I have a scenario in which I want to have access to resources within one account from another one in AWS (cross-account access) in code. And I want to implement this access using NodeJs, implemented as lambda function and also as a long-running code on EC2.
Reading how to do this online, I know I need temporary credentials generated by aws.STS, like this:
const AWS = require('aws-sdk');
const sts = new AWS.STS();
const stsResults = await sts.assumeRole({
RoleArn: 'arn:aws:iam::111111111111:role/role_name',
RoleSessionName: 'STRING_VALUE',
}).promise();
const dynamodb = new AWS.DynamoDB({
region: 'us-east-1',
accessKeyId: stsResults.Credentials.AccessKeyId,
secretAccessKey:stsResults.Credentials.SecretAccessKey,
sessionToken: stsResults.Credentials.SessionToken
});
My question is about the RoleSessionName attribute which is a required one. I'm having a hard time understanding what it does and how I should use it. This is what the AWS documentation has to say about it:
RoleSessionName — (String) An identifier for the assumed role session.
Use the role session name to uniquely identify a session when the same role is assumed by different principals or for different reasons. In cross-account scenarios, the role session name is visible to, and can be logged by the account that owns the role. The role session name is also used in the ARN of the assumed role principal. This means that subsequent cross-account API requests that use the temporary security credentials will expose the role session name to the external account in their AWS CloudTrail logs.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
Personally, I'm not concerned about security since both accounts are owned by the same company and the only reason to have multiple accounts is to logically separate resources. What I would like to know is the impact of this attribute on the performance of the assumeRole function call. Should I use the same RoleSessionName for all my lambda functions? Should I create a random ID each time I create a new session?
As per the documentation you quoted:
Use the role session name to uniquely identify a session when the same role is assumed by different principals or for different reasons.
Let's say you have an IAM Role and it is assumed by a program. This will return a set of temporary credentials that can be used to access AWS services.
In an audit trail, anything done by the Role will be tracked as having been done by the Role (not by the entity that assumed the Role). This makes it difficult to trace back the source of these API calls, since the role could be assumed by "different principals or for different reasons". For example, multiple programs might use the role.
To assist in tracing the 'origin' of such requests, the RoleSessionName is provided to identify the particular assumption. It's there to help you identify which app is using the credentials.