fix(custom-resources): Role Session Name can exceed maximum size (aws#16680)

The provider used the physical resource id and the epoch time as
the name of the assumed role session. Unfortunately, the maximum
length of these two fields combined can exceed the 64 character
limit on a role session name.

The role session name is not extremely important; it's purely
for human consumption. Nothing ensures that every assumed role
session has a unique role session name. For a unique identifier,
the session's access key identifier should be used instead.

This change caps the generated role session name at 64 characters
and moves the timestamp to the front, so that it is not the
portion of the name that is truncated.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html


```
2021-09-28T01:36:45.780Z	fc8f6e02-d746-441b-b07c-5e2b836087a0	INFO	Error [CredentialsError]: Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1
    at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/query.js:50:29)
    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:688:14)
    at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:690:12)
    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18) {
  code: 'CredentialsError',
  time: 2021-09-28T01:36:45.659Z,
  requestId: '8aedc751-a552-449c-af2b-4566e3160d98',
  statusCode: 400,
  retryable: false,
  retryDelay: 38.712174099272744,
  originalError: {
    message: 'Could not load credentials from ChainableTemporaryCredentials',
    code: 'CredentialsError',
    time: 2021-09-28T01:36:45.659Z,
    requestId: '8aedc751-a552-449c-af2b-4566e3160d98',
    statusCode: 400,
    retryable: false,
    retryDelay: 38.712174099272744,
    originalError: {
      message: "1 validation error detected: Value 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-1632793004697' at 'roleSessionName' failed to satisfy constraint: Member must have length less than or equal to 64",
      code: 'ValidationError',
      time: 2021-09-28T01:36:45.657Z,
      requestId: '8aedc751-a552-449c-af2b-4566e3160d98',
      statusCode: 400,
      retryable: false,
      retryDelay: 38.712174099272744
    }
  }
}
```

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
AWS-MattB authored and TikiTDO committed Feb 21, 2022
1 parent b16e0fe commit eab16a0
Showing 1 changed file with 1 addition and 1 deletion.
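The session-name scheme before and after this commit, side by side with a check against the STS AssumeRole constraints on `RoleSessionName` (2 to 64 characters, pattern `[\w+=,.@-]*`), as an added TypeScript example that is not code from aws-cdk or this commit. The `safeSessionName` variant, which also strips disallowed characters, is an assumption beyond what the commit does; the 52-character id and the timestamp used below are constructed test values.

```typescript
// Added example, not aws-cdk code. Constraints from the STS AssumeRole API:
// RoleSessionName is 2..64 characters matching [\w+=,.@-]*.
const MAX_ROLE_SESSION_NAME = 64;
const ROLE_SESSION_NAME_RE = /^[\w+=,.@-]{2,64}$/;

/** Scheme before the fix: id first, timestamp last. Length is unbounded. */
function legacySessionName(physicalResourceId: string, timestamp: number): string {
  return `${physicalResourceId}-${timestamp}`;
}

/** Scheme after the fix: timestamp first, so truncation drops the tail of the id. */
function cappedSessionName(physicalResourceId: string, timestamp: number): string {
  return `${timestamp}-${physicalResourceId}`.substring(0, MAX_ROLE_SESSION_NAME);
}

/** Assumed hardening (not in the commit): replace characters outside the
 *  allowed set before capping, so an id with spaces, slashes or colons
 *  cannot trigger a second ValidationError on the pattern constraint. */
function safeSessionName(physicalResourceId: string, timestamp: number): string {
  const sanitized = physicalResourceId.replace(/[^\w+=,.@-]/g, '_');
  return `${timestamp}-${sanitized}`.substring(0, MAX_ROLE_SESSION_NAME);
}

/** Local mirror of the STS-side validation, usable before calling AssumeRole. */
function isValidRoleSessionName(name: string): boolean {
  return ROLE_SESSION_NAME_RE.test(name);
}

// Constructed inputs: a 52-character physical id (like the redacted one in
// the log) and the epoch-millisecond timestamp quoted in the error.
const SAMPLE_ID = 'X'.repeat(52);
const SAMPLE_TS = 1632793004697;

console.log(legacySessionName(SAMPLE_ID, SAMPLE_TS).length);  // 66, rejected by STS
console.log(cappedSessionName(SAMPLE_ID, SAMPLE_TS).length);  // 64, accepted
console.log(safeSessionName('my stack/resource:1', SAMPLE_TS)); // timestamp + sanitized id
```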
Expand Up @@ -167,7 +167,7 @@ export async function handler(event: AWSLambda.CloudFormationCustomResourceEvent

const params = {
RoleArn: call.assumedRoleArn,
RoleSessionName: `${physicalResourceId}-${timestamp}`,
RoleSessionName: `${timestamp}-${physicalResourceId}`.substring(0, 64),
};

AWS.config.credentials = new AWS.ChainableTemporaryCredentials({
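Review bot: The `.substring(0, 64)` on the changed `RoleSessionName` line satisfies the length constraint but not the other constraint STS AssumeRole applies to this field, which must match `[\w+=,.@-]*` (minimum length 2); `physicalResourceId` comes from the custom resource definition and can contain characters such as spaces, slashes or colons, which this line still passes through and which would produce the same kind of ValidationError as the one in the commit message. Consider replacing disallowed characters before truncating, e.g. `RoleSessionName: `${timestamp}-${physicalResourceId.replace(/[^\w+=,.@-]/g, '_')}`.substring(0, 64),`, and moving the literal 64 into a named constant with a comment pointing at the IAM quota page linked in the commit message.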
