From c3a2d8e0fcfceda823b8070832f3d1d8c7882c05 Mon Sep 17 00:00:00 2001
From: Momo Kornher <kornherm@amazon.co.uk>
Date: Wed, 26 Feb 2025 21:49:22 +0000
Subject: [PATCH] chore(toolkit-lib): role duration and session tags don't work

---
 .github/workflows/release.yml           | 15 ++++++---------
 projenrc/adc-publishing.ts              |  3 +--
 projenrc/record-publishing-timestamp.ts |  4 +---
 projenrc/s3-docs-publishing.ts          |  8 ++++----
 4 files changed, 12 insertions(+), 18 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index dd45848a..fc2f6632 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1002,9 +1002,8 @@ jobs:
         uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-region: us-east-1
-          role-duration-seconds: 14400
           role-to-assume: ${{ vars.AWS_ROLE_TO_ASSUME_FOR_ACCOUNT }}
-          role-session-name: releasing@aws-cdk-cli
+          role-session-name: standalone-release@aws-cdk-cli
           output-credentials: true
           mask-aws-account-id: true
       - name: Publish artifacts
@@ -1034,10 +1033,8 @@ jobs:
         uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-region: us-east-1
-          role-duration-seconds: 14400
           role-to-assume: ${{ vars.AWS_ROLE_TO_ASSUME_FOR_ACCOUNT }}
-          role-session-name: releasing@aws-cdk-cli
-          output-credentials: true
+          role-session-name: publish-timestamps@aws-cdk-cli
           mask-aws-account-id: true
       - name: Publish artifacts
         run: |-
@@ -1062,17 +1059,17 @@ jobs:
         uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-region: us-east-1
-          role-duration-seconds: 14400
           role-to-assume: ${{ vars.AWS_ROLE_TO_ASSUME_FOR_ACCOUNT }}
-          role-session-name: releasing@aws-cdk-cli
+          role-session-name: s3-docs-publishing@aws-cdk-cli
+          mask-aws-account-id: true
       - name: Assume the publishing role
         id: publishing-creds
         uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-region: us-east-1
-          role-duration-seconds: 14400
           role-to-assume: ${{ vars.PUBLISH_TOOLKIT_LIB_DOCS_ROLE_ARN }}
-          role-session-name: s3publishing@aws-cdk-cli
+          role-session-name: s3-docs-publishing@aws-cdk-cli
+          mask-aws-account-id: true
           role-chaining: true
       - name: Publish docs
         env:
diff --git a/projenrc/adc-publishing.ts b/projenrc/adc-publishing.ts
index 3b8de404..8b6b889b 100644
--- a/projenrc/adc-publishing.ts
+++ b/projenrc/adc-publishing.ts
@@ -58,9 +58,8 @@ export class AdcPublishing extends Component {
           uses: 'aws-actions/configure-aws-credentials@v4',
           with: {
             'aws-region': 'us-east-1',
-            'role-duration-seconds': 14400,
             'role-to-assume': '${{ vars.AWS_ROLE_TO_ASSUME_FOR_ACCOUNT }}',
-            'role-session-name': 'releasing@aws-cdk-cli',
+            'role-session-name': 'standalone-release@aws-cdk-cli',
             'output-credentials': true,
             'mask-aws-account-id': true,
           },
diff --git a/projenrc/record-publishing-timestamp.ts b/projenrc/record-publishing-timestamp.ts
index 3c92c103..2e365a70 100644
--- a/projenrc/record-publishing-timestamp.ts
+++ b/projenrc/record-publishing-timestamp.ts
@@ -47,10 +47,8 @@ export class RecordPublishingTimestamp extends Component {
           uses: 'aws-actions/configure-aws-credentials@v4',
           with: {
             'aws-region': 'us-east-1',
-            'role-duration-seconds': 14400,
             'role-to-assume': '${{ vars.AWS_ROLE_TO_ASSUME_FOR_ACCOUNT }}',
-            'role-session-name': 'releasing@aws-cdk-cli',
-            'output-credentials': true,
+            'role-session-name': 'publish-timestamps@aws-cdk-cli',
             'mask-aws-account-id': true,
           },
         },
diff --git a/projenrc/s3-docs-publishing.ts b/projenrc/s3-docs-publishing.ts
index d6755bbb..f8c23846 100644
--- a/projenrc/s3-docs-publishing.ts
+++ b/projenrc/s3-docs-publishing.ts
@@ -71,9 +71,9 @@ export class S3DocsPublishing extends Component {
           uses: 'aws-actions/configure-aws-credentials@v4',
           with: {
             'aws-region': 'us-east-1',
-            'role-duration-seconds': 14400,
             'role-to-assume': '${{ vars.AWS_ROLE_TO_ASSUME_FOR_ACCOUNT }}',
-            'role-session-name': 'releasing@aws-cdk-cli',
+            'role-session-name': 's3-docs-publishing@aws-cdk-cli',
+            'mask-aws-account-id': true,
           },
         },
         {
@@ -82,9 +82,9 @@ export class S3DocsPublishing extends Component {
           uses: 'aws-actions/configure-aws-credentials@v4',
           with: {
             'aws-region': 'us-east-1',
-            'role-duration-seconds': 14400,
             'role-to-assume': this.props.roleToAssume,
-            'role-session-name': 's3publishing@aws-cdk-cli',
+            'role-session-name': 's3-docs-publishing@aws-cdk-cli',
+            'mask-aws-account-id': true,
             'role-chaining': true,
           },
         },