Support longer token duration #31
Comments
CloudGlance sets the value to a maximum of 12 hours and then AWS reduces this depending on the maximum session duration of the role and then role chaining.
Yes, I confirm that the Maximum session duration settings of the role I assume is set to 12 hours in AWS console on IAM role summary.
I use a source profile with Access Key and Secret, with which I assume the target role which is located in another AWS account. This shouldn't be about role chaining, right? The same role assumed directly by the AWS console has a session of 12 hours.
Okay, it's not you it's me. Thankfully I wrote this blog as a means of documentation https://blog.cloudglance.dev/how-does-cloudglance-do-aws-auth/index.html#aws-iam-role in the IAM Role section (see snippet I copied from it below). The script will always first do GetSessionToken (MFA is attached here) then it will assume the role. This counts as role chaining and then limits the length to 1 hour. The TLDR; is that when you assume a role and pass the MFA details on that operation then IAM conditions like

I can see that I left a note in the code saying that I would rather play it safe and do it "properly" to cover all bases, so always first GetSessionToken (with MFA if provided) and then AssumeRole. I can see two improvements:

Do you know if your IAM policies check the MFA flag? If it does then there is no way to get around this, the new option mentioned above will help others though. Let me know what you think?

Blog Snippet

Here the AWS CLI does prompt for your MFA code if it detects the

Example policy that only allows you to list buckets only if you have the

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:ListBucket"],
    "Resource": ["*"],
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
  }]
}
```

It turns out that when the CLI assumes the role, it does not/can not place

This is also made clear if you really deep dive into IAM and is listed on the AWS documentation:

This is why we rather play it safe and make the assumption that if you are requiring MFA, you have

The next we need to talk about is the duration of the token. When you just assume the role, the maximum duration can be

We can read about role chaining in the AWS docs here

This is the error that you will get if you specify a duration longer than 1 hour even though the role has a longer maximum duration:

This is why the scripts below leave the Duration field as default so that your token will be valid for 1 hour.

Updated the broken link to the blog to be correct https://blog.cloudglance.dev/how-does-cloudglance-do-aws-auth/index.html#aws-iam-role
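As an added illustration (not CloudGlance's code, and not from the blog), the following Python models the two constraints discussed in this comment: the 1-hour cap STS applies when the role is assumed from a chained GetSessionToken session versus the role's own 12-hour MaxSessionDuration when it is assumed directly, and how the quoted policy's aws:MultiFactorAuthPresent condition behaves depending on whether that key is present in the request context. The request contexts are constructed inputs, and the function names (granted_duration, action_allowed) are assumptions of this example.

```python
import json

# Policy copied from the thread: s3:ListBucket is allowed only when the
# aws:MultiFactorAuthPresent condition key evaluates to true.
MFA_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:ListBucket"],
    "Resource": ["*"],
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
  }]
}""")

ROLE_CHAIN_MAX_SECONDS = 3600         # AWS caps a chained session at 1 hour
ROLE_MAX_SESSION_SECONDS = 12 * 3600  # MaxSessionDuration on the role in the thread


def granted_duration(requested_seconds, chained, role_max=ROLE_MAX_SESSION_SECONDS):
    """Duration STS would grant, or ValueError mirroring the STS rejection of a
    DurationSeconds above the effective cap (role chaining lowers it to 1 hour)."""
    cap = ROLE_CHAIN_MAX_SECONDS if chained else role_max
    if requested_seconds > cap:
        raise ValueError(f"DurationSeconds {requested_seconds} exceeds the cap of "
                         f"{cap}s" + (" imposed by role chaining" if chained else ""))
    return requested_seconds


def bool_condition_matches(condition, context):
    """Evaluate a policy Bool condition block against a request context.
    A condition key missing from the context never matches (IAM semantics)."""
    for key, expected in condition.get("Bool", {}).items():
        actual = context.get(key)
        if actual is None or str(actual).lower() != str(expected).lower():
            return False
    return True


def action_allowed(policy, action, context):
    """Minimal evaluator: Allow only if a matching statement's condition holds;
    anything else falls through to IAM's implicit deny."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action in actions and bool_condition_matches(stmt.get("Condition", {}), context):
            return stmt["Effect"] == "Allow"
    return False
```

Requesting 43200 seconds through the chained path raises the same kind of rejection the comment above describes, while the direct path grants it; the policy check then shows why a session without the MFA key is denied under such a policy.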
FYI - I had to document it for a Security review to get a waiver on "must enforce MFA" Security Hub checks.
FYI I updated the broken link to the blog to be correct https://blog.cloudglance.dev/how-does-cloudglance-do-aws-auth/index.html#aws-iam-role / Yeah, I also found that one out the hard way through experimentation. From all of this I concluded that:
Or just ban IAM users altogether. But before AWS SSO, having MFA conditions on IAM policies was the thing to do (as far as I know) and I didn't want users coming back to me saying that they logged in with MFA but were still denied. Hence I played it safe by first doing GetSessionToken then AssumeRole as was needed in the old days. I think making that change will be better for the majority of people, and those that want/need the MFA flag present after assuming the role can just check that box.
Thanks rehanvdm for the valuable clarification on how IAM roles work with aws:MultiFactorAuthPresent. I really enjoyed the blog. Regarding the proposed solution, it seems like an excellent idea to provide the user with the possibility to choose via the extra checkbox. I currently have no conditions where the MultiFactorAuthPresent check is present, but in the future it may be an option, so the ability to use Cloudglance by activating the checkbox is fine!
Added in the new release v0.0.31 > https://github.com/Systanics/CloudGlance/releases/tag/v0.0.131. Description copied from there: 💫 Enhancements
Is your feature request related to a problem? Please describe.
Currently the tokens generated from IAM role have a fixed expiration of 1 hour. There is no way to set a longer duration.
Describe the solution you'd like
Enter a setting to specify the desired duration (maximum 12 hours as required by AWS).
Describe alternatives you've considered
Alternatively you can support the duration_seconds parameter which you can insert into your AWS profile configurations.
Additional context
[screenshot attached to the original issue]