gravitational · greedy52 · Aug 20, 2024 · Jul 30, 2024 · Aug 7, 2024 · Aug 12, 2024
diff --git a/api/proto/teleport/legacy/types/events/events.proto b/api/proto/teleport/legacy/types/events/events.proto
@@ -2745,6 +2745,13 @@ message AppSessionStart {
     (gogoproto.embed) = true,
     (gogoproto.jsontag) = ""
   ];
+
+  // AWS contains common AWS session information.
+  AWSSessionMetadata AWS = 9 [
-  AWSSessionMetadata AWS = 9 [
+  AWSMetadata AWS = 9 [
-  AWSSessionMetadata AWS = 9 [
+  AWSMetadata AWS = 9 [
+    (gogoproto.nullable) = false,
+    (gogoproto.embed) = true,
+    (gogoproto.jsontag) = ""
+  ];
 }
 
 // AppSessionEnd is emitted when an application session ends.
@@ -2874,6 +2881,13 @@ message AppSessionRequest {
   ];
 }
 
+// AWSSessionMetadata contains extra AWS metadata of an AWS session.
+message AWSSessionMetadata {
+  // AWSRoleSessionName is used to specify the username when assuming the AWS
+  // IAM role.
+  string AWSRoleSessionName = 1 [(gogoproto.jsontag) = "aws_role_session_name,omitempty"];
+}
+
 // AWSRequestMetadata contains extra AWS metadata of an AppSessionRequest.
 message AWSRequestMetadata {
   // AWSRegion is the requested AWS region.

diff --git a/api/types/events/events.pb.go b/api/types/events/events.pb.go
diff --git a/docs/pages/enroll-resources/application-access/cloud-apis/aws-console.mdx b/docs/pages/enroll-resources/application-access/cloud-apis/aws-console.mdx
@@ -668,6 +668,20 @@ username which you can search for to get the events history:
 
 ![CloudTrail](../../../../img/application-access/cloud-trail.png)
 
+When you access an AWS application in a remote cluster, the remote cluster will
+use the name `remote-<your-teleport-username>-<root-cluster-name>` for your
+federated session. This is to prevent any naming collisions with users in the
+remote cluster.
+
+<Admonition type="warning" title="Long Usernames">
+AWS imposes a 64-character limit on role session names. If a Teleport username
+exceeds this length, Teleport generates a hash and combines it with the
+original username to fit within the 64-character limit.
+</Admonition>
+
+You can also locate the federated username in the `aws_role_session_name` field
+within the "App Session Start" (`app.session.start`) audit event.
+
 ## Troubleshooting
 
 Read this section if you run into issues while following this guide.

diff --git a/lib/auth/sessions.go b/lib/auth/sessions.go
@@ -46,6 +46,7 @@ import (
 	"github.com/gravitational/teleport/lib/sshutils"
 	"github.com/gravitational/teleport/lib/tlsca"
 	"github.com/gravitational/teleport/lib/utils"
+	awsutils "github.com/gravitational/teleport/lib/utils/aws"
 )
 
 // NewWebSessionRequest defines a request to create a new user
@@ -623,6 +624,12 @@ func (a *Server) CreateAppSessionFromReq(ctx context.Context, req NewAppSessionR
 			AppPublicAddr: req.PublicAddr,
 			AppName:       req.AppName,
 		},
+		AWSSessionMetadata: apievents.AWSSessionMetadata{
+			// Make an educated guess of the role session name. We have to
+			// guess here since this event is emitted on Auth instead of the
+			// App service that issues the actual AssumeRole call.
+			AWSRoleSessionName: guessAWSRoleSessionName(clusterName.GetClusterName(), req),
+		},
 	})
 	if err != nil {
 		log.WithError(err).Warn("Failed to emit app session start event")
@@ -792,3 +799,13 @@ func (a *Server) CreateSAMLIdPSession(ctx context.Context, req types.CreateSAMLI
 
