How to set AWS Source Identity?

[vin]

Is your feature request related to a problem? Please describe.
We have multiple developers using the same role, and we'd like to be able to audit who performed actions using it.

Describe the solution you'd like
Support for the SourceIdentity attribute described here:
https://aws.amazon.com/blogs/security/how-to-integrate-aws-sts-sourceidentity-with-your-identity-provider/
So that the github username is made available to AWS STS as a SourceIdentity.

Describe alternatives you've considered
We've considered manually passing in the $GITHUB_USER in our scripts, but this requires separate logic for github codespaces vs running on a laptop ($GITHUB_USER vs $USER and/or $LOGNAME) and it requires scripts to remember to do it every time, leaving holes in our audit log if it's ever omitted.

Additional context
n/a

[cnuss]

Hey @vin!

Try this...

In your saml-to.yaml:

  aws:
      entityId: https://signin.aws.amazon.com/saml
      acsUrl: https://signin.aws.amazon.com/saml
      attributes:
        https://aws.amazon.com/SAML/Attributes/RoleSessionName: '...'
        https://aws.amazon.com/SAML/Attributes/SessionDuration: '...'
        https://aws.amazon.com/SAML/Attributes/Role: '...'
+       https://aws.amazon.com/SAML/Attributes/SourceIdentity: '<#= user.github.login #>'

Alternatively you can use things like:

• <#= user.github.email #>
• <#= user.github.firstName #>
• <#= user.github.lastName #>

Or you can build a string in https://aws.amazon.com/SAML/Attributes/SourceIdentity: that concatenates any string you like.

Here's a list of the substitutions available: https://docs.saml.to/configuration/reference/substitutions

[cnuss]

As an advanced example you wanted to include full information of what/who/where:

https://aws.amazon.com/SAML/Attributes/SourceIdentity: 'user:<#= user.github.login #>,repo:<#= repo.name #>,org:<#= system.organization #>'

to have user:cnuss,repo:my-repo,org:my-org show up in your STS logs.