When performing an aws-vault exec, attempting to set an --assume-role-ttl time greater than 1h results in the following error:
ValidationError: The requested DurationSeconds exceeds the 1 hour session limit for roles assumed by role chaining.
The AWS documentation states that Role chaining defaults to a 1h limit, but can be extended up to 12h.
Attempting to do set the role chaining limit with --session-ttl=4h doesn't address the problem, however it is possible to set a longer --assume-role-ttl by using --no-session instead.
It's not clear to me whether --session-ttl should be setting the role chaining limit or not. In order to identify that --no-session would address the issue required reading the provider code and understanding the internals. This shouldn't be necessary and either the command arguments should do what's expected, for example --assume-role-ttl should set both the "role chaining" TTL as well as the target role TTL, or the documentation should be made clearer to instruct the user how --assume-role-ttl is correctly used.
You need to first change your role on aws side.
Also, that feature isn't in aws-vault just yet.
AFAIK it's been merged to master but no new builds made with it included.
You can build from source a d try
--
Fernando Miguel
On Thu, 31 May 2018, 15:51 Jinn Koriech, notifications@github.com wrote:
When performing an aws-vault exec, attempting to set an --assume-role-ttl
time greater than 1h results in the following error:ValidationError: The requested DurationSeconds exceeds the 1 hour session limit for roles assumed by role chaining.
The AWS documentation states that Role chaining
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining
defaults to a 1h limit, but can be extended up to 12h.Attempting to do set the role chaining limit with --session-ttl=4h
doesn't address the problem, however it is possible to set a longer
--assume-role-ttl by using --no-session instead.It's not clear to me whether --session-ttl should be setting the role
chaining limit or not. In order to identify that --no-session would
address the issue required reading the provider code and understanding the
internals. This shouldn't be necessary and either the command arguments
should do what's expected, for example --assume-role-ttl should set both
the "role chaining" TTL as well as the target role TTL, or the
documentation should be made clearer to instruct the user how
--assume-role-ttl is correctly used.—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
https://github.com/99designs/aws-vault/issues/263, or mute the thread
https://github.com/notifications/unsubscribe-auth/AAKRrkB9ih0oAmKvMOCEwn5RgxCA7oi-ks5t4ANlgaJpZM4UVMKb
.
Any idea when master will be released?
New release is here https://github.com/99designs/aws-vault/releases/tag/v4.3.0
Re-open if this doesn't solve your issue!
Thanks!
I think that is not solved. When I try to assume a role with ttl > 1 hour, i can't. But if I use --no-session parameter, it seems to work.
$ aws-vault --version
v4.4.1
Without --no-session parameter:
$ aws-vault exec profile --assume-role-ttl=8h --debug
2018/10/17 09:24:14 [keyring] Considering backends: [file]
2018/10/17 09:24:14 Loading config file /home/username/.aws/config
2018/10/17 09:24:14 Parsing config file /home/username/.aws/config
2018/10/17 09:24:14 Looking for sessions for profile
2018/10/17 09:24:14 Looking up all keys in keyring
2018/10/17 09:24:14 [keyring] Expanded file dir to /home/username/.awsvault/keys/
2018/10/17 09:24:14 Session not found in keyring for profile
2018/10/17 09:24:14 Looking up keyring for master-profile
2018/10/17 09:24:14 [keyring] Expanded file dir to /home/username/.awsvault/keys/
2018/10/17 09:24:14 [keyring] Expanded file dir to /home/username/.awsvault/keys/
Enter passphrase to unlock /home/username/.awsvault/keys/:
Enter token for arn:aws:iam::XXXXXXXXXX:mfa/username: 123456
2018/10/17 09:24:24 Using region "eu-west-1" from profile
2018/10/17 09:24:24 Getting new session token for profile master-profile
2018/10/17 09:24:25 Writing session for profile to keyring: "profile session (XXXXXXXXXX)"
2018/10/17 09:24:25 [keyring] Expanded file dir to /home/username/.awsvault/keys/
2018/10/17 09:24:25 [keyring] Expanded file dir to /home/username/.awsvault/keys/
2018/10/17 09:24:25 Using session ********************, expires in 3h59m59.608664887s
2018/10/17 09:24:25 Using region "eu-west-1" from profile
2018/10/17 09:24:25 Assuming role arn:aws:iam::XXXXXXXXXX:role/role from session token
aws-vault: error: Failed to get credentials for master-profile (source profile for profile): ValidationError: The requested DurationSeconds exceeds the 1 hour session limit for roles assumed by role chaining.
status code: 400, request id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
With --no-session:
$ aws-vault exec profile --assume-role-ttl=8h --debug --no-session
2018/10/17 09:15:16 [keyring] Considering backends: [file]
2018/10/17 09:15:16 Loading config file /home/username/.aws/config
2018/10/17 09:15:16 Parsing config file /home/username/.aws/config
2018/10/17 09:15:16 Skipping session token and using master credentials directly
2018/10/17 09:15:16 Looking up keyring for master-profile
2018/10/17 09:15:16 [keyring] Expanded file dir to /home/username/.awsvault/keys/
2018/10/17 09:15:16 [keyring] Expanded file dir to /home/username/.awsvault/keys/
Enter passphrase to unlock /home/username/.awsvault/keys/:
2018/10/17 09:15:21 Using region "eu-west-1" from profile
Enter token for arn:aws:iam::XXXXXXXXXXXX:mfa/username: 123456
2018/10/17 09:15:27 Assuming role arn:aws:iam::XXXXXXXXXXXX:role/role with iam credentials
2018/10/17 09:15:28 Using role ********************, expires in 7h59m59.667042926s
2018/10/17 09:15:28 Setting subprocess env: AWS_DEFAULT_REGION=eu-west-1, AWS_REGION=eu-west-1
2018/10/17 09:15:28 Setting subprocess env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
2018/10/17 09:15:28 Setting subprocess env: AWS_SESSION_TOKEN, AWS_SECURITY_TOKEN
@beeva-victorperez as the error mentions seems you are assuming a role with a session token. AWS restricts it to a maximum of 1 hour. It is as per design. The limit mentioned in the AWS docs is for direct assume role and it needs changes in the role configuration, AWS creates roles restricted to 1hr by default.
I changed in the role configuration to 8 hours. But only works if I use --no-session parameter. Is it neccesary to use --no-session if I want a duration > of 1 hour?
Yes, otherwise the session token wont allow you
@frezbo thanks!!!
Make sure you already changed your role to allow 8h or more.
And if you are cross assuming roles, both should have that set
AWS API's regarding assume roles and federation has a lot of restrictions with session tokens.
this only works with --no-session parameter
will there be any update for no --no-session parameter
You can get up to a one hour session without needing to use the --no-session argument. I think this is actually a limitation of STS:
aws-vault exec --assume-role-ttl=2h sandbox-admin -- env
ValidationError: The requested DurationSeconds exceeds the 1 hour session limit for roles assumed by role chaining.
I have an IAM User in a bastion account. and I am assuming a role in another account
However I can get a 1hour session
aws-vault exec --assume-role-ttl=1h sandbox-admin -- env
This is indeed sts: https://forums.aws.amazon.com/thread.jspa?messageID=857346&tstart=0
Hello,
Thank you for your question. Earlier this year we launched a feature which lets you increase the duration of your role session however, currently we do not support the role chaining use case for this feature. We have this in our backlog for future prioritization.
Thank you.