
Using an SCP, I would like to require role_session_name for users who assume roles in my organization accounts when running a Terraform template. The role_session_name value needs to be equal to their IAM username. I have attached below the SCP in my organization:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "sts:AssumeRole",
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "sts:RoleSessionName": [
            "${aws:username}"
          ]
        }
      }
    }
  ]
}

Below is the ~/.aws/config file content:

[profile my_profile]
region = us-west-3
role_arn = arn:aws:iam::ACCOUNT_ID:role/role_name
output = json

Below is the provider section of the Terraform template:

provider "aws" {
  shared_credentials_files = ["~/.aws/credentials"] # provider 4.x argument name; 3.x used shared_credentials_file
  region  = "eu-west-3"
  profile = "my_profile"
}

Without specifying `role_session_name = my_aws_user_name` inside the config file, I am able to run the template without being blocked by the SCP.

How can I achieve this, please?

Thanks

2 Answers


EDIT

I finally set up an AWS organization to test. The SCP as you now have it is working fine. The role is in account A. SCP attached to account B:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "sts:AssumeRole",
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "sts:RoleSessionName": [
            "${aws:username}"
          ]
        }
      }
    }
  ]
}

Using a user in account B, I tried to assume a role in account A using a random session name. Got access denied.

>aws sts assume-role --profile accountB --role-arn arn:aws:iam::<account-A>:role/<rolename> --role-session-name abc

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::<account-B>:user/<username> is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<account-A>:role/<rolename>

But when I use a session name that is the same as my username, I am able to.

>aws sts assume-role --profile accountB --role-arn arn:aws:iam::<account-A>:role/<rolename> --role-session-name username

{
    "Credentials": {
        "AccessKeyId": "xxx",
        "SecretAccessKey": "xxx",
        "SessionToken": "xxx",
        "Expiration": "2022-03-23T10:31:52Z"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "xxx:username",
        "Arn": "arn:aws:sts::xxx:assumed-role/xxx/yyy"
    }
}
Register Sole
  • Thank you @Register Sole for your answer, but even after changing `StringEquals` to `StringLike`, I still can assume the role and create resources without setting `role_session_name`. – Jean-Pascal MEWENEMESSE Mar 23 '22 at 08:44
  • @Jean-PascalMEWENEMESSE I see. Unfortunately I don't have a setup to test. If you remove the `aws:PrincipalArn` condition altogether, can you confirm whether it works this time? It would block most requests, but at least this verifies that the other condition is working. If it works, I think it is better to specify the action `sts:AssumeRole` to limit the deny to only AssumeRole requests. – Register Sole Mar 23 '22 at 08:50
  • If I remove the `aws:PrincipalArn` condition, it will surely block. But it also blocks IAM users with management console access. I only want programmatic users who make the assume-role API call. To avoid that, I added the `sts:AssumeRole` action, but still, it passes without `role_session_name`. – Jean-Pascal MEWENEMESSE Mar 23 '22 at 08:56
  • Just checking, you attach this policy to the account where the users are, right? Not the account where the roles are. – Register Sole Mar 23 '22 at 09:27
  • @Jean-PascalMEWENEMESSE Anyway, I edited the answer. The policy that you now have in the question works. The only thing I can think of is to ensure you attach it to the account where the users are. See my answer for a working example. – Register Sole Mar 23 '22 at 09:37
  • Thank you for your response. I really appreciate it, @Register Sole. You are right, your answer is correct regarding the previous description of the problem. I have edited the question to be more specific about my issue and added additional details. Thanks a lot – Jean-Pascal MEWENEMESSE Mar 23 '22 at 10:36
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/243233/discussion-between-jean-pascal-mewenemesse-and-register-sole). – Jean-Pascal MEWENEMESSE Mar 23 '22 at 12:31
  • @Jean-PascalMEWENEMESSE Yup better to chat. I don't see you in the chat room though, not sure if you get the message. – Register Sole Mar 24 '22 at 07:38
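As an added illustration (not part of the question or either answer), the following Python script approximates how IAM evaluates the Deny statement above against an AssumeRole request context: `${aws:username}` is substituted from the context, `StringNotLike` is matched case-sensitively with `*`/`?` wildcards, and the deny fires when no value matches. The usernames and session names are constructed, and the treatment of a missing context key is an assumption, not verified AWS behaviour.

```python
import re

# The SCP from the question, verbatim. The evaluator below is an added
# local approximation of IAM's String* condition matching, not AWS code.
SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "sts:AssumeRole",
        "Resource": "*",
        "Condition": {"StringNotLike": {"sts:RoleSessionName": ["${aws:username}"]}},
    }],
}

def _expand(value, ctx):
    # Substitute ${key} policy variables (e.g. ${aws:username}) from the request context.
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), value)

def _like(pattern, value):
    # StringLike semantics: case-sensitive, '*' matches any run, '?' one character.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def _condition_holds(operator, key, patterns, ctx):
    # Values under one key are OR'ed; the "Not" operators negate that result.
    # Assumption: a missing key makes Not* operators fire and the others fail
    # (AssumeRole always carries a session name, so this rarely matters here).
    value = ctx.get(key)
    if value is None:
        return operator.startswith("StringNot")
    exact = operator in ("StringEquals", "StringNotEquals")
    hit = any(p == value if exact else _like(p, value)
              for p in (_expand(p, ctx) for p in patterns))
    return not hit if operator.startswith("StringNot") else hit

def scp_denies_assume_role(policy, ctx):
    # True when any Deny statement covering sts:AssumeRole has all its conditions met.
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] != "Deny" or not any(_like(a, "sts:AssumeRole") for a in actions):
            continue
        conds = st.get("Condition", {})
        if all(_condition_holds(op, key, vals if isinstance(vals, list) else [vals], ctx)
               for op, keys in conds.items() for key, vals in keys.items()):
            return True
    return False

if __name__ == "__main__":
    # Constructed contexts: exact username passes; anything else, including a
    # differently-cased name or an SDK-generated default session name, is denied.
    for name in ("alice", "Alice", "abc", "botocore-session-1648031512"):
        ctx = {"aws:username": "alice", "sts:RoleSessionName": name}
        print(f"{name:30} denied={scp_denies_assume_role(SCP, ctx)}")
```

The last constructed name mimics the kind of default session name an SDK fills in when `role_session_name` is not configured, which is why such a request should be denied by this SCP.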

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam:::user/ is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam:::role/T. This issue is that your profile account doesn't have permission to attach a policy for the other account, so I gave IAM full access to the role, and then it ran fine.

Jimmy wu