Use iam credentials for login, allowing session expiry of 12h #92
Conversation
Fixes #77.
👍 lgtm
I don't have MFA for my test accounts, so would appreciate some testing with that.
For posterity, this was my monologue last night:
    DurationVar(&input.FederationTokenDuration)

    cmd.Flag("assume-role-ttl", "Expiration time for aws assumed role").
        Default("15m").
This may have been discussed previously - the aws cli defaults to 1 hour, should we match it?
The temporary security credentials are valid for the duration that you specified when calling assume-role , which can be from 900 seconds (15 minutes) to a maximum of 3600 seconds (1 hour). The default is 1 hour.
- http://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html
Yeah, I think that probably makes sense.
I've tested with MFA and also
Nice.
Seems to work for me.
Ship it at your leisure then.
Based on feedback in this aws forum thread, it became obvious that the new longer federated session expiry could be used if IAM credentials were used to assume the role, vs our standard iam -> session token -> assume role -> federation tokens.
I'm not sure why I never realized that the session token step was unneeded. I suspect it was because it adds complexity to the code, as you need to conditionally apply MFA to the AssumeRole call if there isn't a session with MFA already applied to it.
Regardless, this works, although I've been drinking a lot of wine, so I might be imagining it all.
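The conditional-MFA decision described above, as an added example that is not code from aws-vault or this PR: a Go model (the types, field names and prompt callback are assumptions; only the 15m..1h AssumeRole range comes from the AWS doc quote in the thread) that attaches MFA to the AssumeRole call only when the caller holds long-term IAM keys with no MFA-bearing session in front of them.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Creds is a constructed model of an AWS credential set (not aws-vault's own
// type). MFAApplied records that MFA was already presented when these
// temporary credentials were issued; long-term IAM keys have it false.
type Creds struct {
	AccessKeyID, SecretAccessKey, SessionToken string
	MFAApplied                                 bool
}

// AssumeRoleInput models the STS AssumeRole parameters that matter here.
type AssumeRoleInput struct {
	RoleARN, RoleSessionName string
	DurationSeconds          int64
	SerialNumber, TokenCode  string // set only when MFA is applied on this call
}

const ( // AssumeRole TTL bounds as quoted from the AWS docs in the thread
	MinAssumeRoleTTL = 15 * time.Minute
	MaxAssumeRoleTTL = time.Hour
)

// BuildAssumeRoleInput applies MFA to the AssumeRole call only when the caller
// holds long-term IAM keys (no MFA-bearing session in front of them) and the
// profile has an MFA serial; prompt supplies the one-time code only then.
func BuildAssumeRoleInput(base Creds, roleARN, sessionName, mfaSerial string,
	ttl time.Duration, prompt func() (string, error)) (AssumeRoleInput, error) {
	if ttl < MinAssumeRoleTTL || ttl > MaxAssumeRoleTTL {
		return AssumeRoleInput{}, fmt.Errorf("assume-role ttl %s outside %s..%s", ttl, MinAssumeRoleTTL, MaxAssumeRoleTTL)
	}
	in := AssumeRoleInput{RoleARN: roleARN, RoleSessionName: sessionName, DurationSeconds: int64(ttl / time.Second)}
	if mfaSerial != "" && !base.MFAApplied {
		if prompt == nil {
			return AssumeRoleInput{}, errors.New("mfa required but no token prompt available")
		}
		code, err := prompt()
		if err != nil {
			return AssumeRoleInput{}, err
		}
		in.SerialNumber, in.TokenCode = mfaSerial, code
	}
	return in, nil
}
```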