diff --git a/servers/zts/src/main/java/com/yahoo/athenz/zts/store/CloudStore.java b/servers/zts/src/main/java/com/yahoo/athenz/zts/store/CloudStore.java
index b9edc41c724..d16f00fe4d1 100644
--- a/servers/zts/src/main/java/com/yahoo/athenz/zts/store/CloudStore.java
+++ b/servers/zts/src/main/java/com/yahoo/athenz/zts/store/CloudStore.java
@@ -420,14 +420,12 @@ String getAssumeRoleSessionName(final String principal) {
 // and does not contain any invalid characters. From aws docs:
 // Length Constraints: Minimum length of 2. Maximum length of 64.
 // Pattern: [\w+=,.@-]*
- // Athenz principals can also include _'s which are not allowed
- // but the system admin can enable it, so we'll replace those
- // with ='s if we come across. And we'll truncate the principal
- // name to 60 and add insert ... in the middle to indicate truncation
+ // if the Athenz principal identity is longer than 64 characters,
+ // we'll truncate the principal name to 60 and add insert ... in
+ // the middle to indicate truncation
 
- String roleSessionName = (principal.length() > 64) ?
+ return (principal.length() > 64) ?
 principal.substring(0, 30) + "..." + principal.substring(principal.length() - 30) : principal;
- return roleSessionName.replaceAll("_", "=");
 }
 
 AssumeRoleRequest getAssumeRoleRequest(final String account, final String roleName, Integer durationSeconds,
diff --git a/servers/zts/src/test/java/com/yahoo/athenz/zts/store/CloudStoreTest.java b/servers/zts/src/test/java/com/yahoo/athenz/zts/store/CloudStoreTest.java
index 1548b88f3f3..e9dd4c0c247 100644
--- a/servers/zts/src/test/java/com/yahoo/athenz/zts/store/CloudStoreTest.java
+++ b/servers/zts/src/test/java/com/yahoo/athenz/zts/store/CloudStoreTest.java
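Review bot: The added comment lines still say the name is truncated to 60 and "add insert ... in the middle" reads as a typo, while the retained expression keeps 30 + "..." + 30 characters, i.e. 63; suggest `// if the Athenz principal identity is longer than 64 characters,` / `// we'll keep its first and last 30 characters joined by "..." (63 chars` / `// total) so the truncation is visible in the session name`. The context comment just above quotes a minimum length of 2 from the AWS docs, but neither the old nor the new code enforces it, so a zero- or one-character principal is returned as-is and presumably fails later at the STS call rather than here; either add a check or drop that constraint from the comment. Because the truncation keeps only the prefix and suffix, two distinct long principals that share their first and last 30 characters map to the same role session name, which is worth a comment if this value is what ends up in audit records for the assumed role. With the `_`-to-`=` replacement gone the method no longer rewrites any character, so "does not contain any invalid characters" in the context line now overstates what the method itself guarantees. getAssumeRoleSessionName begins above the hunk, so its opening comment is outside this view.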
@@ -187,7 +187,7 @@ public void testGetAssumeRoleRequest() {
 req = store.getAssumeRoleRequest("12345", "adminuser", 101, "external", "athenz.api_service-test");
 assertEquals("arn:aws:iam::12345:role/adminuser", req.getRoleArn());
- assertEquals("athenz.api=service-test", req.getRoleSessionName());
+ assertEquals("athenz.api_service-test", req.getRoleSessionName());
 assertEquals(Integer.valueOf(101), req.getDurationSeconds());
 assertEquals("external", req.getExternalId());