I am trying to store metadata into an STS "assume role" session so that I can retrieve it when the session user calls my service.
To accomplish this, I am setting a tag during the STS assumeRole creation:
```java
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.Tag;
import com.google.common.collect.ImmutableList;

AWSSecurityTokenService service = ...
AssumeRoleRequest request = new AssumeRoleRequest();
// session tag attached to the temporary credentials returned by AssumeRole
request.setTags(ImmutableList.of(new Tag().withKey("metadataKey").withValue("metadataValue")));
...
service.assumeRole(request);
```
In my backend service, I receive the username and ARN of the caller, which correspond to the temporary session. However, I am not able to look up the details of the IAM user (which would contain the tags).
```java
import com.amazonaws.services.identitymanagement.AmazonIdentityManagement;
import com.amazonaws.services.identitymanagement.model.GetUserRequest;

AmazonIdentityManagement iamClient = ...
GetUserRequest request = new GetUserRequest();
request.setUserName(...); // the SDK method is setUserName, not setUsername
// this next line fails because the temporary user has a colon in the username
iamClient.getUser(request);
```
How would I retrieve the Tags of a temporary 'Assume Role user'?
This question is based on a misunderstanding of what Tags are used for. Tags are used to further ALLOW / DENY access to resources. They are not used as a canvas for storing metadata. This is supported by the AWS documentation:
Temporary session users cannot be looked up from an IAM ARN as there is no persistent data stored by AWS.
However, there is a workaround where you can store limited metadata using the "session name" field. AWS uses the session name in the ARN, so values can actually be stored as long as they are not sensitive information.
During the role creation:
Finally, the user ARN is in this format and can be read by another service
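As an added example (not code from the question or the answer), the round trip the workaround relies on: pack a small key/value map into the RoleSessionName, then pull it back out of the assumed-role ARN the backend sees. The class, method and sample names are assumed; the character set and 2-64 length limit are the RoleSessionName constraints AWS documents. Since the caller chooses the session name, the backend should only act on it when the role's trust policy pins it with the sts:RoleSessionName condition key.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
// Encodes metadata into an STS RoleSessionName and reads it back from the assumed-role
// ARN. ',' and '=' are legal session-name characters, so they serve as separators.
public final class SessionNameMetadata {
    private static final Pattern SESSION_NAME = Pattern.compile("[\\w+=,.@-]{2,64}");
    // arn:aws:sts::<account-id>:assumed-role/<RoleName>/<SessionName>
    private static final Pattern ASSUMED_ROLE_ARN =
        Pattern.compile("^arn:aws[a-zA-Z-]*:sts::(\\d{12}):assumed-role/([^/]+)/(.+)$");
    // Builds "k1=v1,k2=v2" and rejects anything that would not be a valid session name.
    public static String encode(Map<String, String> metadata) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : metadata.entrySet()) {
            if (sb.length() > 0) sb.append(',');
            sb.append(e.getKey()).append('=').append(e.getValue());
        }
        String name = sb.toString();
        if (!SESSION_NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("not a valid RoleSessionName: " + name);
        }
        return name;
    }
    // Session name from an assumed-role ARN, or null if the ARN is not one.
    public static String sessionNameFromArn(String arn) {
        Matcher m = ASSUMED_ROLE_ARN.matcher(arn);
        return m.matches() ? m.group(3) : null;
    }
    // Parses "k1=v1,k2=v2" back into a map; malformed pairs are skipped.
    public static Map<String, String> decode(String sessionName) {
        Map<String, String> out = new LinkedHashMap<>();
        if (sessionName == null) return out;
        for (String pair : sessionName.split(",")) {
            int eq = pair.indexOf('=');
            if (eq > 0 && eq < pair.length() - 1) out.put(pair.substring(0, eq), pair.substring(eq + 1));
        }
        return out;
    }
    public static void main(String[] args) {
        Map<String, String> meta = new LinkedHashMap<>();
        meta.put("tenant", "acme");
        meta.put("env", "prod");
        // Constructed caller ARN of the kind the backend receives; the account id is a placeholder.
        String callerArn = "arn:aws:sts::123456789012:assumed-role/MyServiceRole/" + encode(meta);
        System.out.println(decode(sessionNameFromArn(callerArn)));
    }
}
```

Keys and values must not themselves contain ',' or '=', and the whole name has to fit in 64 characters, so this only holds a few short, non-sensitive fields.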