AWS assumed role - RoleSessionName is not working consistently.

Question

AWS assumed role - RoleSessionName is not working consistently.

Divya Mohan P 20

The role session name "sts:RoleSessionName": "MicrosoftSentinel_{WORKSPACE_ID)" or
MicrosoftDefenderForClouds__{WORKSPACE_ID) is not working consitently

step 4 in here : https://learn.microsoft.com/en-us/azure/sentinel/connect-aws?tabs=s3#create-an-open-id-connect-oidc-web-identity-provider-and-an-aws-assumed-role

https://learn.microsoft.com/en-sg/answers/questions/2240042/amazon-web-services-s3-connectors

Anonymous

2025-04-09T10:20:18.17+00:00

Hello @Divya Mohan P, The issue with the inconsistent RoleSessionName in AWS occurs due to incorrect formatting, such as mismatched braces or invalid characters. Ensure the RoleSessionName follows the correct format, like MicrosoftSentinel_{WORKSPACE_ID}, and verify the IAM role's trust policy allows the assumed role using OIDC with the correct session name.
Pauline Mbabu 1,835 Reputation points Microsoft Employee

2025-04-09T13:16:47.2933333+00:00

Hello @Divya Mohan P ,
I am checking internally on this with the relevant team. I will get back
Anonymous

2025-04-10T05:43:12.9866667+00:00

@Divya Mohan P, We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, please respond with more details and we will try to help.
Divya Mohan P 20 Reputation points

2025-04-10T06:26:17.0033333+00:00

hi
Thanks for your reply.

It's working for last two days with role MicrosoftSentinel_ . Which was set earlier
I changed it to another role MicrosoftDefenderForClouds_ according to https://learn.microsoft.com/en-sg/answers/questions/2240042/amazon-web-services-s3-connectors

and that worked for one day and then stopped working so I reverted it back to MicrosoftSentinel_

So is it possible to confirm which role needs to be used.

I have raised PR for updating the code and documentation.

Thanks,
Divya
Anonymous

2025-04-10T07:19:42.98+00:00

Hi Divya Mohan P, I understand you are confused which role to use to integrate with Amazon Web Services S3 connectors.

Based on the Microsoft Documentation https://learn.microsoft.com/en-us/azure/sentinel/connect-aws?tabs=s3#create-an-open-id-connect-oidc-web-identity-provider-and-an-aws-assumed-role

The value of the sts:RoleSessionName parameter must have the exact prefix MicrosoftSentinel_

Hence to resolve the issue, you need to use MicrosoftSentinel_ as the value.

Hope this helps!

Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.

If any other queries - free feel to reach out!
Divya Mohan P 20 Reputation points

2025-04-10T07:38:14.7933333+00:00

Hi

I have followed the document when I first set up the role. and the role session name MicrosoftSentinel_ was working perfectly for months.

It stopped working on 27-March-2025. Then I found the question https://learn.microsoft.com/en-sg/answers/questions/2240042/amazon-web-services-s3-connectors where it stated

"The RoleSessionName that Microsoft sends has changed from MicrosoftSentinel_ to MicrosoftDefenderForClouds_."

so I changed it to MicrosoftDefenderForClouds_ and that worked for sometime and next day it failed again.

I reverted back to MicrosoftSentinel_ then it started working for last two days .

My question is about the consistency , and which role session name I should use.? MicrosoftSentinel_ works as of now ( as per documentation ) but will it stop working again ?
Anonymous

2025-04-10T08:45:10.4066667+00:00

Hi Divya Mohan P, I guess there might be a change in your setup but based on the Microsoft Document MicrosoftSentinel_ will work in future too.

If any other queries - free feel to reach out!
Pauline Mbabu 1,835 Reputation points Microsoft Employee

2025-04-10T10:14:09.7733333+00:00

Hello @Divya Mohan P ,
You are right, there was a change that was pushed that changed role session name from MicrosoftSentinel_ to MicrosoftDefenderForClouds_ but that later changed back to MicrosoftSentinel_.
I am trying to find out why this happened but as Rukmini mentioned the MicrosoftSentinel_ should work.
Divya Mohan P 20 Reputation points

2025-04-10T10:20:39.3033333+00:00

@Pauline Mbabu
If you are referring this repo https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AWS-S3/Utils/CommonAwsPolicies.ps1

it was done by me and I have been in discussion with the code owners , and it has been revered back today since the new session name fails.

my reference was this
https://learn.microsoft.com/en-sg/answers/questions/2240042/amazon-web-services-s3-connectors
Pauline Mbabu 1,835 Reputation points Microsoft Employee

2025-04-10T11:30:08.82+00:00

I was referencing a different conversation on a different platform. I wanted to know why the roleSessionname being passed by Sentinel to AWS had changed.
I see the repo you created based on the comment that was left regarding this change, but I see this change has also been reverted.
To answer your question, we apologize for the abrupt changes and kindly use MicrosoftSentinel_ as per documentation.

