aws-cli-federator

add duration parameter

Open colbyprior opened this issue 6 years ago • 8 comments

Working on something over the day got annoying when my credentials kept expiring. This allows a duration to be set for the temporary keys but defaults to 1 hour.

colbyprior avatar Mar 06 '18 04:03 colbyprior

AWS have announced the ability to increase the assume-role time. It looks like your patch may now work, but you need to adjust the Maximum CLI/API session duration value on a per Role basis.

Do you want to try this and see if your PR still works? I'm not sure what happens if you try and set the expiration to greater than the set max value. Perhaps the user should be informed that the value can/needs to be increased?

It might also be a good idea to do some checking to make sure the user doesn't set it past 12 hours (that seems to be the upper limit).

EDIT: link to AWS announcement: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html?icmpid=docs_iam_console

aidan- avatar Apr 05 '18 01:04 aidan-

It works with the higher duration now! I also tested using the -account flag to use a different duration and added it to the readme.

If you try to use a duration higher than allowed for the role the error that comes through is pretty readable by default:

ERROR: Failed to assume role: Unable to assume role: ValidationError: The requested DurationSeconds exceeds the MaxSessionDuration set for this role.

Should I catch this and rewrite the error to specifically suggest "you need to lower your duration value below the MaxSessionDuration"?

colbyprior avatar May 04 '18 00:05 colbyprior

👋 In my opinion, yes, because a small tool like this is easy to make extremely user-friendly.

I'm going to try out your fork @colbyprior and give any, ahem, feedback.

d-lord avatar May 08 '18 04:05 d-lord

@colbyprior Nice work! I think it's worth capturing this specific exception and returning a more friendly error with some details about this new feature. The configuration itself may not be very obvious for someone who isn't aware of this feature change (most people just assume you cannot do it).

The other thing I am still pondering about is how best to allow a user to configure an increased role duration. Implementing it against the account config might not be the best place, as it is very likely that one role has the extended duration enabled while no other roles in that account do. This would result in the user unable to assume these other roles.

aidan- avatar May 08 '18 05:05 aidan-

Berg reminded me to look at this again. So the way I was managing accounts that had limits on their session duration was like this:

[account_map]
0123456789 = account-1
1123456789 = account-2

[default]
sp_identity_url = https://example.com/

[long]
sp_identity_url = https://example.com/
duration = 7200

Then calling it with aws-cli-federator --account long. This is still the case; however, I also added a flag --duration so that you can override the value, e.g. aws-cli-federator --duration 7200

What do you think?

colbyprior avatar Nov 02 '18 03:11 colbyprior

@colbyprior That's looking good! I still think it would be ideal to capture the error raised when the user provides a duration greater than what the configured maximum is for that role and return something a bit more helpful. Even if it's the same message but informing the user that this is a Role specific AWS configuration.

You need to either change the requested duration to be >900 and <3600 or alter the role's MaxSessionDuration via the console.

aidan- avatar Nov 02 '18 04:11 aidan-

I struggled a bit with getting code to catch the exception, I hope I added that correctly.

It will now catch the ValidationError and display that error if the session duration is higher than what the account allows.

colbyprior avatar Nov 02 '18 05:11 colbyprior
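Putting the two pieces discussed in this thread together, the per-account `duration` setting with a `--duration` override and the rewriting of the STS ValidationError, as an added Python example that is not aws-cli-federator's own code. It assumes the INI layout posted above, a 900 to 43200 second range for the STS DurationSeconds parameter, and a plain Exception standing in for botocore's ClientError (matched on the message text, so the same check works with the real error).

```python
import configparser
from typing import Optional

DEFAULT_DURATION = 3600   # one hour, the tool's default
AWS_MIN_SECONDS = 900     # assumed STS lower bound for DurationSeconds
AWS_MAX_SECONDS = 43200   # 12 hours, the upper limit mentioned in the thread

# Constructed config mirroring the layout posted in the thread.
SAMPLE_CONFIG = """\
[account_map]
0123456789 = account-1
1123456789 = account-2

[default]
sp_identity_url = https://example.com/

[long]
sp_identity_url = https://example.com/
duration = 7200
"""


def resolve_duration(config_text: str, account: str = "default",
                     cli_duration: Optional[int] = None) -> int:
    """Precedence: --duration flag, then the account section, then 1 hour.
    Out-of-range values are rejected locally before any STS call is made."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    if cli_duration is not None:
        duration = int(cli_duration)
    elif cfg.has_section(account) and cfg.has_option(account, "duration"):
        duration = cfg.getint(account, "duration")
    else:
        duration = DEFAULT_DURATION
    if not AWS_MIN_SECONDS <= duration <= AWS_MAX_SECONDS:
        raise ValueError(f"duration {duration}s must be between "
                         f"{AWS_MIN_SECONDS} and {AWS_MAX_SECONDS} seconds")
    return duration


def friendly_assume_role_error(exc: Exception, requested: int) -> str:
    """Rewrite the MaxSessionDuration ValidationError into the hint the
    thread asks for; any other assume-role failure is passed through."""
    msg = str(exc)
    if "ValidationError" in msg and "MaxSessionDuration" in msg:
        return (f"Requested duration {requested}s exceeds this role's "
                "MaxSessionDuration. Lower --duration (or the account's "
                "'duration' setting) or raise the role's maximum session "
                "duration in the IAM console.")
    return f"Failed to assume role: {msg}"
```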

@colbyprior @aidan- - will this be merged anytime soon? Thanks!

gtmtech avatar Apr 19 '19 21:04 gtmtech