Merge branch 'w/9.3/improvement/CLDSRV-893-return-arn-for-assumed-role-in-access-logs' into tmp/octopus/w/9.4/improvement/CLDSRV-893-return-arn-for-assumed-role-in-access-logs

bert-e · bert-e · commit c59fbb5ad453 · 2026-04-17T11:29:48.000Z
diff --git a/lib/utilities/serverAccessLogger.js b/lib/utilities/serverAccessLogger.js
@@ -324,11 +324,16 @@ function getOperation(req) {
     return `REST.${req.method}.${resourceType}`;
 }
 
+const assumedRoleArnRegex = /^arn:aws:sts::[0-9]{12}:assumed-role\/\S+$/;
+
 function getRequester(authInfo) {
     const requester = null;
     if (authInfo) {
+        const arn = authInfo.getArn ? authInfo.getArn() : null;
         if (authInfo.isRequesterPublicUser && authInfo.isRequesterPublicUser()) {
             return requester; // Unauthenticated requests
+        } else if (arn && assumedRoleArnRegex.test(arn)) {
+            return arn;
         } else if (authInfo.isRequesterAnIAMUser && authInfo.isRequesterAnIAMUser()) {
             // IAM user: include IAM user name and account
             const iamUserName = authInfo.getIAMdisplayName ? authInfo.getIAMdisplayName() : '';
diff --git a/tests/unit/utils/serverAccessLogger.js b/tests/unit/utils/serverAccessLogger.js
@@ -311,6 +311,31 @@ describe('serverAccessLogger utility functions', () => {
             assert.strictEqual(result, 'canonicalID123');
         });
 
+        it('should return ARN for assumed-role session user', () => {
+            const arn = 'arn:aws:sts::123456789012:assumed-role/lifecycle-role/backbeat-lifecycle';
+            const authInfo = {
+                isRequesterPublicUser: () => false,
+                isRequesterAnIAMUser: () => false,
+                getArn: () => arn,
+                getCanonicalID: () => 'canonicalID789',
+            };
+            const result = getRequester(authInfo);
+            assert.strictEqual(result, arn);
+        });
+
+        it('should fall through to IAM user path for non-assumed-role ARN', () => {
+            const authInfo = {
+                isRequesterPublicUser: () => false,
+                isRequesterAnIAMUser: () => true,
+                getArn: () => 'arn:aws:iam::123456789012:user/myuser',
+                getIAMdisplayName: () => 'myuser',
+                getAccountDisplayName: () => 'myaccount',
+                getCanonicalID: () => 'canonicalID789',
+            };
+            const result = getRequester(authInfo);
+            assert.strictEqual(result, 'myuser:myaccount');
+        });
+
         it('should return canonical ID for regular user', () => {
             const authInfo = {
                 isRequesterPublicUser: () => false,