Answer accepted by question author

0 additional answers

Your answer

Anonymous

2025-04-09T10:20:18.17+00:00

Hello @Divya Mohan P, The issue with the inconsistent RoleSessionName in AWS occurs due to incorrect formatting, such as mismatched braces or invalid characters. Ensure the RoleSessionName follows the correct format, like MicrosoftSentinel_{WORKSPACE_ID}, and verify the IAM role's trust policy allows the assumed role using OIDC with the correct session name.
Pauline Mbabu 1,835 Reputation points Microsoft Employee

2025-04-09T13:16:47.2933333+00:00

Hello @Divya Mohan P ,
I am checking internally on this with the relevant team. I will get back
Anonymous

2025-04-10T05:43:12.9866667+00:00

@Divya Mohan P, We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, please respond with more details and we will try to help.
Divya Mohan P 20 Reputation points

2025-04-10T06:26:17.0033333+00:00

hi
Thanks for your reply.

It's working for last two days with role MicrosoftSentinel_ . Which was set earlier
I changed it to another role MicrosoftDefenderForClouds_ according to https://learn.microsoft.com/en-sg/answers/questions/2240042/amazon-web-services-s3-connectors

and that worked for one day and then stopped working so I reverted it back to MicrosoftSentinel_

So is it possible to confirm which role needs to be used.

I have raised PR for updating the code and documentation.

Thanks,
Divya
Anonymous

2025-04-10T07:19:42.98+00:00

Hi Divya Mohan P, I understand you are confused which role to use to integrate with Amazon Web Services S3 connectors.

Based on the Microsoft Documentation https://learn.microsoft.com/en-us/azure/sentinel/connect-aws?tabs=s3#create-an-open-id-connect-oidc-web-identity-provider-and-an-aws-assumed-role

The value of the sts:RoleSessionName parameter must have the exact prefix MicrosoftSentinel_

Hence to resolve the issue, you need to use MicrosoftSentinel_ as the value.

Hope this helps!

Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.

If any other queries - free feel to reach out!
Divya Mohan P 20 Reputation points

2025-04-10T07:38:14.7933333+00:00

Hi

I have followed the document when I first set up the role. and the role session name MicrosoftSentinel_ was working perfectly for months.

It stopped working on 27-March-2025. Then I found the question https://learn.microsoft.com/en-sg/answers/questions/2240042/amazon-web-services-s3-connectors where it stated

"The RoleSessionName that Microsoft sends has changed from MicrosoftSentinel_ to MicrosoftDefenderForClouds_."

so I changed it to MicrosoftDefenderForClouds_ and that worked for sometime and next day it failed again.

I reverted back to MicrosoftSentinel_ then it started working for last two days .

My question is about the consistency , and which role session name I should use.? MicrosoftSentinel_ works as of now ( as per documentation ) but will it stop working again ?
Anonymous

2025-04-10T08:45:10.4066667+00:00

Hi Divya Mohan P, I guess there might be a change in your setup but based on the Microsoft Document MicrosoftSentinel_ will work in future too.

If any other queries - free feel to reach out!
Pauline Mbabu 1,835 Reputation points Microsoft Employee

2025-04-10T10:14:09.7733333+00:00

Hello @Divya Mohan P ,
You are right, there was a change that was pushed that changed role session name from MicrosoftSentinel_ to MicrosoftDefenderForClouds_ but that later changed back to MicrosoftSentinel_.
I am trying to find out why this happened but as Rukmini mentioned the MicrosoftSentinel_ should work.
Divya Mohan P 20 Reputation points

2025-04-10T10:20:39.3033333+00:00

@Pauline Mbabu
If you are referring this repo https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AWS-S3/Utils/CommonAwsPolicies.ps1

it was done by me and I have been in discussion with the code owners , and it has been revered back today since the new session name fails.

my reference was this
https://learn.microsoft.com/en-sg/answers/questions/2240042/amazon-web-services-s3-connectors
Pauline Mbabu 1,835 Reputation points Microsoft Employee

2025-04-10T11:30:08.82+00:00

I was referencing a different conversation on a different platform. I wanted to know why the roleSessionname being passed by Sentinel to AWS had changed.
I see the repo you created based on the comment that was left regarding this change, but I see this change has also been reverted.
To answer your question, we apologize for the abrupt changes and kindly use MicrosoftSentinel_ as per documentation.

Answer 1

Hello @Divya Mohan P,

I understand the confusion caused by the recent inconsistency with the RoleSessionName used by Microsoft Sentinel when assuming the AWS role.

According to the official Microsoft documentation, the session name should start with MicrosoftSentinel_. This had been working consistently until around March 27, 2025, when it was observed that the session name changed to MicrosoftDefenderForClouds_, which led to integration failures for some users.

The value of the sts:RoleSessionName parameter must have the exact prefix MicrosoftSentinel_

User's image

As confirmed by @Pauline Mbabu, this change was later reverted, and MicrosoftSentinel_ is the correct and supported session name prefix. We will find the cause of the change made.

For consistency and reliability, it is recommended to continue using MicrosoftSentinel_ in the AWS IAM trust policy.Hope this helps!

If this answer was helpful, please click "Accept the answer" and mark Yes, as this can help other community members.

User's image

If you have any other questions or are still experiencing issues, feel free to ask in the "comments" section, and I'd be happy to help.

Anonymous

2025-04-14T03:46:02.2+00:00

@Hello @Divya Mohan P, Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes, if you have any further query do let us know.
Anonymous

2025-04-15T04:57:35.79+00:00

@Hello @Divya Mohan P, Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes, if you have any further query do let us know.

Share via

AWS assumed role - RoleSessionName is not working consistently.

0 additional answers

Your answer