Force role session name in AWS IAM

I want to force users to use a role session name when assuming a role in AWS. I’ve tried the following condition in IAM policies:

    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<redacted>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringLike": {
          "sts:RoleSessionName": "${aws:username}"
        }
      }
    }

While this works fine when assuming a role as a user, it does not work when assuming a role from a role with administrator privileges (Allow * on *). The only way to block this would be an explicit Deny when a role tries to assume a given role and does not have a session name set up. Any ideas how to write a policy that does this? A simple Deny like the one below does not work because aws:username is not present when an assumed role is the principal (see docs).

    {
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::<redacted>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringNotLike": {
          "sts:RoleSessionName": "${aws:username}"
        }
      }
    }

Author: pmichna
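
A detective check to pair with the trust-policy condition in the question, as an added example that is not part of the original post: it scans CloudTrail `AssumeRole` records and flags successful calls whose `roleSessionName` does not match the caller. The sample records are constructed, the account ID, role ID and names are placeholders, and the rule that a role caller must carry its own session name forward is an assumption of this example.

```python
import json

ROLE = "arn:aws:iam::111122223333:role/Target"  # placeholder ARN

def _event(identity, session_name, error=None):
    """Build a constructed CloudTrail-shaped AssumeRole record."""
    ev = {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
          "userIdentity": identity,
          "requestParameters": {"roleArn": ROLE, "roleSessionName": session_name}}
    if error:
        ev["errorCode"] = error
    return ev

# Constructed identities: an IAM user, and an Admin role session named "alice".
USER_ALICE = {"type": "IAMUser", "userName": "alice"}
ADMIN_AS_ALICE = {"type": "AssumedRole", "principalId": "AROAEXAMPLEID:alice",
                  "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "Admin"}}}
SAMPLE_EVENTS = [
    _event(USER_ALICE, "alice"),                         # compliant user call
    _event(USER_ALICE, "deploy", error="AccessDenied"),  # already blocked by the Allow condition
    _event(ADMIN_AS_ALICE, "alice"),                     # role chain keeps the name
    _event(ADMIN_AS_ALICE, "tmp-session"),               # role chain drops the name
]

def expected_session_name(identity):
    """Name the new session should carry, or None if it cannot be derived."""
    if identity.get("type") == "IAMUser":
        return identity.get("userName")
    if identity.get("type") == "AssumedRole":
        # aws:username is absent here; principalId is "<role-id>:<caller-session-name>".
        return identity.get("principalId", "").partition(":")[2] or None
    return None

def audit_assume_role(events):
    """Return one finding per successful AssumeRole with a non-matching session name."""
    findings = []
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) != ("sts.amazonaws.com", "AssumeRole") or ev.get("errorCode"):
            continue  # not an AssumeRole call, or the call failed
        identity = ev.get("userIdentity") or {}
        expected = expected_session_name(identity)
        actual = (ev.get("requestParameters") or {}).get("roleSessionName")
        if expected is None or actual != expected:
            findings.append({"caller_type": identity.get("type"), "expected": expected,
                             "actual": actual, "role": ROLE})
    return findings

if __name__ == "__main__":
    print(json.dumps(audit_assume_role(SAMPLE_EVENTS), indent=2))
```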