session-duration option no longer supported
Steps to Reproduce
Running a single account scan. Prowler in AWS. Ran the command:
prowler aws --ignore-exit-code-3 --session-duration 18000 --log-level ERROR --role arn:aws:iam::000000000000:role/service-role/ProwlerMemberRole
Expected behavior
I expected the assumed role session duration to be 18,000 seconds
Actual Result with Screenshots or Logs
2025-05-12 16:07:33,611 [File: aws_provider.py:1077] [Module: aws_provider] CRITICAL: ClientError[1060] -- An error occurred (ValidationError) when calling the AssumeRole operation: The requested DurationSeconds exceeds the 1 hour session limit for roles assumed by role chaining.
2025-05-12 16:07:33,612 [File: provider.py:243] [Module: provider] CRITICAL: AWSAssumeRoleError[163]: AWSAssumeRoleError[1012]: AWS assume role error - An error occurred (ValidationError) when calling the AssumeRole operation: The requested DurationSeconds exceeds the 1 hour session limit for roles assumed by role chaining.
[Prowler ASCII banner] v5.6.0 the handy multi-cloud security tool
Date: 2025-05-12 16:07:30
How did you install Prowler?
From pip package (pip install prowler)
Environment Resource
CodeBuild - 8 vCPUs, 16 GiB memory
OS used
Amazon Linux
Prowler version
v5.6.0
Pip version
24.3.1
Context
No response
Hi there @vfeinman!
The error you're encountering is due to an AWS limitation. When one role assumes another role, AWS automatically limits the session duration to a maximum of 1 hour (3600 seconds).
Here you have information about the session duration and a note about your problem at the bottom of the page.
Also, here and here you have more information related to AWS about how to change the default maximum session duration.
If you run into any other issues, don’t hesitate to reach out again. Thanks for using Prowler and for trusting us to help solve your problems! 🚀
I thought this might have been due to a change in how credentials are provided in Prowler. I didn't mention that I'm deploying this using aws-security-assessment-solution. The CodeBuild environment must be assuming ProwlerCodeBuildRole, which is why there is this role chaining issue when specifying the "--role arn:aws:iam::000000000000:role/service-role/ProwlerMemberRole" option.
Thanks for the clarification, that makes perfect sense now.
In your setup, the role chain looks something like this:
User role → assumes → CloudFormation execution role → assumes → ProwlerMemberRole
Since this involves role chaining, AWS enforces the 1-hour session duration limit, which explains the DurationSeconds exceeds the 1 hour session limit error you're seeing.
You can see this here: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html#:~:text=Role%20chaining%20limits%20your%20AWS%20CLI%20or%20AWS%20API%20role%20session%20to%20a%20maximum%20of%20one%20hour
Role chaining limits your AWS CLI or AWS API role session to a maximum of one hour.
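An added example, not part of the original thread or of Prowler's code: a pre-flight check that decides from the caller's ARN whether an AssumeRole call would be role chaining and clamps the requested duration before STS rejects it. The function names, the role_max parameter and the sample ARNs are assumptions constructed for illustration.

```python
import re

STS_MIN_SECONDS = 900        # lowest DurationSeconds AssumeRole accepts
STS_MAX_SECONDS = 43200      # highest DurationSeconds AssumeRole accepts (12 h)
CHAINED_MAX_SECONDS = 3600   # cap when a role session assumes another role

# arn:<partition>:<iam|sts>::<account>:<resource>
_ARN_RE = re.compile(r"^arn:aws[a-z-]*:(iam|sts)::\d{12}:(.+)$")


def caller_is_role_session(caller_arn):
    """True when the caller identity is itself an assumed-role session."""
    match = _ARN_RE.match(caller_arn)
    if match is None:
        raise ValueError(f"not an IAM/STS principal ARN: {caller_arn!r}")
    service, resource = match.groups()
    return service == "sts" and resource.startswith("assumed-role/")


def effective_duration(caller_arn, requested, role_max=3600):
    """Return (seconds, reason) that is safe to pass as DurationSeconds.

    role_max is the target role's maximum session duration setting
    (hypothetical parameter; 3600 is the AWS default for a role).
    """
    if not STS_MIN_SECONDS <= requested <= STS_MAX_SECONDS:
        raise ValueError("DurationSeconds must be between 900 and 43200")
    if caller_is_role_session(caller_arn):
        limit, reason = CHAINED_MAX_SECONDS, "role chaining caps the session at 1 hour"
    else:
        limit, reason = role_max, "bounded by the role's maximum session duration"
    if requested <= limit:
        return requested, "requested duration is within the limit"
    return limit, reason


# Constructed sample identities. In a live run the ARN would come from
# boto3.client("sts").get_caller_identity()["Arn"].
CODEBUILD_CALLER = ("arn:aws:sts::000000000000:assumed-role/"
                    "ProwlerCodeBuildRole/AWSCodeBuild-example-session")
IAM_USER_CALLER = "arn:aws:iam::000000000000:user/example-auditor"

if __name__ == "__main__":
    for arn in (CODEBUILD_CALLER, IAM_USER_CALLER):
        print(arn, effective_duration(arn, 18000, role_max=43200))
```

A service role session such as the CodeBuild one is clamped to 3600 seconds regardless of the target role's own maximum, while an IAM user caller keeps the requested 18000 seconds when the role allows it.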
Since we haven’t received any further updates, I’m going to go ahead and close this issue for now. If you run into any other problems or have more questions in the future, feel free to reopen it or open a new one.
Thanks again for using Prowler! 🚀