Is this something of interest for assume roles when using aws-vault?
If so, maybe either provide the user with some information or have an api call to modify the maximum session duration of a role to allow up to 12h.
Enable Federated API Access to your AWS Resources for up to 12 hours Using IAM Roles https://aws.amazon.com/blogs/security/enable-federated-api-access-to-your-aws-resources-for-up-to-12-hours-using-iam-roles/
Yes, I think that aws-vault would need to specify a new value; the longer sessions would be a real improvement.
Would happily accept a PR!
First I'm going to get myself updated to 4.2.0 -- then I'll look into how much I keep running into the timeouts. It does seem like an opportunity for a simple PR.
the biggest problem i see most users facing is running long terraform deploys and the token expiring
especially for us with MFA, it expires in one hour.
if this new setting allow us to push that longer, it would be great
@FernandoMiguel remind me why those users can't use the metadata server for fresh creds?
I do run it with --server sometimes.
But not everyone knows about it or wants to run root.
Also I sometimes need to run more than one profile and if I have a daemon
it becomes a problem very fast.
And lastly, when running in --server, when the mfa expires, at least
terraform fails to auth in the 1st run, a pop up asks for the key chain
password to unlock, and then I have to rerun terraform for it to get the
valid auth.
Linux users don't get that pop-up making it harder to be aware it expired.
looks like the adjustments are just right here?
However, it is dictated by the role itself - see the linked blog post, So I wonder will aws-vault need to look up the value by describing the role?
or just the user enter whatever they want and return the error at aws provides :)
this has now been merged
Most helpful comment
I do run it with --server sometimes.
But not everyone knows about it or wants to run root.
Also I sometimes need to run more than one profile and if I have a daemon
it becomes a problem very fast.
And lastly, when running in --server, when the mfa expires, at least
terraform fails to auth in the 1st run, a pop up asks for the key chain
password to unlock, and then I have to rerun terraform for it to get the
valid auth.
Linux users don't get that pop-up making it harder to be aware it expired.