Merge remote-tracking branch 'origin/bugfix/CLDSRV-896-access-log-requester-arn-format' into w/9.3/bugfix/CLDSRV-896-access-log-requester-arn-format

dvasilas · dvasilas · commit 33e323f10d36 · 2026-04-17T16:35:58.000+03:00
# Conflicts:
#	package.json
diff --git a/lib/utilities/serverAccessLogger.js b/lib/utilities/serverAccessLogger.js
@@ -335,10 +335,10 @@ function getRequester(authInfo) {
         } else if (arn && assumedRoleArnRegex.test(arn)) {
             return arn;
         } else if (authInfo.isRequesterAnIAMUser && authInfo.isRequesterAnIAMUser()) {
-            // IAM user: include IAM user name and account
-            const iamUserName = authInfo.getIAMdisplayName ? authInfo.getIAMdisplayName() : '';
-            const accountName = authInfo.getAccountDisplayName ? authInfo.getAccountDisplayName() : '';
-            return iamUserName && accountName ? `${iamUserName}:${accountName}` : authInfo.getCanonicalID();
+            // IAM user: emit the IAM ARN (arn:aws:iam::<accountId>:user/<userName>)
+            // to match the AWS S3 server access log format. Fall back to the
+            // canonical ID if the ARN is unexpectedly absent.
+            return arn || authInfo.getCanonicalID();
         } else if (authInfo.getCanonicalID) {
             // Regular user: canonical user ID
             return authInfo.getCanonicalID();
diff --git a/tests/unit/utils/serverAccessLogger.js b/tests/unit/utils/serverAccessLogger.js
@@ -287,24 +287,23 @@ describe('serverAccessLogger utility functions', () => {
             assert.strictEqual(result, null);
         });
 
-        it('should return IAM user name with account for IAM user', () => {
+        it('should return IAM ARN for IAM user', () => {
+            const arn = 'arn:aws:iam::123456789012:user/myuser';
             const authInfo = {
                 isRequesterPublicUser: () => false,
                 isRequesterAnIAMUser: () => true,
-                getIAMdisplayName: () => 'iamUser',
-                getAccountDisplayName: () => 'accountName',
+                getArn: () => arn,
                 getCanonicalID: () => 'canonicalID123',
             };
             const result = getRequester(authInfo);
-            assert.strictEqual(result, 'iamUser:accountName');
+            assert.strictEqual(result, arn);
         });
 
-        it('should return canonical ID for IAM user if display names are missing', () => {
+        it('should fall back to canonical ID for IAM user when ARN is missing', () => {
             const authInfo = {
                 isRequesterPublicUser: () => false,
                 isRequesterAnIAMUser: () => true,
-                getIAMdisplayName: () => '',
-                getAccountDisplayName: () => 'accountName',
+                getArn: () => undefined,
                 getCanonicalID: () => 'canonicalID123',
             };
             const result = getRequester(authInfo);
@@ -323,19 +322,6 @@ describe('serverAccessLogger utility functions', () => {
             assert.strictEqual(result, arn);
         });
 
-        it('should fall through to IAM user path for non-assumed-role ARN', () => {
-            const authInfo = {
-                isRequesterPublicUser: () => false,
-                isRequesterAnIAMUser: () => true,
-                getArn: () => 'arn:aws:iam::123456789012:user/myuser',
-                getIAMdisplayName: () => 'myuser',
-                getAccountDisplayName: () => 'myaccount',
-                getCanonicalID: () => 'canonicalID789',
-            };
-            const result = getRequester(authInfo);
-            assert.strictEqual(result, 'myuser:myaccount');
-        });
-
         it('should return canonical ID for regular user', () => {
             const authInfo = {
                 isRequesterPublicUser: () => false,
