configure-aws-credentials

Proposal: Reduce role duration default from 6 hours to 1 hour

Open amancevice opened this issue 5 years ago • 6 comments

The action default for role-duration-seconds is 6 hours but the CLI default is 1 hour. I think these defaults should be consistent.

amancevice, Jul 31 '20 16:07

@amancevice thanks for reporting this issue. This has been raised in the past, but we had decided at the time to maintain the 6 hour default as this could potentially be a breaking change (if users depended on that behaviour).

That being said, if this is a use case that more users would like to see changed (either by +1 or thumbs up-ing this issue), we're more than willing to update the default. Or if anyone is dependent on the current behaviour, we'd like to know that as well!

We'd love to hear more feedback from the community! Does changing the default impact you negatively in any way?

piradeepk, Aug 04 '20 16:08

Thanks, @pkandasamy91 — the reason I discovered this is that I used terraform to create my role and the default max duration for the terraform resource is 1h so I either have to update the max duration for the role, which feels like a moderate security risk to me, or override the default in EVERY workflow configuration, which is slightly inconvenient.

amancevice, Aug 04 '20 17:08

I can see how this can make things difficult if users are required to override the configured value, and the benefit of changing the default, but seeing as how this is a heavily used action, we're cautious in making widespread changes to existing behaviour.

We'll definitely have a better idea of which direction to take once we get more community feedback!

piradeepk, Aug 04 '20 17:08

Another case where this may be useful is when using an assumed role to assume another role. When role chaining (assuming roles with temporary credentials), you can only request a maximum duration of 1 hour.

@piradeepk @allisaurus I would propose a change with a smaller impact: whenever aws-session-token is provided (meaning temporary credentials/role-chaining is being used), use 1 hour as the default.

This won't be a breaking change because you can never use a session token and request a role for more than 1 hour.

spyoungtech, Jun 28 '21 20:06

I would propose a change with a smaller impact: whenever aws-session-token is provided (meaning temporary credentials/role-chaining is being used), use 1 hour as the default

This is a great idea, I'd be okay with this. Regardless of if this gets submitted and implemented by anyone in the community, this should change in our next major release to be the hard default.

peterwoodworth, Oct 05 '22 01:10

Thanks, @peterwoodworth — I tooled up some changes that I think match your specs: #513

amancevice, Oct 05 '22 14:10

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.

github-actions[bot], May 30 '23 12:05