My understanding is that as of This change we can now assume roles for up to 12h?
aws-vault still gives the error
aws-vault: error: Maximum duration for assumed roles is 1h0m0s
If my understanding is correct, this can be changed by increasing this value
+1 for this feature request
There's already a ticket and a PR for this
Just merged https://github.com/99designs/aws-vault/pull/240.
I don't believe this is going to work.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html
Role chaining limits your AWS CLI or API role session to a maximum of one hour.
If you have MFA, we need to go with root credentials -> sts session -> assume role. The intermediate session limits you to 1 hour.
I was able to get this to work:
aws-vault exec --assume-role-ttl 12h --no-session --debug my-profile-that-assumes-roles
The downside of that is that you will be prompted for your MFA each time. Normally we create a session and cache that.
I'm ok with being asked for the MFA per session, if I don't have to see the session expire in an hour
What is chaining in this context?
Is the process of using STS chaining?
In my work flow, I login to an IAM account and only assume a role in another account
iam credentials -> assume role basically @FernandoMiguel
Without --no-session, it creates an STS session in the middle: iam credentials -> sts session -> assume role
I see... and that breaks the total time @lox ?
@lox your workaround did not work for me on v4.2.1. I'm on Linux Mint. I still get aws-vault: error: Maximum duration for assumed roles is 1h0m0s
Also - isn't the maximum for a session 36h now? https://docs.aws.amazon.com/cli/latest/reference/sts/get-session-token.html
@nocode99 - When you go to the IAM Management console, and click on the role, it should have an option for "Maximum CLI/API session duration" - I think you may need to increase that to 12h?
Ah - I didn't realize that had to be set. I went ahead and set it immediately and still getting same message after 15m thinking it might be eventually consistent. The config I was using looked like:
[profile profile1]
region=us-east-1
[profile admin]
source_profile = profile1
role_arn = arn:aws:iam::12345:role/Admin
mfa_serial = arn:aws:iam::12345:mfa/my_user
and I was executing aws-vault exec --no-session --assume-role-ttl 12h --debug admin
Ultimately, what I'm hoping to accomplish is having users getting temporary credentials via aws-vault using MFA and then starting a tmux session.
Just to check, are you compiling the code?
The most recent version from https://github.com/99designs/aws-vault/releases is 20 days ago, and @lox only merged #240 14 days ago, so this wouldn't be in v4.2.1.
Sorry I was out on vacation. Looks like using the latest dev version solved it for me. Thanks!
Looking forward to this making it into the next release!
Most helpful comment
I was able to get this to work:
aws-vault exec --assume-role-ttl 12h --no-session --debug my-profile-that-assumes-roles