Commit 233f22f

fincd-awseasymrgr
authored and
easymrgr
committed
Add docs for SessionNameRaw variable in access entries
1 parent 7210487 commit 233f22f

1 file changed

+1
-1
lines changed

latest/ug/manage-access/k8s-access/creating-access-entries.adoc

+1-1
@@ -27,7 +27,7 @@ Before creating access entries, consider the following:
2727
* If the type of the access entry is `STANDARD`, you can specify a _username_ for the access entry. If you don't specify a value for username, Amazon EKS sets one of the following values for you, depending on the type of the access entry and whether the IAM principal that you specified is an IAM role or IAM user. Unless you have a specific reason for specifying your own username, we recommend that don't specify one and let Amazon EKS auto-generate it for you. If you specify your own username:
2828
+
2929
** It can't start with `system:`, `eks:`, `aws:`, `amazon:`, or `iam:`.
30-
** If the username is for an IAM role, we recommend that you add `{{SessionName}}` to the end of your username. If you add `{{SessionName}}` to your username, the username must include a colon _before_ {{SessionName}}. When this role is assumed, the name of the session specified when assuming the role is automatically passed to the cluster and will appear in CloudTrail logs. For example, you can't have a username of `john{{SessionName}}`. The username would have to be `:john{{SessionName}}` or `jo:hn{{SessionName}}`. The colon only has to be before `{{SessionName}}`. The username generated by Amazon EKS in the following table includes an ARN. Since an ARN includes colons, it meets this requirement. The colon isn't required if you don't include `{{SessionName}}` in your username. Note that the special character "@" is replaced with "-" in the session name.
30+
** If the username is for an IAM role, we recommend that you add `{{SessionName}}` or `{{SessionNameRaw}}` to the end of your username. If you add either `{{SessionName}}` or `{{SessionNameRaw}}` to your username, the username must include a colon _before_ {{SessionName}}. When this role is assumed, the name of the {aws} STS session name that is specified when assuming the role is automatically passed to the cluster and will appear in CloudTrail logs. For example, you can't have a username of `john{{SessionName}}`. The username would have to be `:john{{SessionName}}` or `jo:hn{{SessionName}}`. The colon only has to be before `{{SessionName}}`. The username generated by Amazon EKS in the following table includes an ARN. Since an ARN includes colons, it meets this requirement. The colon isn't required if you don't include `{{SessionName}}` in your username. Note that in `{{SessionName}}` the special character "@" is replaced with "-" in the session name. `{{SessionNameRaw}}` keeps all special characters in the session name.
3131
+
3232
[cols="1,1,1", options="header"]
3333
|===
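
Review bot: In the added line, the colon rule and its examples still name only `{{SessionName}}` ("the username must include a colon _before_ {{SessionName}}", "The colon isn't required if you don't include `{{SessionName}}` in your username"), even though the preceding sentence says the rule applies to either variable. Suggest naming both variables or writing "before the variable", putting the bare {{SessionName}} in backticks like the other occurrences, and adding one example that uses `{{SessionNameRaw}}`. The phrase "the name of the {aws} STS session name that is specified" is doubled up; "the {aws} STS session name that is specified" reads cleanly. Because `{{SessionNameRaw}}` "keeps all special characters" while `{{SessionName}}` replaces "@" with "-", the two produce different usernames for the same session name, so a sentence on when to choose each would help readers who match on that username.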