aws codecommit create-pull-request console user incorrect when using a profile with delegated role via sts #8178
Comments
Hello @randybasrs - thank you for reaching out with a very detailed submission. If I understand correctly, you're creating pull requests with cross-account access and the behavior you're seeing is the incorrect author username on the PR. I attempted to reproduce it on my end but unfortunately I'm not seeing the same behavior. However, I found this community post titled "Commit has the wrong author" that I think might be relevant. Let me know if that's the same behavior. I'm also going to reach out to the service team on your behalf to ask for their insights. Hope that helps!
Apologies for the delay, I had reached out to the CodeCommit team to get their insight on the API and will report back once I hear back. (ref: V1439111126)
Given the news that CodeCommit is being deprecated, I am closing this issue. Thanks for following up on it. It was still on my list to work with you as well, but I suppose we'll be moving to a different Git service now. Have a nice day!
Describe the bug
The author of a PR appears incorrect when using the following command: aws codecommit create-pull-request --title $title --description $description --targets repositoryName=$repositoryName,sourceReference=$branchName --profile $profileName
In this case we're calling this from PowerShell. This command does submit a PR, but when we look at the GUI for CodeCommit it shows botocore-session-1234567890, where 1234567890 is the botocore session ID, I guess. This may be technically correct due to how the account switching is done in the code, but it does not provide information in the AWS GUI as to who actually created the PR and will not allow us to use this method as part of our PR process. Being able to see that from the AWS GUI is a requirement of our infosec team, and since the GUI properly displays this information when submitting a PR, it seems like perhaps a change that can be made in the CLI.
Expected Behavior
When the same action is performed through the AWS console with the same user role the author shows properly as the username who submitted the PR. This is what I would expect from the CLI as well.
Current Behavior
There are no errors in the process; it works great and creates the PR, but it just does not have the proper authorship information to allow us to review it and use it in our process.
We use a home account to log users in and then switch role to a role with permissions to CodeCommit in a separate account, so when running the command we use the --profile flag to provide the profile. The base user has MFA, so MFA is required, but that part of the process also functions properly.
Reproduction Steps
Setup:
Create/use 2 accounts, with a user in account A and a role in account B that has CodeCommit access to a repo you create.
Create a repository in account B with data in the main branch.
Create 2 branches in that repository, each with a change, for the 2 scenarios below:
GUI:
Log the user into account A.
Switch role to account B, to a role with permissions to create a PR on the target repo from a branch to main. (Targets are irrelevant, but this is how we are using it.)
Navigate to the branch in CodeCommit and create the PR, filling out the title and the description with references to this being the GUI test for the PR process.
Look at the PR list after it has been submitted; you will see the proper username in the user column.
CLI:
Create a proper AWS CLI credentials file with 2 entries:
The base entry for the user with the MFA device in account A
The second profile for account B using the delegated role:
Ex:
[AccountA]
region = us-west-2
aws_access_key_id = accesskeyid
aws_secret_access_key = secretaccesskey
mfa_serial = arn:aws:iam::accountAID:mfa/username
[AccountB]
region = us-west-2
role_arn = arn:aws:iam::accountBID:role/CodeCommitRoleName
source_profile = AccountA
mfa_serial = arn:aws:iam::accountAID:mfa/username
Run the command in the description above to submit a PR using the AccountB profile.
Check the PR interface in the AWS console. You will see the username for this PR is botosession.
Possible Solution
Handle role switching better, doing the submission the same way the AWS console does.
Additional Information/Context
We do not have access to AWS organizations in our environment. This should not be relevant but in this case the accounts are not part of an organization.
CLI version used
aws-cli/2.10.3 Python/3.9.11 Windows/10 exe/AMD64
Environment details (OS name and version, etc.)
Microsoft Windows 10 Enterprise: 10.0.19045 N/A Build 19045
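An added example, not part of the issue or of the aws-cli project, that shows the attribution point behind this report. The author CodeCommit displays for an API call is the session name embedded in the assumed-role ARN (arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION), and a profile that sets no session name gets botocore's generated one, which is the botocore-session-1234567890 author the reporter saw. The script derives a session name from the source user's ARN (the Arn field that `aws sts get-caller-identity --profile AccountA` returns), renders the AccountB profile from the issue with `role_session_name` added (a documented AWS CLI profile setting), and flags assumed-role ARNs, as they appear in CloudTrail or get-caller-identity output, whose session name is botocore's default. The account IDs, user names and ARNs used as inputs are constructed for the example.

```python
import re

# STS AssumeRole constrains RoleSessionName to 2-64 characters from [\w+=,.@-].
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")

# Shape of the session name botocore generates when a profile sets no
# role_session_name; this is the "botocore-session-1234567890" author in the issue.
BOTOCORE_DEFAULT_RE = re.compile(r"^botocore-session-\d+$")


def arn_resource(arn):
    """Return the resource part of an ARN, e.g. 'user/alice' or
    'assumed-role/CodeCommitRoleName/alice'."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[5]


def session_name_for(caller_arn):
    """Derive a RoleSessionName from the IAM user ARN of the source profile so
    the assumed-role ARN, and therefore the CodeCommit author, names the human.
    Any IAM path prefix is dropped and disallowed characters are replaced."""
    kind, _, path = arn_resource(caller_arn).partition("/")
    if kind != "user":
        raise ValueError(f"expected an IAM user ARN, got resource type {kind!r}")
    name = re.sub(r"[^\w+=,.@-]", "-", path.rsplit("/", 1)[-1])[:64]
    if not SESSION_NAME_RE.match(name):
        raise ValueError(f"cannot build a valid RoleSessionName from {caller_arn!r}")
    return name


def assumed_role_session(arn):
    """Return the session name from an STS assumed-role ARN, or None when the
    principal is not an assumed role."""
    kind, _, rest = arn_resource(arn).partition("/")
    if kind != "assumed-role" or "/" not in rest:
        return None
    return rest.split("/", 1)[1]


def is_attributable(arn):
    """True when the principal can be traced to a person: a plain IAM user, or an
    assumed role whose session name is not botocore's generated default."""
    session = assumed_role_session(arn)
    if session is None:
        return arn_resource(arn).startswith("user/")
    return not BOTOCORE_DEFAULT_RE.match(session)


def render_profile(profile, role_arn, source_profile, mfa_serial, session_name,
                   region="us-west-2"):
    """Render the AccountB-style profile from the issue (same section layout)
    with role_session_name added so the role switch carries the user's name."""
    if not SESSION_NAME_RE.match(session_name):
        raise ValueError(f"invalid role_session_name {session_name!r}")
    return (
        f"[{profile}]\n"
        f"region = {region}\n"
        f"role_arn = {role_arn}\n"
        f"source_profile = {source_profile}\n"
        f"mfa_serial = {mfa_serial}\n"
        f"role_session_name = {session_name}\n"
    )


if __name__ == "__main__":
    # Constructed inputs: what get-caller-identity on the source profile might return.
    caller = "arn:aws:iam::111111111111:user/engineering/alice"
    name = session_name_for(caller)
    print(render_profile("AccountB",
                         "arn:aws:iam::222222222222:role/CodeCommitRoleName",
                         "AccountA",
                         "arn:aws:iam::111111111111:mfa/alice",
                         name))
    for principal in (
        "arn:aws:sts::222222222222:assumed-role/CodeCommitRoleName/botocore-session-1234567890",
        f"arn:aws:sts::222222222222:assumed-role/CodeCommitRoleName/{name}",
    ):
        print(principal, "attributable" if is_attributable(principal) else "NOT attributable")
```

After updating the profile, `aws sts get-caller-identity --profile AccountB` should return an Arn whose last path segment is the chosen name rather than botocore-session-NNN; that segment is what the PR author shows. On the role side, the trust policy can refuse anonymous switches by requiring `sts:RoleSessionName` to equal `${aws:username}` in its condition, which turns this CLI configuration detail into an enforced control instead of a convention.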