Aws-vault: Can MaxAssumeRoleDuration be increased?

Created on 18 Apr 2018  路  18Comments  路  Source: 99designs/aws-vault

My understanding is that as of This change we can now assume roles for up to 12h?

aws-vault still gives the error
aws-vault: error: Maximum duration for assumed roles is 1h0m0s

If my understanding is correct, this can be changed by increasing this value

Most helpful comment

I was able to get this to work:

aws-vault exec --assume-role-ttl 12h --no-session --debug my-profile-that-assumes-roles

All 18 comments

+1 for this feature request

There's already a ticket and a PR for this

I don't believe this is going to work.

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html

Role chaining limits your AWS CLI or API role session to a maximum of one hour.

If you have MFA, we need to go with root credentials -> sts session -> assume role. The intermediate session limits you to 1 hour.

I was able to get this to work:

aws-vault exec --assume-role-ttl 12h --no-session --debug my-profile-that-assumes-roles

The downside of that is that you will be prompted for your MFA each time. Normally we create a session and cache that.

I'm ok with being asked for the MFA per session, if I don't have to see the session expire in an hour

What is chaining in this context?
Is the process of using STS chaining?
In my work flow, I login to an IAM account and only assume a role in another account

iam credentials -> assume role basically @FernandoMiguel

Without --no-session, it creates an STS session in the middle: iam credentials -> sts session -> assume role

I see... and that breaks the total time @lox ?

@lox your workaround did not work for me on v4.2.1. I'm on Linux Mint. I still get aws-vault: error: Maximum duration for assumed roles is 1h0m0s

Also - isn't the maximum for a session 36h now? https://docs.aws.amazon.com/cli/latest/reference/sts/get-session-token.html

@nocode99 - When you go to the IAM Management console, and click on the role, it should have an option for "Maximum CLI/API session duration" - I think you may need to increase that to 12h?

Ah - I didn't realize that had to be set. I went ahead and set it immediately and still getting same message after 15m thinking it might be eventually consistent. The config I was using looked like:

[profile profile1]
region=us-east-1

[profile admin]
source_profile = profile1
role_arn = arn:aws:iam::12345:role/Admin
mfa_serial = arn:aws:iam::12345:mfa/my_user

and I was executing aws-vault exec --no-session --assume-role-ttl 12h --debug admin

Ultimately, what I'm hoping to accomplish is having users getting temporary credentials via aws-vault using MFA and then starting a tmux session.

Just to check, are you compiling the code?

The most recent version from https://github.com/99designs/aws-vault/releases is 20 days ago, and @lox only merged #240 14 days ago, so this wouldn't be in v4.2.1.

Sorry I was out on vacation. Looks like using the latest dev version solved it for me. Thanks!

Looking forward to this making it into the next release!

Was this page helpful?
0 / 5 - 0 ratings