file system, and 2) they're changing the role_session_name such that only the case is different from the previous value, and 3) it has been less than an hour since the file was cached (because the expiration time for credentials is one hour). This is such a narrow case that I didn't think it required the effort to fix. |
Updated PR looks good to me. 👍
Agreed. Sorry for nit-picking. |
Rebased against develop and merged. Thanks again for the pull request! |
These changes allow a user to specify the "role_session_name" parameter in a role-based profile. The value of role_session_name is used as the RoleSessionName parameter in the STS AssumeRole call.