AWS Security ChangesHomeSearch

AWS rolesanywhere documentation change

Service: rolesanywhere · 2025-04-28 · Documentation low

File: rolesanywhere/latest/userguide/authentication-create-session.md

Summary

Added endpoint reference link, corrected X.509 formatting, and clarified role session name behavior

Security assessment

Changes include typo corrections (x509 → X.509), adding an endpoint reference link, and clarifying certificate serial number usage in session names. No evidence of addressing vulnerabilities or changing security controls. The documentation updates improve accuracy but don't introduce new security features or address specific vulnerabilities.

Diff

diff --git a/rolesanywhere/latest/userguide/authentication-create-session.md b/rolesanywhere/latest/userguide/authentication-create-session.md
index fee9f2a6f..14cd20dc0 100644
--- a//rolesanywhere/latest/userguide/authentication-create-session.md
+++ b//rolesanywhere/latest/userguide/authentication-create-session.md
@@ -9 +9 @@ Request SyntaxURI Request ParametersRequest BodyResponse SyntaxResponse Elements
-The CreateSession API returns temporary security credentials for workloads that have been authenticated with IAM Roles Anywhere to access AWS resources.
+The CreateSession API returns temporary security credentials for workloads that have been authenticated with IAM Roles Anywhere to access AWS resources. For endpoints, see: [Roles Anywhere Endpoints and Quotas](https://docs.aws.amazon.com/general/latest/gr/rolesanywhere.html)
@@ -241 +241 @@ Required: Yes
-CreateSession is an x509 wrapper around [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html). The temporary session credentials are delivered to RolesAnywhere by AssumeRole, and then passed on without modification in the result of CreateSession. CreateSession is not included in any SDK or client as there is not yet native SDK or client support for CreateSession's signing process. 
+CreateSession is an X.509 wrapper around [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html). The temporary session credentials are delivered to RolesAnywhere by AssumeRole, and then passed on without modification in the result of CreateSession. CreateSession is not included in any SDK or client as there is not yet native SDK or client support for CreateSession's signing process. 
@@ -243 +243 @@ CreateSession is an x509 wrapper around [AssumeRole](https://docs.aws.amazon.com
-The `roleSessionName` option in the CreateSession request allows you to customize the identifier of a role session. The provided value will be passed into the AssumeRole request during the CreateSession process and will be incorporated into the ARN and ID of the [assumed role user](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumedRoleUser.html). This means that subsequent API requests using the temporary session credentials vended by CreateSession will expose the role session name to the corresponding account in their CloudTrail logs. Also, you can reference these credentials in a resource-based policy by the ARN or the ID. The default role session name, when not provided, is the serial number of the x509 certificate provided in a session request. 
+The `roleSessionName` option in the CreateSession request allows you to customize the identifier of a role session. The provided value will be passed into the AssumeRole request during the CreateSession process and will be incorporated into the ARN and ID of the [assumed role user](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumedRoleUser.html). This means that subsequent API requests using the temporary session credentials vended by CreateSession will expose the role session name to the corresponding account in their CloudTrail logs. Also, you can reference these credentials in a resource-based policy by the ARN or the ID. The default role session name, when not provided, is the serial number of the X.509 certificate provided in a session request. 
@@ -245 +245 @@ The `roleSessionName` option in the CreateSession request allows you to customiz
-The `acceptRoleSessionName` option on a profile controls whether or not a role session name will be accepted in a session request with this profile. By setting the `acceptRoleSessionName` option to `true`, you acknowledge that a role session name will be honored in a session request if the CreateSession call is made with this specific profile. This means that the default role session name, which is the serial number of the x509 certificate, will no longer be used and included in the ARN or ID of the assumed role user. 
+The `acceptRoleSessionName` option on a profile controls whether or not a role session name will be accepted in a session request with this profile. By setting the `acceptRoleSessionName` option to `true`, you acknowledge that a role session name will be honored in a session request if the CreateSession call is made with this specific profile. This means that the default role session name, which is the serial number of the X.509 certificate, will no longer be used and included in the ARN or ID of the assumed role user. 
@@ -247 +247 @@ The `acceptRoleSessionName` option on a profile controls whether or not a role s
-By default, the `acceptRoleSessionName` attached to the profile is `false`. If you provide a custom role session name in the CreateSession request but custom role session names are not accepted, you will receive an `Access Denied` error. However, when a role session name is not presented in the CreateSession request, the role session name will default to the serial number of the end-entity x509 certificate that was used to authenticate the request, even when the `acceptRoleSessionName` on the profile is `true`. 
+By default, the `acceptRoleSessionName` attached to the profile is `false`. If you provide a custom role session name in the CreateSession request but custom role session names are not accepted, you will receive an `Access Denied` error. However, when a role session name is not presented in the CreateSession request, the role session name will default to the serial number of the end-entity X.509 certificate that was used to authenticate the request, even when the `acceptRoleSessionName` on the profile is `true`.