fix(custom-resources): Role Session Name can exceed maximum size
The provider used the physical resource id and the epoch time as
the name of the assumed role session. Unfortunately, the maximum
length of these two fields combined can exceed the 64 character
limit on a role session name.

The role session name is not extremely important; it's purely
for human consumption. Nothing ensures that every assumed role
session has a unique role session name. For a unique identifier,
the session's access key identifier should be used instead.

This change caps the generated role session name at 64 characters
and moves the timestamp to the front, so that it is not the
portion of the name that is truncated.
Matt Berry committed Sep 28, 2021
1 parent d21561a commit bbc5620
Showing 1 changed file with 1 addition and 1 deletion.
Expand Up @@ -167,7 +167,7 @@ export async function handler(event: AWSLambda.CloudFormationCustomResourceEvent

const params = {
RoleArn: call.assumedRoleArn,
RoleSessionName: `${physicalResourceId}-${timestamp}`,
RoleSessionName: `${timestamp}-${physicalResourceId}`.substring(0, 64),
};

AWS.config.credentials = new AWS.ChainableTemporaryCredentials({
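
Review bot: the `.substring(0, 64)` on the new `RoleSessionName` line uses a bare literal with nothing in the code tying it to the role session name length limit, and the commit touches only this one line, so no test covers a physical resource id long enough to trigger truncation. Suggest a named constant (for example a hypothetical `MAX_ROLE_SESSION_NAME_LENGTH`) with a short comment, plus a unit test asserting that the resulting name is at most 64 characters and still begins with the timestamp. Truncation also only addresses length: if `physicalResourceId` can contain characters that a role session name does not accept, the assume-role call would still be rejected, so it is worth confirming or normalizing the character set at this point as well.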