By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Problem with providing right "sts:RoleSessionName" while assuming IAM role using another assumed role access keys (role-chaining scenario)

0

Hi,

Im trying to do the role-chaining, but with proper audit of user access, to make it more "individualistic".

I found this article - https://aws.amazon.com/blogs/security/easily-control-naming-individual-iam-role-sessions/ , it describes how to create an IAM policy, that will enforce user to provide its own username as sts:RoleSessionName, and it is working for assuming an IAM role using IAM users access keys. But if i have the same policy, and im trying to assume an IAM Role using another IAM role session access keys, what should be provided as sts:RoleSessionName in this case? I have tried to provide the username of the IAM user that have assumed the first Role, i have tried to provide the name of the first IAM role using which user is trying to assume second IAM role, but no luck.

Thanks

  • D G
    a year ago

    @Joann Babak did my answer work for you ? Let me know if you have any issues with this, or if it helps you then please accept my answer after you've tried it out - it would be much appreciated! Good luck :)

Topics
Security, Identity, & Compliance
Tags
Security, Identity, & ComplianceAWS Identity and Access ManagementIAM Policies
Language
English
Joann Babak
asked a year ago931 views
1 Answer
0

If I am reading this correctly, you should be able to set the role session name to whatever you want it to be (providing that you haven't built conditionals within the trust.

Try using whatever you want, also I am a big fan of using AWSume which makes setting role chaining easier IMHO. Give it a try. Getting your trust and policy statements to work are essential so that as you assume one role to the next the role assumed is included as being "ok" to assume another.

profile picture
D G
answered a year ago
  • Joann Babak
    a year ago

    The problem is that, if i attach policy (which can be found on the link i have shared in the question) to the role "A" im not able to provide everything in the "session name" (and i dont want it to be like that), so im trying to understand what it expects in this case. Im trying to force user to provide its username as session name for trailing purposes, and the policy works in case of IAM user - IAM role connection, but not in the IAM role - IAM role. Thought i havent looked into the AWSume, will do, thanks.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content