 	return session, nil
 }
+
+// guessAWSRoleSessionName make an educated guess of the role session name.
+func guessAWSRoleSessionName(localClusterName string, req NewAppSessionRequest) string {
+	// App service uses the Teleport username as the RoleSessionName.
+	user := req.User
+	if req.ClusterName != "" && localClusterName != req.ClusterName {
+		user = services.UsernameForRemoteCluster(req.User, localClusterName)
+	}
+	return awsutils.MaybeHashRoleSessionName(user)
+}
diff --git a/lib/auth/sessions_test.go b/lib/auth/sessions_test.go
@@ -18,6 +18,7 @@ package auth
 
 import (
 	"context"
+	"fmt"
 	"testing"
 	"time"
 
@@ -83,3 +84,35 @@ func TestServer_CreateWebSessionFromReq_deviceWebToken(t *testing.T) {
 		}
 	})
 }
+
+func Test_guessAWSRoleSessionName(t *testing.T) {
+	localClusterName := "teleport.abigcompany.com"
+
+	for _, tt := range []struct {
+		request  NewAppSessionRequest
+		expected string
+	}{
+		{
+			request: NewAppSessionRequest{
+				NewWebSessionRequest: NewWebSessionRequest{
+					User: "[email protected]",
+				},
+				ClusterName: "teleport.abigcompany.com",
+			},
+			expected: "[email protected]",
+		},
+		{
+			request: NewAppSessionRequest{
+				NewWebSessionRequest: NewWebSessionRequest{
+					User: "[email protected]",
+				},
+				ClusterName: "leaf.teleport.abigcompany.com",
+			},
+			expected: "remote-raimundo.oliveir-8fe1f87e599b043e6a0108338feee3f111e9c1e4",
+		},
+	} {
+		t.Run(fmt.Sprintf("%s@%s", tt.request.User, tt.request.ClusterName), func(t *testing.T) {
+			require.Equal(t, tt.expected, guessAWSRoleSessionName(localClusterName, tt.request))
+		})
+	}
+}
diff --git a/lib/srv/app/cloud.go b/lib/srv/app/cloud.go
@@ -191,7 +191,7 @@ func (c *cloud) getAWSSigninToken(ctx context.Context, req *AWSSigninRequest, en
 	options = append(options, func(creds *stscreds.AssumeRoleProvider) {
 		// Setting role session name to Teleport username will allow to
 		// associate CloudTrail events with the Teleport user.
-		creds.RoleSessionName = req.Identity.Username
+		creds.RoleSessionName = awsutils.MaybeHashRoleSessionName(req.Identity.Username)
 
 		// Setting web console session duration through AssumeRole call for AWS
 		// sessions with temporary credentials.

diff --git a/lib/utils/aws/aws.go b/lib/utils/aws/aws.go
@@ -21,7 +21,10 @@ package aws
 import (
 	"bytes"
 	"context"
+	"crypto/sha1"
+	"encoding/hex"
 	"fmt"
+	"log/slog"
 	"net/http"
 	"net/textproto"
 	"sort"
@@ -33,7 +36,6 @@ import (
 	v4 "github.com/aws/aws-sdk-go/aws/signer/v4"
 	"github.com/aws/aws-sdk-go/service/iam"
 	"github.com/gravitational/trace"
-	"github.com/sirupsen/logrus"
 
 	apievents "github.com/gravitational/teleport/api/types/events"
 	apiawsutils "github.com/gravitational/teleport/api/utils/aws"
@@ -68,6 +70,10 @@ const (
 	AmzJSON1_0 = "application/x-amz-json-1.0"
 	// AmzJSON1_1 is an AWS Content-Type header that indicates the media type is JSON.
 	AmzJSON1_1 = "application/x-amz-json-1.1"
+
+	// MaxRoleSessionName is the maximum length of the role session name used by the AssumeRole call.
+	// https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html
+	MaxRoleSessionName = 64
-	MaxRoleSessionName = 64
+	MaxRoleSessionNameLength = 64
-	MaxRoleSessionName = 64
+	MaxRoleSessionNameLength = 64
 )
 
