feature/use-aws-user-id-sso: add in an option flag and env flag to op…

…tionally call fire GetCallerIdentity and remove the principle id from the user id returned and add that into the roll sessioname
common-fate · Sep 4, 2024 · 69752b1 · 69752b1
1 parent 264318d
commit 69752b1
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 0 deletions.
diff --git a/pkg/assume/assume.go b/pkg/assume/assume.go
@@ -288,6 +288,7 @@ func AssumeCommand(c *cli.Context) error {
 		MFATokenCode: assumeFlags.String("mfa-token"),
 		Args:         assumeFlags.StringSlice("pass-through"),
 		DisableCache: assumeFlags.Bool("no-cache"),
+		UseUserId:    assumeFlags.Bool("use-user-id"),
 	}
 
 	// attempt to get session duration from profile

diff --git a/pkg/assume/entrypoint.go b/pkg/assume/entrypoint.go
@@ -56,6 +56,7 @@ func GlobalFlags() []cli.Flag {
 		&cli.BoolFlag{Name: "wait", Usage: "When using Granted with Common Fate the assume will halt while waiting for the access request to be approved."},
 		&cli.BoolFlag{Name: "no-cache", Usage: "Disables caching of session credentials and forces a refresh", EnvVars: []string{"GRANTED_NO_CACHE"}},
 		&cli.StringSliceFlag{Name: "browser-launch-template-arg", Usage: "Additional arguments to provide to the browser launch template command in key=value format, e.g. '--browser-launch-template-arg foo=bar"},
+		&cli.BoolFlag{Name: "use-user-id", Aliases: []string{"uu"}, Usage: "Whether to use the AWS user ID", DefaultText: "false" },
 	}
 }
 

diff --git a/pkg/cfaws/assumer_aws_sso.go b/pkg/cfaws/assumer_aws_sso.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net/http"
+	"os"
 	"strings"
 	"time"
 
@@ -101,6 +102,7 @@ func (c *Profile) SSOLoginWithToken(ctx context.Context, cfg *aws.Config, access
 
 	if requiresAssuming {
 		// return creds, nil
+		useUserId := os.Getenv("GRANTED_USE_USER_ID") == "true"
 		toAssume := append([]*Profile{}, c.Parents[1:]...)
 		toAssume = append(toAssume, c)
 		for i, p := range toAssume {
@@ -114,6 +116,13 @@ func (c *Profile) SSOLoginWithToken(ctx context.Context, cfg *aws.Config, access
 				// all configuration goes in here for this profile
 				if p.AWSConfig.RoleSessionName != "" {
 					aro.RoleSessionName = p.AWSConfig.RoleSessionName
+				} else if configOpts.UseUserId || useUserId {
+					caller, err := stsClient.GetCallerIdentity(ctx, &sts.GetCallerIdentityInput{})
+					if err != nil {
+						return
+					}
+					userId := strings.Split(*caller.UserId, ":")[1]
+					aro.RoleSessionName = userId
 				} else {
 					aro.RoleSessionName = sessionName()
 				}

diff --git a/pkg/cfaws/profiles.go b/pkg/cfaws/profiles.go
@@ -27,6 +27,7 @@ type ConfigOpts struct {
 	ShouldRetryAssuming        *bool
 	MFATokenCode               string
 	DisableCache               bool
+	UseUserId                  bool
 }
 
 type Profile struct {