kube2iam
Parameter 'iam-role-session-ttl' is duplicating the value.
I would like to know what the purpose of multiplying the seconds is. I found this while I was trying to generate a pre-signed URL on S3, so I had to increase the duration of the IAM session. But when I used the parameter --iam-role-session-ttl and passed '43200s', AWS received 86400. Is this a bug?
https://github.com/jtblin/kube2iam/blob/17c0088a3c86d077b50d289f35982141fb28f244/iam/iam.go#L153
@azambrano https://www.bluematador.com/blog/iam-access-in-kubernetes-kube2iam-vs-kiam Check "Update" section.
I just hit this by accident. We have roles with a MaxSessionDuration of 3600s. I used the flag to set the value to 3600s to match and was surprised to see I was getting the following error:
time="2020-01-16T15:07:12Z" level=error msg="Error assuming role ValidationError: The requested DurationSeconds exceeds the MaxSessionDuration set for this role.\n\tstatus code: 400, request id: someid" ns.name=somenamespace pod.iam.role="arn:aws:iam::000000000000:role/somerole" req.method=GET req.path=/latest/meta-data/iam/security-credentials/somerole req.remote=1.2.3.4
It would be great if the reason for this * 2 could be documented with that flag as when I am setting the value, there's nothing to tell me that the code is actually going to double it! This behavior means that to achieve what I actually want, I have to halve the value I want it to be.
For me it would be more clear if the --iam-role-session-ttl was relative to the session TTL, not the cache TTL.
I don't get it. Is this a bug or a feature?
I can't think of any reason that this would be a feature, instead of a bug. It is a gross violation of the "principle of least surprise".
Is there a potential negative impact of "fixing" this issue?
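The doubling reported in this thread, written as a pre-flight check for a chosen flag value. This is an added example, not kube2iam's code: it assumes the factor of 2 described above and the 900-second minimum STS enforces on DurationSeconds, and the function names and role map are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

const (
	ttlMultiplier  = 2                  // assumption from this thread: the flag value is doubled
	stsMinDuration = 900 * time.Second // smallest DurationSeconds STS AssumeRole accepts
)

// RequestedDuration is the session duration AWS receives for a flag value.
func RequestedDuration(flagTTL time.Duration) time.Duration {
	return flagTTL * ttlMultiplier
}

// CheckFlag rejects a flag value whose doubled duration the role cannot grant.
func CheckFlag(flagTTL, roleMax time.Duration) error {
	req := RequestedDuration(flagTTL)
	if req < stsMinDuration {
		return fmt.Errorf("requested %v is below the STS minimum %v", req, stsMinDuration)
	}
	if req > roleMax {
		return fmt.Errorf("requested %v exceeds MaxSessionDuration %v", req, roleMax)
	}
	return nil
}

// LargestSafeFlag returns the largest flag value that every role in roleMax
// (role name -> MaxSessionDuration) accepts.
func LargestSafeFlag(roleMax map[string]time.Duration) (time.Duration, error) {
	if len(roleMax) == 0 {
		return 0, errors.New("no roles given")
	}
	lowest := time.Duration(1<<63 - 1)
	for _, m := range roleMax {
		if m < lowest {
			lowest = m
		}
	}
	flag := lowest / ttlMultiplier
	return flag, CheckFlag(flag, lowest)
}

func main() {
	// Constructed input matching the 3600s role from the thread.
	fmt.Println(CheckFlag(3600*time.Second, 3600*time.Second))
}
```
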