From f4329a036ab2e8d4a2e5f7442e60faf452ebbde8 Mon Sep 17 00:00:00 2001
From: Stefan Sedich
Date: Mon, 7 Dec 2020 15:22:43 -0800
Subject: [PATCH 1/2] Log session-name and external-id when logging credentials
---
 pkg/aws/sts/log.go | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/pkg/aws/sts/log.go b/pkg/aws/sts/log.go
index 235df5d4..de012a7c 100644
--- a/pkg/aws/sts/log.go
+++ b/pkg/aws/sts/log.go
@@ -14,13 +14,25 @@
 package sts

 import (
+ "strings"
+
 log "github.com/sirupsen/logrus"
 )

 func CredentialsFields(identity *RoleIdentity, creds *Credentials) log.Fields {
- return log.Fields{
+ fields := log.Fields{
 "credentials.access.key": creds.AccessKeyId,
 "credentials.expiration": creds.Expiration,
 "credentials.role": identity.Role,
 }
+
+ if identity.SessionName != "" {
+ fields["credentials.session-name"] = identity.SessionName
+ }
+
+ if identity.ExternalID != "" {
+ fields["credentials.external-id"] = strings.Repeat("*", len(identity.ExternalID))
+ }
+
+ return fields
 }
From 9c6f4f38d3b7b5016c93086636878fb3f39e95b7 Mon Sep 17 00:00:00 2001
From: Stefan Sedich
Date: Mon, 7 Dec 2020 15:28:40 -0800
Subject: [PATCH 2/2] Log the ARN and not the object
---
 pkg/aws/sts/log.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/aws/sts/log.go b/pkg/aws/sts/log.go
index de012a7c..dcc3a3af 100644
--- a/pkg/aws/sts/log.go
+++ b/pkg/aws/sts/log.go
@@ -23,7 +23,7 @@ func CredentialsFields(identity *RoleIdentity, creds *Credentials) log.Fields {
 fields := log.Fields{
 "credentials.access.key": creds.AccessKeyId,
 "credentials.expiration": creds.Expiration,
- "credentials.role": identity.Role,
+ "credentials.role": identity.Role.ARN,
 }

 if identity.SessionName != "" {
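Review bot: Masking the external ID with `strings.Repeat("*", len(identity.ExternalID))` in [PATCH 1/2] still writes its exact byte length to every credentials log line, so anyone with log access learns the length; the masking is also the only use of the new `strings` import. A constant marker records that an external ID was supplied without the length: `fields["credentials.external-id"] = "<redacted>"`. `identity.SessionName` is logged verbatim; where that value comes from is not visible in this hunk, so if it can be caller-controlled, confirm the configured logrus formatter escapes control characters. The exported function has no doc comment; `// CredentialsFields returns the log fields for issued credentials; the external ID is never logged in clear.` would record the redaction intent.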