 // SigV4 contains parsed content of the AWS Authorization header.
@@ -249,7 +255,7 @@ func FilterAWSRoles(arns []string, accountID string) (result Roles) {
 	for _, roleARN := range arns {
 		parsed, err := ParseRoleARN(roleARN)
 		if err != nil {
-			logrus.Warnf("skipping invalid AWS role ARN: %v", err)
+			slog.WarnContext(context.Background(), "Skipping invalid AWS role ARN.", "error", err)
 			continue
 		}
 		if accountID != "" && parsed.AccountID != accountID {
@@ -484,3 +490,30 @@ func iamResourceARN(partition, accountID, resourceType, resourceName string) str
 		Resource:  fmt.Sprintf("%s/%s", resourceType, resourceName),
 	}.String()
 }
+
+// MaybeHashRoleSessionName truncates the role session name and adds a hash
+// when the original role session name is greater than AWS character limit
+// (64).
+func MaybeHashRoleSessionName(roleSessionName string) (ret string) {
+	if len(roleSessionName) <= MaxRoleSessionName {
+		return roleSessionName
+	}
+
+	hash := sha1.New()
+	hash.Write([]byte(roleSessionName))
+	hex := hex.EncodeToString(hash.Sum(nil))
+
+	// "1" for the delimiter.
+	keepPrefixIndex := MaxRoleSessionName - len(hex) - 1
+
+	if keepPrefixIndex < 0 {
+		// This should not happen since sha1 length and MaxRoleSessionName are
+		// both constant.
+		ret = hex[:MaxRoleSessionName]
+	} else {
+		ret = fmt.Sprintf("%s-%s", roleSessionName[:keepPrefixIndex], hex)
+	}
+
+	slog.DebugContext(context.Background(), "AWS role session name is too long. Using a hash instead.", "hashed", ret, "original", roleSessionName)
+	return ret
+}
diff --git a/lib/utils/aws/aws_test.go b/lib/utils/aws/aws_test.go
@@ -493,3 +493,33 @@ func TestResourceARN(t *testing.T) {
 		})
 	}
 }
+
+func TestMaybeHashRoleSessionName(t *testing.T) {
+	for _, tt := range []struct {
+		name     string
+		role     string
+		expected string
+	}{
+		{
+			name:     "role session name not hashed, less than 64 characters",
+			role:     "MyRole",
+			expected: "MyRole",
+		},
+		{
+			name:     "role session name not hashed, exactly 64 characters",
+			role:     "Role1234567890123456789012345678901234567890",
+			expected: "Role1234567890123456789012345678901234567890",
+		},
+		{
+			name:     "role session name hashed, longer than 64 characters",
+			role:     "remote-raimundo.oliveira@abigcompany.com-teleport.abigcompany.com",
+			expected: "remote-raimundo.oliveir-8fe1f87e599b043e6a0108338feee3f111e9c1e4",
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			actual := MaybeHashRoleSessionName(tt.role)
+			require.Equal(t, tt.expected, actual)
+			require.LessOrEqual(t, len(actual), MaxRoleSessionName)
+		})
+	}
+}
diff --git a/lib/utils/aws/credentials.go b/lib/utils/aws/credentials.go
@@ -74,7 +74,7 @@ func (g *credentialsGetter) Get(_ context.Context, request GetCredentialsRequest
 	logrus.Debugf("Creating STS session %q for %q.", request.SessionName, request.RoleARN)
 	return stscreds.NewCredentials(request.Provider, request.RoleARN,
 		func(cred *stscreds.AssumeRoleProvider) {
-			cred.RoleSessionName = request.SessionName
+			cred.RoleSessionName = MaybeHashRoleSessionName(request.SessionName)
 			cred.Expiry.SetExpiration(request.Expiry, 0)
 
 			if request.ExternalID != "" {