Get real IAM username of the STS AssumeRole issuer


I have been assuming an IAM role in AWS account B using IAM user credentials from AWS account A, and it works as expected. For security and auditing purposes, I would like to get the real IAM username from AWS account A of whoever accessed services in AWS account B, specifically EC2 Session Manager console access.

When Session Manager is accessed via the AWS GUI Console, CloudTrail has the original username in the userIdentity, but when it is accessed via the AWS CLI, the username is logged as botocore-session-###########. The accessKeyId is generated randomly for the temporary STS session.

How can I map this temporary accessKeyId to the real IAM user?

I tried different versions of the AWS CLI and different OSs. The IAM role in account B shows Last activity information and a way to revoke active sessions, but no information about the currently active sessions.


1 answer

user3553031

Once you assume a Role and start using the new temporary credentials, you are no longer the principal that assumed the Role: you are a session principal. There is no way to directly find out who assumed the Role given only the session principal's ARN or key ID.

One option is to look in CloudTrail to see who assumed that role with that session name. I'm not certain exactly what gets logged; watch out for scenarios where two different principals assumed the same role using the same session name.

When you see the original principal's name in the AWS Console, this isn't because the Console has some magic way to look up that principal's identity from the role session; what happens is that the Console uses the assumer's name as the session name. By default, you can specify whatever session name you want when assuming a Role. If you want to enforce some order, try using the permission policy condition key sts:RoleSessionName to require the caller to use a specific session name.

For instance, if your Role's trust policy contains the following (and no other statement that allows your users to assume the Role):

{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Principal": {
        "AWS": [
            "arn:aws:iam::123456789012:user/UserA",
            "arn:aws:iam::123456789012:user/UserB",
            "arn:aws:iam::123456789012:user/UserC",
            "arn:aws:iam::123456789012:user/UserD"
        ]
    },
    "Condition": {
        "StringLike": {
            "sts:RoleSessionName": "${aws:username}"
        }
    }
}

Then the named Users will be able to assume the Role only if they use their usernames as their session names.
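The CloudTrail correlation the answer suggests, as an added example that is not part of the original post or of any AWS tooling. The AssumeRole event that CloudTrail records carries the caller's userIdentity together with the temporary accessKeyId it issued in responseElements.credentials, and every later event made with those credentials (such as a Session Manager StartSession call from the CLI) carries that same accessKeyId in its userIdentity. Joining on the key ID is therefore reliable even when two principals reuse a session name, which the example also flags. The records below are constructed samples with placeholder account IDs, role name and key IDs; in practice they would come from a CloudTrail query (Athena over the trail bucket, CloudTrail Lake, or LookupEvents filtered on EventName=AssumeRole).

```python
"""Correlate a temporary STS access key back to the principal that called AssumeRole.

Added example; not code from the original post or from AWS. It works over a list
of CloudTrail records (constructed samples here) so it runs offline.
"""
from collections import defaultdict

# Constructed sample CloudTrail records. Account IDs, role name, session names
# and access key IDs are placeholders, not values from any real account.
SAMPLE_RECORDS = [
    {   # UserA in account A assumes the role in account B from the CLI
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "eventTime": "2024-01-01T10:00:00Z",
        "userIdentity": {"type": "IAMUser", "accountId": "123456789012",
                         "userName": "UserA",
                         "arn": "arn:aws:iam::123456789012:user/UserA"},
        "requestParameters": {"roleArn": "arn:aws:iam::210987654321:role/OpsRole",
                              "roleSessionName": "botocore-session-1704103200"},
        "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE000000001"}},
    },
    {   # UserB assumes the same role with the same session name (the collision
        # the answer warns about); only the issued key ID tells the two apart
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "eventTime": "2024-01-01T10:01:00Z",
        "userIdentity": {"type": "IAMUser", "accountId": "123456789012",
                         "userName": "UserB",
                         "arn": "arn:aws:iam::123456789012:user/UserB"},
        "requestParameters": {"roleArn": "arn:aws:iam::210987654321:role/OpsRole",
                              "roleSessionName": "botocore-session-1704103200"},
        "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE000000002"}},
    },
    {   # Session Manager access performed with UserA's temporary credentials;
        # userIdentity shows only the session principal, not who assumed the role
        "eventSource": "ssm.amazonaws.com", "eventName": "StartSession",
        "eventTime": "2024-01-01T10:05:00Z",
        "userIdentity": {
            "type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000001",
            "arn": "arn:aws:sts::210987654321:assumed-role/OpsRole/botocore-session-1704103200",
            "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::210987654321:role/OpsRole"}},
        },
    },
]


def index_assume_role(records):
    """Build two indexes from AssumeRole events:
    by_key:     temporary accessKeyId -> ARN of the principal that assumed the role
    by_session: roleSessionName -> set of assumer ARNs (to detect name reuse)."""
    by_key, by_session = {}, defaultdict(set)
    for rec in records:
        if rec.get("eventSource") != "sts.amazonaws.com" or rec.get("eventName") != "AssumeRole":
            continue
        # A denied AssumeRole has no credentials (responseElements is null), so skip it
        creds = ((rec.get("responseElements") or {}).get("credentials")) or {}
        key_id = creds.get("accessKeyId")
        assumer = (rec.get("userIdentity") or {}).get("arn")
        if not key_id or not assumer:
            continue
        by_key[key_id] = assumer
        session_name = (rec.get("requestParameters") or {}).get("roleSessionName")
        if session_name:
            by_session[session_name].add(assumer)
    return by_key, dict(by_session)


def attribute_event(rec, by_key):
    """Return the ARN of the real principal behind an event, or None if the
    temporary key was never seen in an AssumeRole event (e.g. outside the query window)."""
    ident = rec.get("userIdentity") or {}
    if ident.get("type") != "AssumedRole":
        return ident.get("arn")  # already a concrete IAM principal
    return by_key.get(ident.get("accessKeyId"))


def ambiguous_session_names(by_session):
    """Session names that more than one distinct principal used; joining on
    these names alone would misattribute activity."""
    return sorted(name for name, who in by_session.items() if len(who) > 1)


if __name__ == "__main__":
    by_key, by_session = index_assume_role(SAMPLE_RECORDS)
    for rec in SAMPLE_RECORDS:
        if rec["eventSource"] != "sts.amazonaws.com":
            print(rec["eventName"], "->", attribute_event(rec, by_key))
    print("ambiguous session names:", ambiguous_session_names(by_session))
```

Because the index is keyed on the issued access key ID rather than the session name, the StartSession event resolves to UserA even though UserB later used the identical session name. The query window for the AssumeRole events has to cover at least the maximum session duration of the role, since a temporary key can stay valid for that long after it was issued.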