CLDSRV-893: Return ARN for assumed-role requesters in access logs

dvasilas · dvasilas · commit 6ac839203a9e · 2026-04-20T14:34:05.000+03:00
The getRequester() function fell through to the canonical ID for assumed-role sessions, producing a space-containing string that broke space-delimited log parsers. (cherry picked from commit 46a99ae)
diff --git a/lib/utilities/serverAccessLogger.js b/lib/utilities/serverAccessLogger.js
@@ -320,11 +320,16 @@ function getOperation(req) {
     return `REST.${req.method}.${resourceType}`;
 }
 
+const assumedRoleArnRegex = /^arn:aws:sts::[0-9]{12}:assumed-role\/\S+$/;
+
 function getRequester(authInfo) {
     const requester = null;
     if (authInfo) {
+        const arn = authInfo.getArn ? authInfo.getArn() : null;
         if (authInfo.isRequesterPublicUser && authInfo.isRequesterPublicUser()) {
             return requester; // Unauthenticated requests
+        } else if (arn && assumedRoleArnRegex.test(arn)) {
+            return arn;
         } else if (authInfo.isRequesterAnIAMUser && authInfo.isRequesterAnIAMUser()) {
             // IAM user: include IAM user name and account
             const iamUserName = authInfo.getIAMdisplayName ? authInfo.getIAMdisplayName() : '';
diff --git a/tests/unit/utils/serverAccessLogger.js b/tests/unit/utils/serverAccessLogger.js
@@ -293,6 +293,31 @@ describe('serverAccessLogger utility functions', () => {
             assert.strictEqual(result, 'canonicalID123');
         });
 
+        it('should return ARN for assumed-role session user', () => {
+            const arn = 'arn:aws:sts::123456789012:assumed-role/lifecycle-role/backbeat-lifecycle';
+            const authInfo = {
+                isRequesterPublicUser: () => false,
+                isRequesterAnIAMUser: () => false,
+                getArn: () => arn,
+                getCanonicalID: () => 'canonicalID789',
+            };
+            const result = getRequester(authInfo);
+            assert.strictEqual(result, arn);
+        });
+
+        it('should fall through to IAM user path for non-assumed-role ARN', () => {
+            const authInfo = {
+                isRequesterPublicUser: () => false,
+                isRequesterAnIAMUser: () => true,
+                getArn: () => 'arn:aws:iam::123456789012:user/myuser',
+                getIAMdisplayName: () => 'myuser',
+                getAccountDisplayName: () => 'myaccount',
+                getCanonicalID: () => 'canonicalID789',
+            };
+            const result = getRequester(authInfo);
+            assert.strictEqual(result, 'myuser:myaccount');
+        });
+
         it('should return canonical ID for regular user', () => {
             const authInfo = {
                 isRequesterPublicUser: () => false,
