What's the use case for RoleSessionName when assuming a role in AWS and how it affects the performance

I have a scenario in which I want to have access to resources within one account from another one in AWS (cross-account access) in code. And I want to implement this access using NodeJs, implemented as a Lambda function and also as long-running code on EC2.

Reading how to do this online, I know I need temporary credentials generated by aws.STS, like this:

const AWS = require('aws-sdk');

// Top-level await is not valid in a CommonJS module, so the calls are
// wrapped in an async function.
async function getCrossAccountDynamoDb() {
    const sts = new AWS.STS();
    // Exchange the caller's credentials for temporary credentials of the
    // role in the other account.
    const stsResults = await sts.assumeRole({
        RoleArn: 'arn:aws:iam::111111111111:role/role_name',
        RoleSessionName: 'STRING_VALUE',
    }).promise();

    // All three parts of the temporary credentials are needed by the client.
    return new AWS.DynamoDB({
        region: 'us-east-1',
        accessKeyId: stsResults.Credentials.AccessKeyId,
        secretAccessKey: stsResults.Credentials.SecretAccessKey,
        sessionToken: stsResults.Credentials.SessionToken
    });
}

My question is about the RoleSessionName attribute which is a required one. I'm having a hard time understanding what it does and how I should use it. This is what the AWS documentation has to say about it:

RoleSessionName — (String) An identifier for the assumed role session.

Use the role session name to uniquely identify a session when the same role is assumed by different principals or for different reasons. In cross-account scenarios, the role session name is visible to, and can be logged by the account that owns the role. The role session name is also used in the ARN of the assumed role principal. This means that subsequent cross-account API requests that use the temporary security credentials will expose the role session name to the external account in their AWS CloudTrail logs.

The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-

Personally, I'm not concerned about security since both accounts are owned by the same company and the only reason to have multiple accounts is to logically separate resources. What I would like to know is the impact of this attribute on the performance of the assumeRole function call. Should I use the same RoleSessionName for all my lambda functions? Should I create a random ID each time I create a new session?

Mehran asked Mar 22 '20 02:03




1 Answer

As per the documentation you quoted:

Use the role session name to uniquely identify a session when the same role is assumed by different principals or for different reasons.

Let's say you have an IAM Role and it is assumed by a program. This will return a set of temporary credentials that can be used to access AWS services.

In an audit trail, anything done by the Role will be tracked as having been done by the Role (not by the entity that assumed the Role). This makes it difficult to trace back the source of these API calls, since the role could be assumed by "different principals or for different reasons". For example, multiple programs might use the role.

To assist in tracing the 'origin' of such requests, the RoleSessionName is provided to identify the particular assumption. It's there to help you identify which app is using the credentials.

John Rotenstein answered Oct 08 '22 00:10
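An added example, not from the question or the answer, of putting the session name to the use the answer describes: build a RoleSessionName from the calling application's identity, restricted to the character set quoted from the docs above and to the 64-character maximum STS imposes, and split the resulting assumed-role ARN back apart when reviewing the role-owning account's CloudTrail entries. The function names, the sample application name and the request id are constructed for the example.

```javascript
// Allowed characters per the quoted docs: alphanumerics, underscore, and = , . @ -
// Anything else is replaced. STS also limits the name to 2..64 characters.
const DISALLOWED_SESSION_NAME_CHARS = /[^A-Za-z0-9_=,.@-]/g;
const MAX_SESSION_NAME_LENGTH = 64;

// Derive a session name from a stable application identifier (for example the
// Lambda function name) plus a per-invocation id, so that one role assumed by
// several programs can be told apart in the role-owning account's audit trail.
function buildRoleSessionName(appName, invocationId) {
  const raw = `${appName}@${invocationId}`;
  const cleaned = raw.replace(DISALLOWED_SESSION_NAME_CHARS, '-');
  if (cleaned.length < 2) {
    throw new Error('RoleSessionName must be at least 2 characters');
  }
  return cleaned.slice(0, MAX_SESSION_NAME_LENGTH);
}

// Parameters to pass to sts.assumeRole(); the session name is what CloudTrail
// in the target account will show for calls made with the returned credentials.
function assumeRoleParams(roleArn, appName, invocationId) {
  return {
    RoleArn: roleArn,
    RoleSessionName: buildRoleSessionName(appName, invocationId),
  };
}

// The principal ARN recorded for those calls has the form
//   arn:aws:sts::<account-id>:assumed-role/<role-name>/<RoleSessionName>
// Split it into its parts so a log review can tie a request back to its origin.
// Returns null for ARNs that are not assumed-role principals.
function parseAssumedRoleArn(arn) {
  const m = /^arn:aws:sts::(\d{12}):assumed-role\/([^/]+)\/(.+)$/.exec(arn);
  if (!m) return null;
  return { accountId: m[1], roleName: m[2], sessionName: m[3] };
}

// Constructed sample: a Lambda function named "order-export" with a request id,
// assuming the placeholder role ARN from the question.
const params = assumeRoleParams(
  'arn:aws:iam::111111111111:role/role_name',
  'order-export',
  '8f3c1d2e-aaaa-4bbb-8ccc-123456789abc'
);
console.log(params.RoleSessionName); // order-export@8f3c1d2e-aaaa-4bbb-8ccc-123456789abc
```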