
fix(credential_provider): Increase RoleSessionName truncation limit to preserve full UUIDs #205

Open
seeinyou wants to merge 1 commit into aws-solutions-library-samples:main from seeinyou:fix/session-name-uuid-truncation

Conversation


@seeinyou seeinyou commented Apr 3, 2026

Summary

  • Increase RoleSessionName identifier truncation from 32 to 52 characters for both sub and email paths
  • Fixes UUID-based IdP user IDs being cut off in CloudTrail/CloudWatch identity fields
  • The 52-char limit (+ 12-char prefix = 64) matches the AWS RoleSessionName maximum

Test plan

  • Verify with a UUID-format sub claim (36 chars) that the full ID appears in the session name
  • Verify with a long email prefix (>32 chars) that truncation still works correctly
  • Confirm total RoleSessionName length does not exceed 64 characters

Closes #204

…o preserve full UUIDs

The sub claim was truncated to 32 characters, cutting off the last 4 characters
of standard UUIDs (36 chars). This made it impossible to correlate CloudTrail
and CloudWatch log entries back to specific IdP users.

Increase the limit from 32 to 52 characters (64-char AWS limit minus 12-char
"claude-code-" prefix) for both the sub and email fallback paths.

Closes aws-solutions-library-samples#204
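The arithmetic in the description and commit message above (12-character "claude-code-" prefix, identifier cut to 52, 64-character AWS maximum) is easy to get subtly wrong, and the reviewer below asks for tests on exactly these limits. The following is an added example written for this page, not code from the PR or the project's credential_provider. It assumes the `sub`-then-`email` fallback order the PR text implies and the prefix it names; the sanitisation of characters AWS rejects is a hypothetical hardening step not described in the PR, and the sample claims are constructed. The AWS constraints it checks against are the documented RoleSessionName rules: 2 to 64 characters from `[\w+=,.@-]`.

```python
import re

# AWS limits on the RoleSessionName passed to sts:AssumeRole: 2 to 64 characters
# drawn from [\w+=,.@-]. re.ASCII keeps \w to ASCII letters/digits/underscore,
# matching the AWS definition rather than Python's Unicode default.
ROLE_SESSION_NAME_MAX = 64
ROLE_SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$", re.ASCII)

PREFIX = "claude-code-"                                      # 12 characters, per the PR
OLD_IDENTIFIER_LIMIT = 32                                    # limit before the fix
NEW_IDENTIFIER_LIMIT = ROLE_SESSION_NAME_MAX - len(PREFIX)   # 64 - 12 = 52

# Constructed sample claims (not real users): a 36-character UUID 'sub' and a
# 57-character email that still needs truncation under the new limit.
UUID_SUB = "123e4567-e89b-12d3-a456-426614174000"
LONG_EMAIL = "a" * 45 + "@example.com"


def select_identifier(claims: dict) -> str:
    """Prefer the IdP 'sub' claim and fall back to 'email' (order assumed from the PR text)."""
    identifier = claims.get("sub") or claims.get("email")
    if not identifier:
        raise ValueError("token carries neither a 'sub' nor an 'email' claim")
    return identifier


def sanitize(identifier: str) -> str:
    """Hypothetical hardening not described in the PR: replace any character AWS
    rejects in a RoleSessionName with '-' so AssumeRole does not fail on odd IdP IDs."""
    return re.sub(r"[^\w+=,.@-]", "-", identifier, flags=re.ASCII)


def build_role_session_name(claims: dict, limit: int = NEW_IDENTIFIER_LIMIT) -> str:
    """Prefix + identifier truncated to `limit`, validated against the AWS constraints."""
    name = PREFIX + sanitize(select_identifier(claims))[:limit]
    if not ROLE_SESSION_NAME_RE.fullmatch(name):
        raise ValueError(f"RoleSessionName {name!r} violates AWS constraints")
    return name


def identifier_preserved(claims: dict, limit: int) -> bool:
    """True when the session name still carries the whole (sanitized) identifier,
    so the assumed-role ARN CloudTrail records maps back to exactly one IdP user."""
    name = build_role_session_name(claims, limit)
    return name[len(PREFIX):] == sanitize(select_identifier(claims))


if __name__ == "__main__":
    # Under the old 32-character limit the UUID loses its last four characters;
    # under the new 52-character limit it survives intact and the long email
    # lands on exactly 64 characters.
    for claims in ({"sub": UUID_SUB}, {"email": LONG_EMAIL}):
        for limit in (OLD_IDENTIFIER_LIMIT, NEW_IDENTIFIER_LIMIT):
            name = build_role_session_name(claims, limit)
            print(f"limit={limit:2d} len={len(name):2d} "
                  f"preserved={identifier_preserved(claims, limit)!s:5} {name}")
```

`identifier_preserved` is the property the bug report is really about: with the old limit two UUIDs that share their first 32 characters produce the same session name, so a CloudTrail entry can no longer be attributed to one user. Note that the 52-character limit only guarantees preservation for UUID-length subs; a long email still truncates, as the test plan expects.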
@scouturier
Contributor

LGTM

@dineshSajwan dineshSajwan (Contributor) left a comment


Thank you for the fix. It looks all good to me. I think we should add test coverage for these new limits.

  1. test case for RoleSessionName length
  2. test case for IdP sub claim length


Development

Successfully merging this pull request may close these issues.

[Bug] External IdP user ID truncated in CloudTrail/CloudWatch identity field due to 32-char session name limit

3 participants