From 6979c3ae332e4a2243d953ea77c06ef46ae8af28 Mon Sep 17 00:00:00 2001
From: Jason Hernandez <7144515+jasonhernandez@users.noreply.github.com>
Date: Wed, 20 May 2026 09:44:03 -0700
Subject: [PATCH] ci(scratch-aws-access): tag AssumeRole sessions with --source-identity
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The plugin currently calls AssumeRole with a fixed role-session-name `ci`, so CloudTrail can't attribute a session to a specific job — every CI run's session looks identical. Adding `--source-identity "$BUILDKITE_JOB_ID"` makes each session uniquely traceable in CloudTrail and lets us write role-trust conditions on `sts:RoleSessionName` / `sts:SourceIdentity` later.
Coordination: requires the `mz-scratch-ci-role` trust policy in i2 to allow `sts:SetSourceIdentity` action. Without that, `aws sts assume-role --source-identity ...` fails with AccessDenied. The i2 PR adding that allowance must land first.
Tracking: i2 SEC-573 / SEC-566 audit.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 ci/plugins/scratch-aws-access/hooks/pre-command | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/ci/plugins/scratch-aws-access/hooks/pre-command b/ci/plugins/scratch-aws-access/hooks/pre-command
index e57579c370e99..86ffa597bcb5f 100644
--- a/ci/plugins/scratch-aws-access/hooks/pre-command
+++ b/ci/plugins/scratch-aws-access/hooks/pre-command
@@ -15,7 +15,13 @@ set -euo pipefail
 ci_unimportant_heading "Assuming scratch AWS role"
-creds=$(aws sts assume-role --role-arn "$AWS_SCRATCH_ROLE_ARN" --duration-seconds 43200 --role-session-name ci)
+# Tag the session with the Buildkite job ID so CloudTrail attributes the
+# session to a specific build step. Falls back to a stable "unknown" so
+# the call still succeeds outside Buildkite (local dev). AWS source-identity
+# regex: [a-zA-Z0-9+=,.@_/-]+, max 64 chars; BUILDKITE_JOB_ID is a UUID.
+source_identity="${BUILDKITE_JOB_ID:-unknown}"
+
+creds=$(aws sts assume-role --role-arn "$AWS_SCRATCH_ROLE_ARN" --duration-seconds 43200 --role-session-name ci --source-identity "$source_identity")
 AWS_ACCESS_KEY_ID=$(jq -r '.Credentials.AccessKeyId' <<< "$creds")
 AWS_SECRET_ACCESS_KEY=$(jq -r '.Credentials.SecretAccessKey' <<< "$creds")
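Review bot: The `unknown` fallback on the `source_identity=` line weakens the attribution this change is meant to provide — any session started where `BUILDKITE_JOB_ID` is unset (a misconfigured agent as much as a laptop) gets the same identity, and once a trust-policy condition on `sts:SourceIdentity` exists, `unknown` becomes a shared value rather than a per-job one. Consider requiring the variable when running under Buildkite and reserving the fallback for local use, e.g. `if [[ -n "${BUILDKITE:-}" ]]; then : "${BUILDKITE_JOB_ID:?must be set under Buildkite}"; fi` followed by `source_identity="${BUILDKITE_JOB_ID:-local-${USER:-unknown}}"`. The new comment also states the allowed character set and length but nothing enforces them; a guard such as `[[ "$source_identity" =~ ^[a-zA-Z0-9+=,.@_-]{1,64}$ ]] || { echo "invalid source identity" >&2; exit 1; }` before the assume-role call turns a late STS validation failure into a clear local one, and as far as I recall AWS documents the SourceIdentity set as `[\w+=,.@-]` without `/`, so the regex in the comment is worth re-checking against the docs. The hunk's trailing context may continue past the lines shown here.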