From 02892e2323747f9444d666b6100d74c685b0815c Mon Sep 17 00:00:00 2001
From: Sumu
Date: Sat, 24 Aug 2024 17:49:54 -0400
Subject: [PATCH] add session tags to assumeRole function

Signed-off-by: Sumu
---
 lib/aws.ts | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/lib/aws.ts b/lib/aws.ts
index cd66123..ff48951 100644
--- a/lib/aws.ts
+++ b/lib/aws.ts
@@ -119,7 +119,8 @@ export class DefaultAwsClient implements IAws {
 credentials = await this.assumeRole(
 options.region,
 options.assumeRoleArn,
- options.assumeRoleExternalId
+ options.assumeRoleExternalId,
+ options.assumeRoleSessionTags
 );
 }

@@ -141,13 +142,23 @@ export class DefaultAwsClient implements IAws {
 private async assumeRole(
 region: string | undefined,
 roleArn: string,
- externalId?: string
+ externalId?: string,
+ sessionTags?: { [key: string]: string }
 ): Promise {
+ const parsedTags = sessionTags
+ ? Object.entries(sessionTags).map(([key, value]) => ({
+ Key: key,
+ Value: value,
+ }))
+ : [];
+
 return new this.AWS.ChainableTemporaryCredentials({
 params: {
 RoleArn: roleArn,
 ExternalId: externalId,
 RoleSessionName: `cdk-assets-${safeUsername()}`,
+ Tags: parsedTags,
+ TransitiveTagKeys: sessionTags ? Object.keys(sessionTags) : [],
 },
 stsConfig: {
 region,
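Review bot: `options.assumeRoleSessionTags` is read at the `this.assumeRole(...)` call in the first hunk, but the diffstat (13 insertions, 2 deletions, one file) is fully accounted for by the two hunks shown, so nothing in this patch declares that property on the options type. Unless the field already exists there, the call will not type-check; the options interface should gain `assumeRoleSessionTags?: { [key: string]: string };` with a doc comment saying that the target role's trust policy must allow `sts:TagSession` for tagged sessions. The enclosing method starts and ends outside this hunk.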
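Review bot: In `assumeRole` (second hunk), `TransitiveTagKeys` is set to every key of `sessionTags`, so all caller-supplied tags become transitive and are carried into any later role-chaining session; for tag-based access control that is a wider grant than passing session tags alone, and it should be opt-in or at least documented on the `sessionTags` parameter. Callers that pass no tags now also send `Tags: []` and `TransitiveTagKeys: []` rather than omitting the fields, which changes the request for existing users; `Tags: parsedTags.length > 0 ? parsedTags : undefined,` keeps the previous request shape, and the same guard applies to `TransitiveTagKeys`. Keys and values are forwarded unvalidated, so an oversized or malformed tag would presumably surface only as an STS error when the credentials are first resolved. The method body continues past the end of the hunk.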