6

I am setting up our AWS to have multiple accounts, with our IAM users defined in one account and our resources defined in one or more other accounts, with policies set up to allow users to assume roles on the production and staging accounts. I am using this Coinbase blog post as a guide. In a nutshell, the approach is to call `aws sts get-session-token` to get temporary credentials (you have to do this if you use MFA), and then use those credentials to call `assume-role` for the role you want.

However, it appears that you can't assume-role with a duration any longer than an hour using temporary credentials. When I run this:

```
aws sts assume-role --role-arn arn:aws:iam::<REDACTED>:role/power-user --role-session-name my_session --duration-seconds <DURATION>
```

If I use a duration any longer than an hour, I get this error:

```
An error occurred (ValidationError) when calling the AssumeRole operation: The requested DurationSeconds exceeds the 1 hour session limit for roles assumed by role chaining.
```

This will be a hard sell for my dev team if they have to enter their MFA tokens once an hour. Is there a way to `assume-role` with temporary credentials that last more than an hour?

David Ham
  • The STS session token lasts 12 hours by default. They will just have to assume the role again every hour, not enter their MFA token. – Brandon Miller Jun 02 '18 at 17:13
  • Updated your aws cli? – Varun Chandak Jun 03 '18 at 14:17
  • @kintuparantu: I think it's the most current version: `$ aws --version aws-cli/1.15.20 Python/3.6.5 Darwin/17.5.0 botocore/1.10.20` – David Ham Jun 03 '18 at 15:22
  • @BrandonMiller, this was a good point, I had not realized it, but it kind of amounts to the same thing: my team's commands will fail unexpectedly because their creds will have timed out. `aws sts-assume-role` accepts a `durationSeconds` parameter that can be up to 12 hours; my issue is that this limit seems to be an hour when using temporary credentials. – David Ham Jun 03 '18 at 15:26

2 Answers

7

You can assume a role for 12 hours if you are using IAM long-term creds, whereas if you are using temporary creds (e.g. from the GetSessionToken API) to call AssumeRole, then you cannot assume the role for more than an hour.

I wonder why you would need to call the GetSessionToken API first and not use the AssumeRole API directly with MFA?

Rachit Jain
  • I was using a CLI script that did this, but now that I know this limitation I don't know why they did `get-session-token` first. – David Ham Jun 07 '18 at 18:12
  • Ok, the general rule of thumb here is that any temporary creds, when used to request temporary creds, are considered part of role chaining and are limited to 1 hour. The only exception is roles for EC2, which are placed on an EC2 instance; using those creds you can request temporary creds that last up to 12 hours. – Rachit Jain Jun 07 '18 at 19:41
-1

According to the documentation, a role's maximum session duration can be changed in IAM:

To view a role's maximum session duration (console):

  • In the navigation pane of the IAM console, choose Roles.
  • Choose the name of the role that you want to view.
  • Next to Maximum session duration, view the maximum session length that is granted for the role. This is the maximum session duration that you can specify in your AWS CLI or API operation.


Spiff
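The two answers together give the practical fix: call AssumeRole directly with the MFA device (no GetSessionToken step, so no role chaining) and make sure the role's Maximum session duration has been raised, since STS caps the session at whichever of the two limits is lower. The helper below is an added example, not the asker's script, the Coinbase post's code, or anything from the answers. It assumes the caller holds long-term IAM user keys in the identity account (in `~/.aws/credentials` or the `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` variables), that the target role's trust policy allows that user and requires `aws:MultiFactorAuthPresent`, and that the role's Maximum session duration is 12 hours. The role ARN, MFA device ARN, session name and the `SAMPLE_RESPONSE` dictionary are placeholders and constructed data, not real values.

```python
"""Get a 12-hour role session with MFA without role chaining.

Added example, not code from the question, the answers or the Coinbase
post. Assumed setup: the caller holds long-term IAM user keys in the
identity account, the target role's trust policy allows that user (and
requires aws:MultiFactorAuthPresent), and the role's "Maximum session
duration" in IAM has been raised from the 1-hour default to 12 hours.
The role ARN, MFA device ARN and session name are placeholders.
"""
import os
import sys

ONE_HOUR = 3600          # cap STS enforces for role chaining
TWELVE_HOURS = 43200     # largest value a role's Maximum session duration can take


def caller_is_temporary(environ=None):
    """Long-term user keys carry no session token; credentials from
    GetSessionToken or an earlier AssumeRole always do. Calling AssumeRole
    with such credentials is role chaining."""
    env = os.environ if environ is None else environ
    return bool(env.get("AWS_SESSION_TOKEN"))


def effective_duration(requested, chained, role_max=TWELVE_HOURS):
    """Largest DurationSeconds STS will accept: never above the role's
    Maximum session duration, and never above one hour when chaining."""
    limit = min(role_max, TWELVE_HOURS)
    if chained:
        limit = min(limit, ONE_HOUR)
    return min(requested, limit)


def assume_role_params(role_arn, session_name, mfa_serial, token_code, duration):
    """Build the AssumeRole call. The MFA device and code go on AssumeRole
    itself, so there is no GetSessionToken step and no chaining."""
    if not (len(token_code) == 6 and token_code.isdigit()):
        raise ValueError("MFA token code must be six digits")
    return {
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "SerialNumber": mfa_serial,
        "TokenCode": token_code,
        "DurationSeconds": duration,
    }


def export_lines(credentials):
    """Shell exports for the Credentials block of an AssumeRole response."""
    return [
        f"export AWS_ACCESS_KEY_ID={credentials['AccessKeyId']}",
        f"export AWS_SECRET_ACCESS_KEY={credentials['SecretAccessKey']}",
        f"export AWS_SESSION_TOKEN={credentials['SessionToken']}",
        f"# session expires {credentials['Expiration']}",
    ]


# Constructed stand-in for what sts.assume_role returns (shape only; the
# values are not real credentials) so the script can be exercised offline.
SAMPLE_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEY000000",
        "SecretAccessKey": "examplesecret",
        "SessionToken": "exampletoken",
        "Expiration": "2018-06-04T03:26:00Z",
    }
}


def main(argv):
    if len(argv) != 4:
        print("usage: assume_mfa.py ROLE_ARN MFA_SERIAL_ARN TOKEN_CODE", file=sys.stderr)
        return 2
    role_arn, mfa_serial, token_code = argv[1:]
    chained = caller_is_temporary()
    duration = effective_duration(TWELVE_HOURS, chained)
    if chained:
        print("# AWS_SESSION_TOKEN is set: this is role chaining, capping the session at 1 hour. "
              "Unset it and run again with your long-term keys for 12 hours.", file=sys.stderr)
    params = assume_role_params(role_arn, "my_session", mfa_serial, token_code, duration)
    if os.environ.get("DRY_RUN"):
        response = SAMPLE_RESPONSE
    else:
        import boto3  # only needed for the real call
        response = boto3.client("sts").assume_role(**params)
    print("\n".join(export_lines(response["Credentials"])))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage: `eval "$(python assume_mfa.py arn:aws:iam::<REDACTED>:role/power-user arn:aws:iam::<IDENTITY_ACCOUNT>:mfa/alice 123456)"` puts the 12-hour credentials in the shell; `DRY_RUN=1` shows the output shape without calling AWS. Two checks before blaming role chaining: the script refuses to ask for more than an hour when `AWS_SESSION_TOKEN` is already set (a leftover `get-session-token` export reproduces exactly the error in the question), and the role's Maximum session duration must actually be 12 hours, since STS also returns a ValidationError when DurationSeconds exceeds that value. It is raised in the resource account with `aws iam update-role --role-name power-user --max-session-duration 43200`.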