Hi,
Given the following config
[profile default]
region=us-east-1
[profile prod]
source_profile = default
role_arn = arn:aws:iam::111111111111:role/SomeRole
mfa_serial = arn:aws:iam::222222222222:mfa/SomeUsername
And the credentials for the default profile saved in aws-vault, running
aws-vault exec --assume-role-ttl=8h prod bash
Fails with
ValidationError: The requested DurationSeconds exceeds the 1 hour session limit for roles assumed by role chaining.
This is explained in the IAM documentation
However, if you assume a role using role chaining and provide a DurationSeconds parameter value greater than one hour, the operation fails.
In this configuration, there should be no chaining happening, you can set both the MFA and the Role when using sts.NewCredentials, see an example here
I think the fix is to change provider.go to not use GetSessionToken then AssumeRole but to combine them when both the mfa and the role config are present.
Thanks
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Any chance for this to ever get fixed?
Yes absolutely @hamstah, awaiting your PR
I initially opened the PR so someone more familiar with the code base could
fix the issue faster as I think it requires a quite a bit of refactoring
and was hoping someone could suggest the best way to go about doing it
instead of just spending time on my own to them potentially being rejected
for not being the right way.
Given that the issue received no acknowledgment or suggestion I moved on
and stopped using aws-vault as this was a deal breaker for my use case.
I replied to the issue being closed to keep it open as I still think it's a
missing use case for the tool and shouldn't be ignored.
Given the amount of work and the fact that I don't use the tool anymore I'm
not going to invest time into making a PR myself as I don't have the time
right now.
On Thu, 19 Sep 2019 at 20:26, Michael Tibben notifications@github.com
wrote:
Yes absolutely @hamstah https://github.com/hamstah, awaiting your PR
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/99designs/aws-vault/issues/351?email_source=notifications&email_token=AABN7DSDI4IIQJRAO7FBZBLQKO76TA5CNFSM4HAE3KF2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD7EMVDA#issuecomment-533252748,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AABN7DVQLIA5P4F32AESUFLQKO76TANCNFSM4HAE3KFQ
.
OK, no worries. We don't keep issues open if they aren't going to be actively worked on. Feel free to reopen if you get time to work on it!
@mtibben I know you closed this before... However, I think this issue still persists?
It's actually really annoying. It means when using a role + MFA you cant increase the session duration, so once an hour you have to create a new aws-vault session and enter your password (a few times). When a team use this, its actually one of their top frustrations. What do you think could be done to fix it? It looks like quite a refactor.
Does v6 fix this issue for you?
@mtibben this is still an issue in v6.
v6 doesn't use sessions necessarily. See the table in the readme. If you're experiencing an issue its different to what's described here, so, create a new issue
It's the exact same issue as the poster above described. Same setup, etc. I did try --no-session as well. This isn't blocking me, just wanted to answer your question from 6/17/2020.
OK can you please create a new issue. I believe this issue was addressed in v6 and so we'll need to see your exact config