awscli-login
Session lifetime hints
@ddriddle, one thing that has come up when running AWS commands that take a long time. Doing a `terragrunt-diff` of our whole `as-aws-test` tree takes about 25-30 minutes. The question always is "Will my AWS session end soon, resulting in the long session dying?"
Perhaps this would be addressed by #69, allowing one to kill and refresh one's session (I manually nuke the cookies). But it also occurred to me that it would be nice to have an idea how long the session cookie will remain valid. The auto-refresh when it works may obfuscate this issue. Further, the `awscli-login` plugin may not be the right place to make this query, and it might not even be capable of making this query.
But as long as it's on my mind, I figured it wouldn't hurt to ask.
`awscli-login` does know when the credential will expire. If it did not then I could not have implemented auto-refresh. AWS sends back an `Expiration` timestamp as can be seen in the last line of this function in `util.py`:
```python
def save_credentials(session: Session, token: Dict) -> datetime:
    """ Takes an Amazon token and stores it in ~/.aws/credentials """
    ConfigureSetCommand._WRITE_TO_CREDS_FILE.append("aws_security_token")
    creds = token['Credentials']
    profile = session.profile if session.profile else 'default'

    _aws_set(session, 'aws_access_key_id', creds['AccessKeyId'])
    _aws_set(session, 'aws_secret_access_key', creds['SecretAccessKey'])
    _aws_set(session, 'aws_session_token', creds['SessionToken'])
    _aws_set(session, 'aws_security_token', creds['SessionToken'])
    logger.info("Saved temporary STS credentials to profile: " + profile)

    return parse_timestamp(creds['Expiration'])
```
If you want to add a flag to the code that prints out the expiration time to the user I would be happy to accept a pull-request.
@ddriddle, interesting. But you're referring to the expiration of the current 60-minute temporary credentials, right? I was more interested in the time that Shibboleth will refuse to renew it – and I bet you don't have access to that.
@JonRoma Yes, I was talking about the temporary AWS STS credentials. The cookies themselves have an expiration that is stored in plaintext in the cookie jar `~/.aws-login/cookies/your_netid.txt`, but looking at it, the cookie does not expire for a week. Note the cookie below was generated today, 2021-07-08:

```
Set-Cookie3: AWSALB="_LONG_SECRET_STUFF_"; path="/"; domain="shibboleth.illinois.edu"; path_spec; expires="2021-07-15 13:57:07Z"; version=0
```
I also tried running `aws login --verbose --verbose --verbose`, which dumps all the SAML and other traffic sent between the IdP and the client over http, but it yielded no expiration date other than when the current session expires.
@kwessel told me a few years ago that the IdP cookie lasts eight hours if I remember correctly. That may have changed. @kwessel is that correct? Also does the IdP return any information about when the cookie expires or is that completely server side?
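As an added example (not part of the comments above and not awscli-login's own code), the expiry recorded in a `Set-Cookie3` jar like the one quoted above can be read with Python's standard `http.cookiejar.LWPCookieJar`. The jar contents are constructed, the cookie value is a placeholder, and `cookie_expirations` and `demo` are hypothetical names.

```python
import os
import tempfile
from datetime import datetime, timezone
from http.cookiejar import LWPCookieJar

# Constructed sample jar modelled on the quoted line; the value is a placeholder.
SAMPLE_JAR = (
    '#LWP-Cookies-2.0\n'
    'Set-Cookie3: AWSALB="PLACEHOLDER"; path="/"; domain="shibboleth.illinois.edu"; '
    'path_spec; expires="2021-07-15 13:57:07Z"; version=0\n'
)


def cookie_expirations(jar_path, now=None):
    """Return (name, domain, expires_utc, seconds_left) for each cookie.

    Cookie values are session secrets, so only names and expiry are returned.
    """
    now = now or datetime.now(timezone.utc)
    jar = LWPCookieJar()
    # Keep expired and session-only cookies so they are reported, not dropped.
    jar.load(jar_path, ignore_discard=True, ignore_expires=True)
    rows = []
    for cookie in jar:
        if cookie.expires is None:  # session cookie: no client-side expiry
            rows.append((cookie.name, cookie.domain, None, None))
            continue
        exp = datetime.fromtimestamp(cookie.expires, tz=timezone.utc)
        rows.append((cookie.name, cookie.domain, exp, (exp - now).total_seconds()))
    return rows


def demo(now):
    """Write the constructed jar to a temp file and report its cookies."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(SAMPLE_JAR)
    try:
        return cookie_expirations(fh.name, now)
    finally:
        os.unlink(fh.name)


if __name__ == "__main__":
    generated = datetime(2021, 7, 8, 13, 57, 7, tzinfo=timezone.utc)
    for name, domain, exp, left in demo(generated):
        print(f"{name} ({domain}): expires {exp}, {left / 3600:.0f} h left")
```

The value reported is only the client-side cookie lifetime stored in the jar; whether the IdP ends the session sooner on the server side is the open question in this thread.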
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.