AWS CLI does not propagate session tags through profiles due to lack of TransitiveTagKeys support #8953

@matpompili

Describe the feature

Adding an option to the [profile ...] section of the config file that allows the use of transitive tags during assume role chains.

[profile sso-user]
sso_session = my-sso-session
source_profile = sso-user-access
role_arn = arn:aws:iam::123456789012:role/SSOUserRole
region = us-east-1
transitive_tags = my_transitive_tag # <- new option

Use Case

When calling any command in the CLI with the --profile option, the CLI automatically runs an assume_role chain to get credentials for the target profile.

To enable the use of ABAC policies via the CLI, one needs to be able to specify what tags need to be carried through the assume role chain.

Proposed Solution

No response

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CLI version used

aws-cli/2.17.24 Python

Environment details (OS name and version, etc.)

3.11.9 Darwin/22.6.0 source/arm64
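
Until a profile option like the one requested exists, the tags can be set outside the profile chain. The sketch below is an added example, not part of the original issue and not AWS CLI code: a `credential_process` helper that calls `sts:AssumeRole` with `Tags` and `TransitiveTagKeys` and prints credentials in the JSON shape the CLI expects. The function name, the `cli-abac` session name and the argument layout are assumptions made for illustration.

```python
"""credential_process helper: assume a role with transitive session tags."""
import json
import sys


def assume_with_transitive_tags(sts, role_arn, session_name, tags, transitive_keys):
    """Call AssumeRole with session tags; return credential_process JSON.

    `sts` is any object exposing boto3's STS client `assume_role` method.
    """
    missing = sorted(k for k in transitive_keys if k not in tags)
    if missing:
        # Local check in this helper: every transitive key needs a tag value.
        raise ValueError(f"transitive keys without a tag value: {missing}")
    resp = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        Tags=[{"Key": k, "Value": v} for k, v in sorted(tags.items())],
        TransitiveTagKeys=sorted(transitive_keys),
    )
    creds = resp["Credentials"]
    expiration = creds["Expiration"]
    if hasattr(expiration, "isoformat"):  # boto3 returns a datetime here
        expiration = expiration.isoformat()
    # Output format read by the CLI/SDKs from a credential_process command.
    return json.dumps({
        "Version": 1,
        "AccessKeyId": creds["AccessKeyId"],
        "SecretAccessKey": creds["SecretAccessKey"],
        "SessionToken": creds["SessionToken"],
        "Expiration": expiration,
    })


def main(argv):
    # Hypothetical usage: helper.py <role_arn> <source_profile> key=value ...
    import boto3  # imported lazily so the function above works without boto3
    role_arn, source_profile, *pairs = argv
    tags = dict(p.split("=", 1) for p in pairs)
    sts = boto3.Session(profile_name=source_profile).client("sts")
    # In this sketch every tag passed on the command line is made transitive.
    print(assume_with_transitive_tags(sts, role_arn, "cli-abac", tags, set(tags)))


if __name__ == "__main__":
    main(sys.argv[1:])
```

A profile would reference the helper through its `credential_process` setting instead of `role_arn`/`source_profile`. The target role's trust policy must also allow `sts:TagSession` for the calling principal, or the tagged AssumeRole call is denied.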

Metadata

Assignees

No one assigned

    Labels

    configuration; feature-request (A feature should be added or improved.); p2 (This is a standard priority issue)
