Truncate AssumeRole session name to API limits

[joaoubaldo]

The issue describes the problem in more detail but essentially Teleport does not have any role session name restriction when calling AWS AssumeRole API. This is causing an AWS API error to propagate to the client and prevents calling the AWS API through Teleport in some conditions (the issue is likely more frequent in trusted clusters configurations due to the way the role session name is computed).

This PR proposes a potential fix regarding the limitation above by truncating the role session name to match AWS AssumeRole API limits.

The error that is being propagated to the client is:

... roleSessionName - failed to satisfy constraint: Member must have length less than or equal to 64...

Issue #44833

[CLAassistant]

All committers have signed the CLA.

[greedy52]

@joaoubaldo 👏

Thanks for making the fix. I can even reproduce this with a local cluster but with a very long username.

The fix is reasonable. The only issue is you have to use shortened name when searching cloud trails. We will do some improvements separately from this PR:

• put a sts_session_name value in Teleport audit log for easier cross referencing
• update our AWS guide on cloud trail search for leaf cluster and long names

(You don't have to worry about these. We can do it afterwards.)

As for the fix itself, it fixes the AWS console, but tsh aws still fails for the same reason. Could you apply the same fix here?

teleport/lib/utils/aws/credentials.go

Lines 73 to 78 in 3685274

	func (g *credentialsGetter) Get(_ context.Context, request GetCredentialsRequest) (*credentials.Credentials, error) {
	logrus.Debugf("Creating STS session %q for %q.", request.SessionName, request.RoleARN)
	return stscreds.NewCredentials(request.Provider, request.RoleARN,
	func(cred *stscreds.AssumeRoleProvider) {
	cred.RoleSessionName = request.SessionName
	cred.Expiry.SetExpiration(request.Expiry, 0)

I will open a buddy PR once ready.

Thanks again for contributing!

[joaoubaldo]

@joaoubaldo 👏

Thanks for making the fix. I can even reproduce this with a local cluster but with a very long username.

The fix is reasonable. The only issue is you have to use shortened name when searching cloud trails. We will do some improvements separately from this PR:

• put a sts_session_name value in Teleport audit log for easier cross referencing
• update our AWS guide on cloud trail search for leaf cluster and long names

(You don't have to worry about these. We can do it afterwards.)

As for the fix itself, it fixes the AWS console, but tsh aws still fails for the same reason. Could you apply the same fix here?

teleport/lib/utils/aws/credentials.go

Lines 73 to 78 in 3685274

	func (g *credentialsGetter) Get(_ context.Context, request GetCredentialsRequest) (*credentials.Credentials, error) {
	logrus.Debugf("Creating STS session %q for %q.", request.SessionName, request.RoleARN)
	return stscreds.NewCredentials(request.Provider, request.RoleARN,
	func(cred *stscreds.AssumeRoleProvider) {
	cred.RoleSessionName = request.SessionName
	cred.Expiry.SetExpiration(request.Expiry, 0)

I will open a buddy PR once ready.

Thanks again for contributing!

@greedy52 thanks for checking. Your suggestion about applying the fix to tsh aws was already in place right?