
Role session name might be too long #9156

Open
avishayil opened this issue Jun 29, 2021 · 2 comments
Labels
bug Something isn't working

Comments

@avishayil
Contributor

Describe the bug
I encountered some cases where the ConsoleMe user is long, and because of that the session name exceeds the 64 character limit, since it relies on the user name.

To Reproduce
Steps to reproduce the behavior:

  1. Create a long username (i.e. [email protected])
  2. Try to create a new role using that username
  3. An error will be encountered:
    Exception occurred cloning role: An error occurred (ValidationError) when calling the AssumeRole operation: 1 validation error detected: Value 'create_role_consoleme_admin@verylongsubdomainname.verylongdomainname.com' at 'roleSessionName' failed to satisfy constraint: Member must have length less than or equal to 64
    

From the aws.py lib:

    iam_client = await sync_to_async(boto3_cached_conn)(
        "iam",
        service_type="client",
        account_number=create_model.account_id,
        region=config.region,
        assume_role=config.get("policies.role_name"),
        session_name="create_role_" + username,
        retry_max_attempts=2,
    )

Expected behavior
A role will be created successfully as expected.

I suggest finding another mechanism, such as extracting the username from the domain, to decrease the chances of encountering such an error.

@patricksanders
Collaborator

Thanks for the report! This is an interesting scenario.

It looks like the issue is unrelated to the particular action (creating a role), but rather a problem with long user IDs for any AWS action that needs to be attributed to a particular user. Extracting the username from the email address isn't quite the right solution, since that can cause collisions or ambiguities in multi-domain environments. I wonder if we could make this configurable.
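As an added illustration of the constraint under discussion (this is example code written for this page, not ConsoleMe's code or the code from the linked PR): AWS STS rejects a `RoleSessionName` longer than 64 characters or containing characters outside `[\w+=,.@-]`. The helper below keeps the full `prefix + username` whenever it fits, and otherwise truncates the username and appends a short SHA-256 digest of the full username, so that two long user IDs that share a common domain still map to distinct, attributable session names instead of colliding. The function names `build_session_name` and `is_valid_session_name`, the `digest_len` parameter and the sample usernames are assumptions made for this example.

```python
import hashlib
import re

# Constraints AWS STS enforces on AssumeRole's RoleSessionName:
# length between 2 and 64, characters limited to [\w+=,.@-].
MIN_SESSION_NAME_LEN = 2
MAX_SESSION_NAME_LEN = 64
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]*$", re.ASCII)


def is_valid_session_name(name: str) -> bool:
    """Return True if name would pass the STS RoleSessionName validation."""
    return (
        MIN_SESSION_NAME_LEN <= len(name) <= MAX_SESSION_NAME_LEN
        and SESSION_NAME_RE.match(name) is not None
    )


def build_session_name(prefix: str, username: str, digest_len: int = 8) -> str:
    """Build a RoleSessionName that fits the STS limit but stays attributable.

    If prefix + username already fits, it is returned unchanged so CloudTrail
    records the complete identity. Otherwise the username is truncated and a
    short hex digest of the *full* username is appended, so users who share a
    long common suffix (e.g. the same subdomain) still get distinct names.
    The default digest length of 8 hex chars is an assumption for this example.
    """
    # Replace anything STS would reject; email-style names are already allowed.
    safe_user = re.sub(r"[^\w+=,.@-]", "_", username, flags=re.ASCII)
    candidate = f"{prefix}{safe_user}"
    if len(candidate) <= MAX_SESSION_NAME_LEN:
        return candidate

    # Digest the original (untruncated) username so the suffix is stable
    # per user and differs between users whose truncated parts are equal.
    digest = hashlib.sha256(username.encode("utf-8")).hexdigest()[:digest_len]

    # Budget: len(prefix) + kept chars + "-" + digest_len must equal 64.
    keep = MAX_SESSION_NAME_LEN - len(prefix) - 1 - digest_len
    if keep < 1:
        raise ValueError("prefix too long to leave room for a user identifier")
    return f"{prefix}{safe_user[:keep]}-{digest}"


if __name__ == "__main__":
    # Constructed sample: the username from the error message in this issue.
    long_user = "consoleme_admin@verylongsubdomainname.verylongdomainname.com"
    naive = "create_role_" + long_user
    print(len(naive), is_valid_session_name(naive))  # 72 chars, rejected by STS
    fixed = build_session_name("create_role_", long_user)
    print(len(fixed), is_valid_session_name(fixed), fixed)
```

Because the digest is derived from the full username, the mapping from user to session name is deterministic, which keeps CloudTrail searches for a given user stable across sessions; only the truncated, over-limit names carry the suffix, so short usernames keep their current, fully readable session names.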

@castrapel
Contributor

PR submitted to address this: #9254
