From eab16a0cbbe64d9789f3e71fc22b1517ad273e42 Mon Sep 17 00:00:00 2001
From: Matt Berry <maberry+github@amazon.com>
Date: Thu, 21 Oct 2021 14:50:27 -0700
Subject: [PATCH] fix(custom-resources): Role Session Name can exceed maximum
 size (#16680)

The provider used the physical resource id and the epoch time as
the name of the assumed role session. Unfortunately, the maximum
length of these two fields combined can exceed the 64 character
limit on a role session name.

The role session name is not extremely important, it's purely
for human consumption. Nothing ensures that every assumed role
session has a unique role session name. For a unique identifier,
the session's access key identifier should be used instead.

This change caps the generate role session name at 64 characters
and moves the timestamp to the front, so that it is not the
portion of the name that is truncated.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html


```
2021-09-28T01:36:45.780Z	fc8f6e02-d746-441b-b07c-5e2b836087a0	INFO	Error [CredentialsError]: Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1
    at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/query.js:50:29)
    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:688:14)
    at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:690:12)
    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18) {
  code: 'CredentialsError',
  time: 2021-09-28T01:36:45.659Z,
  requestId: '8aedc751-a552-449c-af2b-4566e3160d98',
  statusCode: 400,
  retryable: false,
  retryDelay: 38.712174099272744,
  originalError: {
    message: 'Could not load credentials from ChainableTemporaryCredentials',
    code: 'CredentialsError',
    time: 2021-09-28T01:36:45.659Z,
    requestId: '8aedc751-a552-449c-af2b-4566e3160d98',
    statusCode: 400,
    retryable: false,
    retryDelay: 38.712174099272744,
    originalError: {
      message: "1 validation error detected: Value 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-1632793004697' at 'roleSessionName' failed to satisfy constraint: Member must have length less than or equal to 64",
      code: 'ValidationError',
      time: 2021-09-28T01:36:45.657Z,
      requestId: '8aedc751-a552-449c-af2b-4566e3160d98',
      statusCode: 400,
      retryable: false,
      retryDelay: 38.712174099272744
    }
  }
}
```

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 .../custom-resources/lib/aws-custom-resource/runtime/index.ts   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/@aws-cdk/custom-resources/lib/aws-custom-resource/runtime/index.ts b/packages/@aws-cdk/custom-resources/lib/aws-custom-resource/runtime/index.ts
index 68156b6412958..a805fc8c2bf4d 100644
--- a/packages/@aws-cdk/custom-resources/lib/aws-custom-resource/runtime/index.ts
+++ b/packages/@aws-cdk/custom-resources/lib/aws-custom-resource/runtime/index.ts
@@ -167,7 +167,7 @@ export async function handler(event: AWSLambda.CloudFormationCustomResourceEvent
 
         const params = {
           RoleArn: call.assumedRoleArn,
-          RoleSessionName: `${physicalResourceId}-${timestamp}`,
+          RoleSessionName: `${timestamp}-${physicalResourceId}`.substring(0, 64),
         };
 
         AWS.config.credentials = new AWS.ChainableTemporaryCredentials({