CLDSRV-896: Emit IAM ARN in access log Requester field for IAM users

When an IAM user makes a request, the Requester field in the bucket
server access log was emitted as userName:accountName. AWS emits an
ARN of the form arn:aws:iam::<accountId>:user/<userName>. Use the
IAM ARN that Vault already provides via authInfo to match the AWS S3
server access log format.

(cherry picked from commit fc18430)

Author: dvasilas

lib/utilities/serverAccessLogger.js

@@ -331,10 +331,10 @@ function getRequester(authInfo) {
         } else if (arn && assumedRoleArnRegex.test(arn)) {
             return arn;
         } else if (authInfo.isRequesterAnIAMUser && authInfo.isRequesterAnIAMUser()) {
-            // IAM user: include IAM user name and account
-            const iamUserName = authInfo.getIAMdisplayName ? authInfo.getIAMdisplayName() : '';
-            const accountName = authInfo.getAccountDisplayName ? authInfo.getAccountDisplayName() : '';
-            return iamUserName && accountName ? `${iamUserName}:${accountName}` : authInfo.getCanonicalID();
+            // IAM user: emit the IAM ARN (arn:aws:iam::<accountId>:user/<userName>)
+            // to match the AWS S3 server access log format. Fall back to the
+            // canonical ID if the ARN is unexpectedly absent.
+            return arn || authInfo.getCanonicalID();
         } else if (authInfo.getCanonicalID) {
             // Regular user: canonical user ID
             return authInfo.getCanonicalID();

tests/unit/utils/serverAccessLogger.js

@@ -269,24 +269,23 @@ describe('serverAccessLogger utility functions', () => {
             assert.strictEqual(result, null);
         });
 
-        it('should return IAM user name with account for IAM user', () => {
+        it('should return IAM ARN for IAM user', () => {
+            const arn = 'arn:aws:iam::123456789012:user/myuser';
             const authInfo = {
                 isRequesterPublicUser: () => false,
                 isRequesterAnIAMUser: () => true,
-                getIAMdisplayName: () => 'iamUser',
-                getAccountDisplayName: () => 'accountName',
+                getArn: () => arn,
                 getCanonicalID: () => 'canonicalID123',
             };
             const result = getRequester(authInfo);
-            assert.strictEqual(result, 'iamUser:accountName');
+            assert.strictEqual(result, arn);
         });
 
-        it('should return canonical ID for IAM user if display names are missing', () => {
+        it('should fall back to canonical ID for IAM user when ARN is missing', () => {
             const authInfo = {
                 isRequesterPublicUser: () => false,
                 isRequesterAnIAMUser: () => true,
-                getIAMdisplayName: () => '',
-                getAccountDisplayName: () => 'accountName',
+                getArn: () => undefined,
                 getCanonicalID: () => 'canonicalID123',
             };
             const result = getRequester(authInfo);
@@ -305,19 +304,6 @@ describe('serverAccessLogger utility functions', () => {
             assert.strictEqual(result, arn);
         });
 
-        it('should fall through to IAM user path for non-assumed-role ARN', () => {
-            const authInfo = {
-                isRequesterPublicUser: () => false,
-                isRequesterAnIAMUser: () => true,
-                getArn: () => 'arn:aws:iam::123456789012:user/myuser',
-                getIAMdisplayName: () => 'myuser',
-                getAccountDisplayName: () => 'myaccount',
-                getCanonicalID: () => 'canonicalID789',
-            };
-            const result = getRequester(authInfo);
-            assert.strictEqual(result, 'myuser:myaccount');
-        });
-
         it('should return canonical ID for regular user', () => {
             const authInfo = {
                 isRequesterPublicUser: () => false,