feat: updates for transitive tagging

README.md

@@ -218,7 +218,7 @@ run.*
 
 The session will be tagged with the
 following tags: (Refer to [GitHub's documentation for `GITHUB_` environment
-variable definitions](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/using-environment-variables#default-environment-variables))
+variable definitions](https://docs.github.com/en/actions/reference/workflows-and-actions/variables#default-environment-variables))
 
 | Key        | Value             |
 | ---------- | ----------------- |
@@ -238,12 +238,14 @@ will be replaced with an '*'._
 
 The action will use session tagging by default unless you are using OIDC.
 
-To forward session tags to subsequent sessions in a role chain, you can use the 
-`transitive-tag-keys` input to specify the keys of the tags to be passed. Eg.
+To [forward session tags to subsequent sessions in a role chain](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining), 
+you can use the `transitive-tag-keys` input to specify the keys of the tags to be passed.
+
+_Note that all subsequent roles in the chain must have `role-skip-session-tagging` set to `true`_
 ```yaml
-      uses: aws-actions/configure-aws-credentials@v4
+      uses: aws-actions/configure-aws-credentials@v5
       with:
-        transitive-tag-keys:
+        transitive-tag-keys: |
           Repository
           Workflow
           Action

src/assumeRole.ts

@@ -9,6 +9,7 @@ import { errorMessage, isDefined, sanitizeGitHubVariables } from './helpers';
 
 async function assumeRoleWithOIDC(params: AssumeRoleCommandInput, client: STSClient, webIdentityToken: string) {
   delete params.Tags;
+  delete params.TransitiveTagKeys;
   core.info('Assuming role with OIDC');
   try {
     const creds = await client.send(
@@ -123,7 +124,10 @@ export async function assumeRole(params: assumeRoleParams) {
     core.debug(`${tags.length} role session tags are being used.`);
   }
 
-  const transitiveTagKeysArray = transitiveTagKeys?.filter((key) => tags?.some((tag) => tag.Key === key));
+  //only populate transitiveTagKeys array if user is actually using session tagging
+  const transitiveTagKeysArray = roleSkipSessionTagging
+    ? undefined
+    : transitiveTagKeys?.filter((key) => tags?.some((tag) => tag.Key === key));
 
   // Calculate role ARN from name and account ID (currently only supports `aws` partition)
   let roleArn = roleToAssume;
@@ -141,7 +145,7 @@ export async function assumeRole(params: assumeRoleParams) {
     RoleSessionName: roleSessionName,
     DurationSeconds: roleDuration,
     Tags: tags ? tags : undefined,
-    TransitiveTagKeys: transitiveTagKeysArray,
+    TransitiveTagKeys: transitiveTagKeysArray ? transitiveTagKeysArray : undefined,
     ExternalId: roleExternalId ? roleExternalId : undefined,
     Policy: inlineSessionPolicy ? inlineSessionPolicy : undefined,
     PolicyArns: managedSessionPolicies?.length ? managedSessionPolicies : undefined,
@@ -169,4 +173,4 @@ export async function assumeRole(params: assumeRoleParams) {
     );
   }
   return assumeRoleWithCredentials(commonAssumeRoleParams, stsClient);
-}
+}

src/helpers.ts

@@ -20,6 +20,7 @@ export function translateEnvVariables() {
     'ROLE_EXTERNAL_ID',
     'ROLE_SESSION_NAME',
     'ROLE_SKIP_SESSION_TAGGING',
+    'TRANSITIVE_TAG_KEYS',
     'INLINE_SESSION_POLICY',
     'MANAGED_SESSION_POLICIES',
     'OUTPUT_CREDENTIALS',