Hey,
Looking at the documentation of "Generating IAM with STS", which is intended to assume roles (whether local/cross-account), I noticed that there's no way to assign this assumed role a custom "Session Name".
This is possible when using the AWS API directly using the RoleSessionName Identifier.
Will it be possible to add a parameter "session_name" to the payload of the API request to Vault, so the assume-role operation will include it?
This would be very helpful when the same role is assumed multiple times by different users in our system, and will allow inspecting user actions via CloudTrail.
In my case, my system will need to assume a role in another AWS account multiple times (one time per user in my system), and I would like to know which user performed a certain operation on the target AWS account (using CloudTrail).
Thanks,
Yakir.
While this issue is to support a session-name parameter when retrieving STS credentials, which should be ok from an authenticated Vault request, I'd actually like to see something implemented more along the lines of the SSH plugin, where an identity template can be passed into the role configuration (see #7548).
The problem I have with the current RoleSessionName format is that it is pseudo-random.
And because searching CloudTrail logs by username does not allow for globs or partial matching it means that the CloudTrail logs must be downloaded and post-processed.
One suggestion to help improve tracing between Vault audit logs and CloudTrail logs would be to include the role_session_name in the /aws/sts/:name response. Vault admins would be required to configure audit_non_hmac_response_keys but short of making the RoleSessionName deterministic I think this could be a fine approach.
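The two approaches above (a per-user RoleSessionName chosen by the caller, and a deterministic name that CloudTrail can be searched for exactly) can be illustrated together. The following is an added example and not Vault's code: it assumes the application assumes the role directly through STS, as the issue describes doing with the AWS API, so it is free to set RoleSessionName; the prefix `myapp`, the user ids and the CloudTrail records are constructed for the example. The STS constraints on RoleSessionName (2 to 64 characters matching `[\w+=,.@-]*`) and the `arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION` form of the assumed-role ARN in CloudTrail's `userIdentity` are real, and are what make the correlation work.

```python
"""Deterministic per-user RoleSessionName and CloudTrail correlation.

Added example, not part of Vault or of the issue. It shows why a
caller-chosen, deterministic session name makes CloudTrail lookups exact:
the session name is embedded in userIdentity.arn of every event the
assumed role performs, and CloudTrail's username filter needs an exact
match.
"""
import hashlib
import re
from typing import Iterable, List, Optional

# STS rejects RoleSessionName values outside [\w+=,.@-]* or not 2..64 chars.
_DISALLOWED = re.compile(r"[^\w+=,.@-]", re.ASCII)
_MAX_LEN = 64


def make_session_name(user_id: str, prefix: str = "myapp") -> str:
    """Build a deterministic session name from an application user id.

    Characters STS would reject are replaced with '-'. If the result is
    longer than 64 characters it is truncated and an 8-hex-digit hash of
    the original id is appended so two long ids cannot collide after
    truncation. The same user id always yields the same name, so the
    CloudTrail username filter can be used with an exact value.
    """
    cleaned = _DISALLOWED.sub("-", f"{prefix}-{user_id}")
    if len(cleaned) > _MAX_LEN:
        digest = hashlib.sha256(user_id.encode()).hexdigest()[:8]
        cleaned = cleaned[: _MAX_LEN - 9] + "-" + digest
    if len(cleaned) < 2:
        raise ValueError("RoleSessionName must be at least 2 characters")
    return cleaned


def assume_role_for_user(role_arn: str, user_id: str, duration: int = 900) -> dict:
    """Assume role_arn with a per-user RoleSessionName via STS directly.

    Requires boto3 and AWS credentials; it is not exercised offline.
    """
    import boto3  # imported here so the rest of the module runs without it

    sts = boto3.client("sts")
    resp = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName=make_session_name(user_id),
        DurationSeconds=duration,
    )
    return resp["Credentials"]


# CloudTrail reports actions by an assumed role with this ARN form.
_ASSUMED_ROLE_ARN = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/(.+)$")


def session_name_from_record(record: dict) -> Optional[str]:
    """Return the RoleSessionName from a CloudTrail record, or None if the
    caller was not an assumed role."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    match = _ASSUMED_ROLE_ARN.match(ident.get("arn", ""))
    return match.group(3) if match else None


def events_for_user(records: Iterable[dict], user_id: str) -> List[str]:
    """Event names performed under the session name derived for user_id."""
    wanted = make_session_name(user_id)
    return [r["eventName"] for r in records if session_name_from_record(r) == wanted]


# Constructed CloudTrail records (trimmed to the fields used here).
SAMPLE_RECORDS = [
    {
        "eventName": "GetObject",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/CrossAccountRole/myapp-alice",
        },
    },
    {
        "eventName": "DeleteObject",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/CrossAccountRole/myapp-bob",
        },
    },
    {
        "eventName": "ListBuckets",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/admin"},
    },
]

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, make_session_name(user), events_for_user(SAMPLE_RECORDS, user))
```

With a pseudo-random session name the `events_for_user` lookup above is impossible without first recovering the name from Vault's side (for example from the `/aws/sts/:name` response, if it were returned and exempted from HMAC in the audit log), which is the post-processing the comment describes.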