
feat(aws): create config access logs for IAM assume role #1908

Merged
moshloop merged 3 commits into main from assume-role-cloudtrail
Feb 24, 2026

Conversation

@yashmehrotra yashmehrotra (Member) commented Feb 23, 2026

Fixes: #1845

Summary by CodeRabbit

  • New Features
    • CloudTrail scraper now converts AssumeRole events into access-log entries for better tracing of assumed roles.
    • CloudTrail event data now captures Role ARN to improve role attribution.
  • Refactor
    • Streamlined event lookup and processing for more efficient handling.
  • Tests
    • Added tests covering AssumeRole-to-access-log conversion scenarios.

@coderabbitai coderabbitai bot (Contributor) commented Feb 23, 2026

Caution: Review failed. The pull request is closed.

ℹ️ Recent review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3b1d55b and ba5d1ad.

📒 Files selected for processing (1)
  • scrapers/aws/cloudtrail.go

Walkthrough

Adds handling for AWS CloudTrail AssumeRole events: a new RequestParameters.RoleArn field, removal of default AssumeRole exclusion, a converter function that turns AssumeRole events into ExternalUser + ConfigAccessLog ScrapeResult, and corresponding tests.

Changes

Cohort / File(s): CloudTrail implementation (scrapers/aws/cloudtrail.go)
Summary: Added RoleArn to CloudTrailEvent.RequestParameters. Removed default exclusion of AssumeRole. Added logic to route AssumeRole events to a new cloudtrailAssumeRoleToAccessLog converter that emits ExternalUser and ConfigAccessLog ScrapeResult; simplified event lookup initialization.

Cohort / File(s): CloudTrail tests (scrapers/aws/cloudtrail_test.go)
Summary: Added TestCloudTrailAssumeRoleToAccessLog covering IAMUser and AssumedRole chains: asserts ExternalUser fields, deterministic user ID from ARN, and ConfigAccessLog properties including ExternalID, ConfigType, ExternalUserID, and CreatedAt. Added test imports (time, hash, pq).

Sequence Diagram(s)

sequenceDiagram
  participant CloudTrail as CloudTrail (event source)
  participant Scraper as CloudTrail Scraper
  participant Converter as cloudtrailAssumeRoleToAccessLog
  participant Emitter as ScrapeResult Emitter

  CloudTrail->>Scraper: delivers event (AssumeRole)
  Scraper->>Converter: parse event, extract roleArn & userIdentity
  Converter->>Converter: determine actor ARN, build ExternalUser & ConfigAccessLog
  Converter-->>Scraper: return ScrapeResult
  Scraper->>Emitter: emit ExternalUser + ConfigAccessLog

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage (⚠️ Warning): Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Description Check (✅ Passed): Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check (✅ Passed): The title accurately summarizes the main feature: creating config access logs for IAM assume role events, which aligns with the code changes adding AssumeRole handling.
  • Linked Issues check (✅ Passed): The PR implements the core requirement from #1845 by adding CloudTrail event handling for IAM role assumptions and generating config access logs with user and role information.
  • Out of Scope Changes check (✅ Passed): All code changes are directly related to implementing IAM assume role handling and access log creation, with no unrelated modifications present.


@yashmehrotra yashmehrotra marked this pull request as ready for review February 23, 2026 20:10
@coderabbitai coderabbitai bot (Contributor) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@scrapers/aws/cloudtrail.go`:
- Around line 287-307: The switch handling userType can set userARN to empty when AssumedRole lacks SessionContext.SessionIssuer; update the AssumedRole branch in the switch (where userName/userARN are assigned from ctEvent.UserIdentity.SessionContext.SessionIssuer) to first try SessionIssuer.Arn and if empty fall back to ctEvent.UserIdentity.Arn, and after the switch validate that userARN is non-empty before calling hash.DeterministicUUID (return an error if still empty) so DeterministicUUID never receives an empty alias; reference ctEvent.UserIdentity, SessionContext.SessionIssuer, the userARN variable, and the call to hash.DeterministicUUID/userID.

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1292dbf and 3b1d55b.

📒 Files selected for processing (2)
  • scrapers/aws/cloudtrail.go
  • scrapers/aws/cloudtrail_test.go
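
The walkthrough describes a converter that turns an AssumeRole event into an ExternalUser plus a ConfigAccessLog keyed by a deterministic ID derived from the actor's ARN, and the review comment asks that the AssumedRole branch fall back from SessionIssuer.Arn to UserIdentity.Arn and reject an empty ARN before hashing. The following is an added, stand-alone Go example of that logic, not the project's own code: the event struct is an assumed subset of the CloudTrail record, deterministicID is a SHA-256 stand-in for the project's hash.DeterministicUUID, and the sample record is constructed.

```go
package main
import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Subset of a CloudTrail record (assumed shape, not the project's type); keys follow CloudTrail's JSON.
type cloudTrailEvent struct {
	EventName    string `json:"eventName"`
	EventTime    string `json:"eventTime"`
	UserIdentity struct {
		Type           string `json:"type"`
		Arn            string `json:"arn"`
		SessionContext struct {
			SessionIssuer struct{ Arn string `json:"arn"` } `json:"sessionIssuer"`
		} `json:"sessionContext"`
	} `json:"userIdentity"`
	RequestParameters struct{ RoleArn string `json:"roleArn"` } `json:"requestParameters"`
}
// accessLog is the hypothetical output record: which principal assumed which role, and when.
type accessLog struct{ ActorARN, ActorID, RoleARN, EventTime string }
// Constructed sample record for an AssumedRole chain (illustrative values, not real telemetry).
const sampleAssumeRoleEvent = `{"eventName":"AssumeRole","eventTime":"2026-02-23T20:10:00Z","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/ci-role/session1","sessionContext":{"sessionIssuer":{"arn":"arn:aws:iam::123456789012:role/ci-role"}}},"requestParameters":{"roleArn":"arn:aws:iam::123456789012:role/deploy"}}`

// actorARN attributes the assumption: an AssumedRole chain prefers the issuing role's ARN, then falls back to the session ARN; an empty ARN is an error rather than a hashed "" alias.
func actorARN(ev cloudTrailEvent) (string, error) {
	arn := ev.UserIdentity.Arn
	if issuer := ev.UserIdentity.SessionContext.SessionIssuer.Arn; ev.UserIdentity.Type == "AssumedRole" && issuer != "" {
		arn = issuer
	}
	if arn == "" {
		return "", fmt.Errorf("cloudtrail: %s event has no actor ARN", ev.EventName)
	}
	return arn, nil
}
// deterministicID stands in for the project's hash.DeterministicUUID (assumption): same ARN, same ID.
func deterministicID(arn string) string { return fmt.Sprintf("%x", sha256.Sum256([]byte(arn)))[:32] }
// assumeRoleToAccessLog converts one raw CloudTrail record into an access-log entry.
func assumeRoleToAccessLog(raw []byte) (accessLog, error) {
	var ev cloudTrailEvent
	if err := json.Unmarshal(raw, &ev); err != nil || ev.EventName != "AssumeRole" {
		return accessLog{}, fmt.Errorf("cloudtrail: not a parsable AssumeRole event (%v)", err)
	}
	actor, err := actorARN(ev)
	if err != nil {
		return accessLog{}, err
	}
	return accessLog{actor, deterministicID(actor), ev.RequestParameters.RoleArn, ev.EventTime}, nil
}
```

Because the ID is a pure function of the actor ARN, repeated scrapes of the same principal collapse to one ExternalUser, and an event with no resolvable ARN is surfaced as an error instead of being attributed to a shared empty-string identity.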

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
@moshloop moshloop enabled auto-merge (squash) February 24, 2026 06:01
@moshloop moshloop merged commit 36f6d48 into main Feb 24, 2026
12 of 15 checks passed
@moshloop moshloop deleted the assume-role-cloudtrail branch February 24, 2026 06:08

Development

Successfully merging this pull request may close these issues.

Config access logs on IAM Roles assumption

2 participants