0.19.0, add role session name

meeuw · Nov 15, 2022 · 3a98dae · 3a98dae
1 parent 68f8784
commit 3a98dae
Show file tree

Hide file tree

Showing 5 changed files with 608 additions and 152 deletions.
diff --git a/README.md b/README.md
@@ -49,26 +49,27 @@ Options:
   --secret-access-key TEXT
   --mfa-oath-slot TEXT            how the MFA slot is named, check using ykman
                                   oath code
-
   --mfa-serial-number TEXT        MFA serial number, see IAM console
   --mfa-session-duration INTEGER  duration in seconds, use zero to assume role
                                   without session
-
   --assume-session-duration INTEGER
                                   duration in seconds
   --assume-role-arn TEXT          IAM Role to be assumed, optional
   --assume-role-policy-arns TEXT  Assume role with policy ARN, can be used
                                   multiple times
-
   --assume-role-policy TEXT       Assume role with this policy, you can use a
                                   filename if this value starts with @
-
+  --assume-role-source-identity TEXT
+                                  The source identity specified by the
+                                  principal that is calling the AssumeRole
+                                  operation.
+  --assume-role-role-session-name TEXT
+                                  An identifier for the assumed role session.
   --force-renew-session
   --force-renew-assume-role
   --credentials-section TEXT      Use this section from ~/.aws/credentials
   --pin-entry TEXT                pin-entry helper, should be compatible with
                                   Assuan protocol (GPG)
-
   --log-file TEXT
   --config-section TEXT           Use this section in config-file
   --config-file TEXT

diff --git a/aws_credential_process.py b/aws_credential_process.py
@@ -29,7 +29,7 @@
 import pynentry
 import toml
 
-__version__ = "0.18.0"
+__version__ = "0.19.0"
 
 # Restore logger, set by ykman.cli.__main__ import
 logging.disable(logging.NOTSET)
@@ -207,6 +207,7 @@ def get_assume_session(
     policy_arns,
     policy,
     source_identity,
+    role_session_name,
     duration_seconds=None,
     serial_number=None,
     token_code=None,
@@ -237,6 +238,9 @@ def get_assume_session(
     if source_identity:
         request["SourceIdentity"] = source_identity
 
+    if role_session_name:
+        request["RoleSessionName"] = role_session_name
+
     if session is None:
         client = boto3.client(
             "sts",
@@ -268,6 +272,7 @@ def get_assume_session_cached(
     policy_arns,
     policy,
     source_identity,
+    role_session_name,
     duration_seconds,
     serial_number=None,
     token_code=None,
@@ -287,6 +292,7 @@ def get_assume_session_cached(
             policy_arns,
             policy,
             source_identity,
+            role_session_name,
             duration_seconds,
             serial_number,
             token_code,
@@ -346,6 +352,7 @@ def main(
     assume_role_policy_arns,
     assume_role_policy,
     assume_role_source_identity,
+    assume_role_role_session_name,
     force_renew_session,
     force_renew_assume_role,
     assume_session_duration,
@@ -457,6 +464,7 @@ def token_code():
                     assume_role_policy_arns,
                     assume_role_policy,
                     assume_role_source_identity,
+                    assume_role_role_session_name,
                     assume_session_duration,
                     mfa_serial_number,
                     token_code,
@@ -469,6 +477,7 @@ def token_code():
                     assume_role_policy_arns,
                     assume_role_policy,
                     assume_role_source_identity,
+                    assume_role_role_session_name,
                     assume_session_duration,
                 )
 
@@ -522,6 +531,10 @@ def token_code():
     "--assume-role-source-identity",
     help="The source identity specified by the principal that is calling the AssumeRole operation.",
 )
+@click.option(
+    "--assume-role-role-session-name",
+    help="An identifier for the assumed role session.",
+)
 @click.option("--force-renew-session", is_flag=True)
 @click.option("--force-renew-assume-role", is_flag=True)
 @click.option("--credentials-section", help="Use this section from ~/.aws/credentials")
@@ -546,6 +559,7 @@ def click_main(
     assume_role_policy_arns,
     assume_role_policy,
     assume_role_source_identity,
+    assume_role_role_session_name,
     force_renew_session,
     force_renew_assume_role,
     credentials_section,
@@ -605,6 +619,8 @@ def click_main(
         config["assume_role_policy"] = assume_role_policy
     if assume_role_source_identity:
         config["assume_role_source_identity"] = assume_role_source_identity
+    if assume_role_role_session_name:
+        config["assume_role_role_session_name"] = assume_role_role_session_name
     if output_format:
         config["output_format"] = output_format
 
@@ -625,6 +641,7 @@ def click_main(
         config.get("assume_role_policy_arns"),
         config.get("assume_role_policy"),
         config.get("assume_role_source_identity"),
+        config.get("assume_role_role_session_name"),
         config.get("force_renew_session", False),
         config.get("force_renew_assume_role", False),
         config.get("assume_session_duration"),