docs/integrations/cloud-providers/aws.md
+33Lines changed: 33 additions & 0 deletions
@@ -196,6 +196,39 @@ You will immediately see the stacks and modules that already have your label in
196
196
!!! info
197
197
You have to enable auto-attach on each integration individually to prevent clashes with previous labels in your account.
198
198
199
+
## Session tagging
200
+
201
+
You can enable session tagging to have Spacelift attach run and stack metadata as tags when assuming your IAM role. These tags show up in CloudTrail logs, providing additional context for auditing.
202
+
203
+
To use session tagging, enable the **Enable tag session** option when creating or editing your AWS integration. Your IAM role's trust policy will need to include both `sts:AssumeRole` and `sts:TagSession` permissions as separate statements:
204
+
205
+
```json
206
+
{
207
+
"Version": "2012-10-17",
208
+
"Statement": [
209
+
{
210
+
"Effect": "Allow",
211
+
"Principal": {
212
+
"AWS": "<spacelift-principal>"
213
+
},
214
+
"Action": "sts:TagSession"
215
+
},
216
+
{
217
+
"Effect": "Allow",
218
+
"Principal": {
219
+
"AWS": "<spacelift-principal>"
220
+
},
221
+
"Action": "sts:AssumeRole",
222
+
"Condition": {
223
+
"StringLike": {
224
+
"sts:ExternalId": "your-account@*"
225
+
}
226
+
}
227
+
}
228
+
]
229
+
}
230
+
```
231
+
199
232
## Are my credentials safe?
200
233
201
234
Assuming roles and generating credentials **on private worker** is perfectly safe. Those credentials are never leaked to us in any shape or form.
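Review bot: in the trust policy, the `sts:TagSession` statement carries no `sts:ExternalId` condition while the adjacent `sts:AssumeRole` statement is guarded by `"StringLike": {"sts:ExternalId": "your-account@*"}`; either apply the same condition to both statements or state in the text why the tagging statement is deliberately left unconditioned, so readers do not copy a policy whose two statements are scoped differently. The introductory sentence says Spacelift attaches "run and stack metadata as tags" but never names the tag keys; listing them would let readers search CloudTrail for them and write `aws:RequestTag` or `aws:PrincipalTag` conditions against them. Minor: the text says the two permissions must be "separate statements", but AWS accepts both actions in a single statement's `Action` list; if separate statements are a Spacelift requirement rather than a style choice, say so, otherwise the shorter combined form keeps one condition covering both actions.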