feat(aws): Added AWS role session name parameter (#3234)

Co-authored-by: Sergio Garcia <sergargar1@gmail.com>
2026-02-10 06:45:08 +00:00 · 2024-01-08 13:49:13 +02:00
parent 9522d0c733
commit 558b7a54c7
9 changed files with 88 additions and 7 deletions
--- a/tests/lib/cli/parser_test.py
+++ b/tests/lib/cli/parser_test.py
@@ -5,7 +5,10 @@ import pytest
 from mock import patch

 from prowler.lib.cli.parser import ProwlerArgumentParser
-from prowler.providers.aws.lib.arguments.arguments import validate_bucket
+from prowler.providers.aws.lib.arguments.arguments import (
+    validate_bucket,
+    validate_role_session_name,
+)
 from prowler.providers.azure.lib.arguments.arguments import validate_azure_region

 prowler_command = "prowler"
@@ -1012,6 +1015,13 @@ class Test_Parser:
        parsed = self.parser.parse(command)
        assert parsed.sts_endpoint_region == sts_endpoint_region

+    def test_aws_parser_role_session_name(self):
+        argument = "--role-session-name"
+        role_session_name = "ProwlerAssessmentSession"
+        command = [prowler_command, argument, role_session_name]
+        parsed = self.parser.parse(command)
+        assert parsed.role_session_name == role_session_name
+
    def test_parser_azure_auth_sp(self):
        argument = "--sp-env-auth"
        command = [prowler_command, "azure", argument]
@@ -1164,3 +1174,25 @@ class Test_Parser:
        valid_bucket_names = ["bucket-name" "test" "test-test-test"]
        for bucket_name in valid_bucket_names:
            assert validate_bucket(bucket_name) == bucket_name
+
+    def test_validate_role_session_name_invalid_role_names(self):
+        bad_role_names = [
+            "role name",
+            "adasD*",
+            "test#",
+            "role-name?",
+        ]
+        for role_name in bad_role_names:
+            with pytest.raises(ArgumentTypeError) as argument_error:
+                validate_role_session_name(role_name)
+
+            assert argument_error.type == ArgumentTypeError
+            assert (
+                argument_error.value.args[0]
+                == "Role Session Name must be 2-64 characters long and consist only of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-"
+            )
+
+    def test_validate_role_session_name_valid_role_names(self):
+        valid_role_names = ["prowler-role" "test@" "test=test+test,."]
+        for role_name in valid_role_names:
+            assert validate_role_session_name(role_name) == role_name
--- a/tests/providers/aws/aws_provider_test.py
+++ b/tests/providers/aws/aws_provider_test.py
@@ -32,7 +32,7 @@ class Test_AWS_Provider:
    @mock_iam
    @mock_sts
    def test_aws_provider_user_without_mfa(self):
-        # sessionName = "ProwlerAsessmentSession"
+        # sessionName = "ProwlerAssessmentSession"
        # Boto 3 client to create our user
        iam_client = boto3.client("iam", region_name=AWS_REGION_US_EAST_1)
        # IAM user
@@ -56,6 +56,7 @@ class Test_AWS_Provider:
                session_duration=None,
                external_id=None,
                mfa_enabled=False,
+                role_session_name="ProwlerAssessmentSession",
            ),
            original_session=session,
        )
@@ -75,6 +76,7 @@ class Test_AWS_Provider:
                session_duration=None,
                external_id=None,
                mfa_enabled=False,
+                role_session_name="ProwlerAssessmentSession",
            )

    @mock_iam
@@ -103,6 +105,7 @@ class Test_AWS_Provider:
                session_duration=None,
                external_id=None,
                mfa_enabled=False,
+                role_session_name="ProwlerAssessmentSession",
            ),
            original_session=session,
            profile_region=AWS_REGION_US_EAST_1,
@@ -123,6 +126,7 @@ class Test_AWS_Provider:
                session_duration=None,
                external_id=None,
                mfa_enabled=False,
+                role_session_name="ProwlerAssessmentSession",
            )

    @mock_iam
@@ -132,7 +136,7 @@ class Test_AWS_Provider:
        role_name = "test-role"
        role_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:role/{role_name}"
        session_duration_seconds = 900
-        sessionName = "ProwlerAsessmentSession"
+        sessionName = "ProwlerAssessmentSession"

        # Boto 3 client to create our user
        iam_client = boto3.client("iam", region_name=AWS_REGION_US_EAST_1)
@@ -157,6 +161,7 @@ class Test_AWS_Provider:
                session_duration=session_duration_seconds,
                external_id=None,
                mfa_enabled=True,
+                role_session_name="ProwlerAssessmentSession",
            ),
            original_session=session,
            profile_region=AWS_REGION_US_EAST_1,
@@ -210,7 +215,7 @@ class Test_AWS_Provider:
        role_name = "test-role"
        role_arn = f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:role/{role_name}"
        session_duration_seconds = 900
-        sessionName = "ProwlerAsessmentSession"
+        sessionName = "ProwlerAssessmentSession"

        # Boto 3 client to create our user
        iam_client = boto3.client("iam", region_name=AWS_REGION_US_EAST_1)
@@ -235,6 +240,7 @@ class Test_AWS_Provider:
                session_duration=session_duration_seconds,
                external_id=None,
                mfa_enabled=False,
+                role_session_name="ProwlerAssessmentSession",
            ),
            original_session=session,
            profile_region=AWS_REGION_US_EAST_1,
@@ -282,7 +288,7 @@ class Test_AWS_Provider:
        session_duration_seconds = 900
        AWS_REGION_US_EAST_1 = AWS_REGION_EU_WEST_1
        sts_endpoint_region = AWS_REGION_US_EAST_1
-        sessionName = "ProwlerAsessmentSession"
+        sessionName = "ProwlerAssessmentSession"

        # Boto 3 client to create our user
        iam_client = boto3.client("iam", region_name=AWS_REGION_US_EAST_1)
@@ -307,6 +313,7 @@ class Test_AWS_Provider:
                session_duration=session_duration_seconds,
                external_id=None,
                mfa_enabled=False,
+                role_session_name="ProwlerAssessmentSession",
            ),
            original_session=session,
            profile_region=AWS_REGION_US_EAST_1,
--- a/tests/providers/common/audit_info_test.py
+++ b/tests/providers/common/audit_info_test.py
@@ -116,6 +116,7 @@ class Test_Set_Audit_Info:
                session_duration=None,
                external_id=None,
                mfa_enabled=None,
+                role_session_name="ProwlerAssessmentSession",
            ),
            audited_regions=["eu-west-2", "eu-west-1"],
            organizations_metadata=None,