Add support for custom role session name #78

Merged (7 commits), Aug 22, 2024
Showing changes from 3 commits
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -79,7 +79,7 @@ Signs a fixed strings: `"AWS Roles Anywhere Credential Helper Signing Test" || S

### credential-process

Vends temporary credentials by sending a `CreateSession` request to the Roles Anywhere service. The request is signed by the private key whose path can be provided with the `--private-key` parameter. Currently, only plaintext private keys are supported. Other parameters include `--certificate` (the path to the end-entity certificate), `--role-arn` (the ARN of the role to obtain temporary credentials for), `--profile-arn` (the ARN of the profile that provides a mapping for the specified role), and `--trust-anchor-arn` (the ARN of the trust anchor used to authenticate). Optional parameters that can be used are `--debug` (to provide debugging output about the request sent), `--no-verify-ssl` (to skip verification of the SSL certificate on the endpoint called), `--intermediates` (the path to intermediate certificates), `--with-proxy` (to make the binary proxy aware), `--endpoint` (the endpoint to call), `--region` (the region to scope the request to), and `--session-duration` (the duration of the vended session). Instead of passing in paths to the plaintext private key on your file system, another option could be to use the [PKCS#11 integration](#pkcs11-integration) (using the `--pkcs11-pin` flag to locate objects in PKCS#11 tokens) or (depending on your OS) use the `--cert-selector` flag. More details about the `--cert-selector` flag can be found in [this section](#cert-selector-flag).
Vends temporary credentials by sending a `CreateSession` request to the Roles Anywhere service. The request is signed by the private key whose path can be provided with the `--private-key` parameter. Currently, only plaintext private keys are supported. Other parameters include `--certificate` (the path to the end-entity certificate), `--role-arn` (the ARN of the role to obtain temporary credentials for), `--profile-arn` (the ARN of the profile that provides a mapping for the specified role), and `--trust-anchor-arn` (the ARN of the trust anchor used to authenticate). Optional parameters that can be used are `--debug` (to provide debugging output about the request sent), `--no-verify-ssl` (to skip verification of the SSL certificate on the endpoint called), `--intermediates` (the path to intermediate certificates), `--with-proxy` (to make the binary proxy aware), `--endpoint` (the endpoint to call), `--region` (the region to scope the request to), `--session-duration` (the duration of the vended session), and `--role-session-name` (an identifier of the role session). Instead of passing in paths to the plaintext private key on your file system, another option could be to use the [PKCS#11 integration](#pkcs11-integration) (using the `--pkcs11-pin` flag to locate objects in PKCS#11 tokens) or (depending on your OS) use the `--cert-selector` flag. More details about the `--cert-selector` flag can be found in [this section](#cert-selector-flag).
Contributor:
I guess we should remove the line that says, "Currently, only plaintext private keys are supported". But it's unrelated to your change - I can address it in another PR.


Note that if more than one certificate matches the `--cert-selector` parameter within the OS-specific secure store, the `credential-process` command will fail. To find the list of certificates that match a given `--cert-selector` parameter, you can use the same flag with the `read-certificate-data` command.
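Review bot: the description added for `--role-session-name` on the `+` line ("an identifier of the role session") is thinner than the descriptions of the neighbouring optional flags and leaves the reader guessing at the contract. Say what the identifier is used for, what the service does when the flag is omitted (the request code still sends no session name in that case), and either the length and character constraints the `CreateSession` API enforces or a link to the API reference that states them, so users get a clear error from the docs rather than from a rejected request.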

4 changes: 4 additions & 0 deletions aws_signing_helper/credentials.go
Expand Up @@ -32,6 +32,7 @@ type CredentialsOpts struct {
Version string
LibPkcs11 string
ReusePin bool
RoleSessionName string
}

// Function to create session and generate credentials
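Review bot: the new `RoleSessionName string` field on `CredentialsOpts` has no comment, so nothing tells a reader whether the empty string means "let the service choose" or is an error. A one-line doc comment, e.g. `RoleSessionName string // optional; sent as CreateSession roleSessionName only when non-empty`, would make the contract explicit at the point where the option is declared rather than only in the call site that consumes it.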
Expand Down Expand Up @@ -107,6 +108,9 @@ func GenerateCredentials(opts *CredentialsOpts, signer Signer, signatureAlgorith
RoleArn: &opts.RoleArn,
SessionName: nil,
}
if opts.RoleSessionName != "" {
createSessionRequest.RoleSessionName = &opts.RoleSessionName
}
output, err := rolesAnywhereClient.CreateSession(&createSessionRequest)
if err != nil {
return CredentialProcessOutput{}, err
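Review bot: the request literal still hard-codes `SessionName: nil` directly above the new block that conditionally fills `RoleSessionName`, so `createSessionRequest` now carries two session-name-like fields, one always nil and one optional, and the next reader will suspect one of them is a mistake. Either add a comment explaining why `SessionName` stays nil, or move the assignment into the literal via a small helper that returns nil for the empty string, so both fields are visible and explained in one place. The `!= ""` guard itself is correct and should stay: a pointer to an empty string would be serialised as an explicit empty `roleSessionName` rather than omitting the field, so replacing the conditional with an unconditional `&opts.RoleSessionName` would change the request.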
3 changes: 3 additions & 0 deletions cmd/credentials.go
Expand Up @@ -22,6 +22,7 @@ var (
withProxy bool
debug bool
reusePin bool
roleSessionName string

certificateId string
privateKeyId string
Expand Down Expand Up @@ -72,6 +73,7 @@ func initCredentialsSubCommand(subCmd *cobra.Command) {
subCmd.PersistentFlags().BoolVar(&reusePin, "reuse-pin", false, "Use the CKU_USER PIN as the CKU_CONTEXT_SPECIFIC PIN for "+
"private key objects, when they are first used to sign. If the CKU_USER PIN doesn't work as the CKU_CONTEXT_SPECIFIC PIN "+
"for a given private key object, fall back to prompting the user")
subCmd.PersistentFlags().StringVar(&roleSessionName, "role-session-name", "", "An identifier of a role session")

subCmd.MarkFlagsMutuallyExclusive("certificate", "cert-selector")
subCmd.MarkFlagsMutuallyExclusive("certificate", "system-store-name")
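Review bot: the help text "An identifier of a role session" on the `+` line does not say whether the flag is optional or what happens when it is left empty, in contrast to the detailed `--reuse-pin` text just above it; state that it is optional and describe the default behaviour when it is omitted. Because the flag is registered via `PersistentFlags()` inside `initCredentialsSubCommand`, it is exposed on every subcommand that calls this function, so the README should document it wherever those subcommands are described, not only under `credential-process`.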
Expand Down Expand Up @@ -242,6 +244,7 @@ func PopulateCredentialsOptions() error {
Version: Version,
LibPkcs11: libPkcs11,
ReusePin: reusePin,
RoleSessionName: roleSessionName,
}

return nil
12 changes: 12 additions & 0 deletions rolesanywhere/api.go

Some generated files are not rendered by default.