Proposal: Reduce role duration default from 6 hours to 1 hour #103
Comments
use 1h instead of 6h to match AWS CLI default (as well as default `max_session_duration` for terraform `aws_iam_role` resource)
@amancevice thanks for reporting this issue. This has been raised in the past, but we had decided at the time to maintain the 6 hour default as this could potentially be a breaking change (if users depended on that behaviour). That being said, if this is a use case that more users would like to see changed (either by +1 or thumbs up-ing this issue), we're more than willing to update the default. Or if anyone is dependent on the current behaviour, we'd like to know that as well! We'd love to hear more feedback from the community! Does changing the default impact you negatively in any way?
Thanks, @pkandasamy91 — the reason I discovered this is that I used terraform to create my role and the default max duration for the terraform resource is 1h so I either have to update the max duration for the role, which feels like a moderate security risk to me, or override the default in EVERY workflow configuration, which is slightly inconvenient.
I can see how this can make things difficult if users are required to override the configured value, and the benefit of changing the default, but seeing as how this is a heavily used action, we're cautious in making widespread changes to existing behaviour. We'll definitely have a better idea of which direction to take once we get more community feedback!
Another case where this may be useful is when using an assumed role to assume another role. When role chaining (assuming roles with temporary credentials), you can only request a maximum duration of 1 hour. @piradeepk @allisaurus I would propose a change with a smaller impact: whenever This won't be a breaking change because you can never use a session token and request a role for more than 1 hour.
This is a great idea, I'd be okay with this. Regardless of if this gets submitted and implemented by anyone in the community, this should change in our next major release to be the hard default.
use 1h instead of 6h when session token is provided otherwise use GitHub Actions max duration (6h)
Thanks, @peterwoodworth — I tooled up some changes that I think match your specs: #513
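The defaults and limits discussed in this thread, as an added example that is not part of the issue, the action's code, or #513: a pre-flight check showing which requested durations STS would reject. It assumes a session token is detected through the `AWS_SESSION_TOKEN` environment variable; `defaultDuration` and `checkDuration` are hypothetical names.

```javascript
// Added illustration; not code from the action or from PR #513.
// STS AssumeRole limits: DurationSeconds must be at least 900; role chaining
// caps a session at 3600; otherwise the cap is the target role's
// max_session_duration (3600..43200, default 3600).
const MIN_DURATION = 900;
const CHAINED_MAX = 3600;
const ACTION_DEFAULT = 6 * 3600; // the 6h default this issue is about

// Default proposed in the thread: 1h when a session token is present
// (role chaining), otherwise keep the existing 6h.
// Assumption: the token is visible as env.AWS_SESSION_TOKEN.
function defaultDuration(env) {
  return env.AWS_SESSION_TOKEN ? CHAINED_MAX : ACTION_DEFAULT;
}

// Hypothetical pre-flight check. roleMaxSessionDuration is the value
// configured on the target role (Terraform's default is 3600).
function checkDuration({ requested, env = {}, roleMaxSessionDuration = 3600 } = {}) {
  const duration = requested ?? defaultDuration(env);
  if (!Number.isInteger(duration) || duration < MIN_DURATION) {
    return { duration, ok: false, reason: 'below STS minimum of 900s' };
  }
  if (env.AWS_SESSION_TOKEN && duration > CHAINED_MAX) {
    return { duration, ok: false, reason: 'role chaining is capped at 3600s' };
  }
  if (duration > roleMaxSessionDuration) {
    return { duration, ok: false, reason: 'exceeds role max_session_duration' };
  }
  return { duration, ok: true, reason: 'within limits' };
}

// Constructed cases: the reporter's Terraform role, then a chained session.
const cases = [
  { label: '6h default, 1h role', args: {} },
  { label: 'chained, default', args: { env: { AWS_SESSION_TOKEN: 'constructed' } } },
  { label: 'chained, 6h forced',
    args: { requested: 21600, env: { AWS_SESSION_TOKEN: 'constructed' },
            roleMaxSessionDuration: 43200 } },
];
for (const { label, args } of cases) {
  const r = checkDuration(args);
  console.log(`${label}: ${r.duration}s ${r.ok ? 'accepted' : 'rejected'} (${r.reason})`);
}
```
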
Comments on closed issues are hard for our team to see.
The action default for `role-duration-seconds` is 6 hours but the CLI default is 1 hour. I think these defaults should be consistent.