CLI does not respect the IAM Identity Center session duration #8305
Comments
et304383
added
bug
|
Hi @et304383 thanks for reaching out and sorry to hear about this frustrating experience. Are your SSO tokens not automatically refreshing? Here is the documentation on configuring automatic token refresh: https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html |
tim-finnigan
added
response-requested
|
@tim-finnigan this isn't an issue with permission sets. Please, as was done in the previous items, do not confuse permission set duration with SSO session duration. I am referring to the time between having to run
It appears this value is 8 hours and cannot be configured anywhere. |
github-actions
bot
removed
the
response-requested
|
Hi @et304383 thanks for following up. From what I observed, the file generated in
|
tim-finnigan
added
the
response-requested
|
@tim-finnigan you, like everyone, are confusing what people are asking about here. I know how the auto refresh works. I'm not talking about that. I'm talking about the session itself. The "as long as the session is still valid" part is what I'm referring to. It ignores the setting in the console and is always 8 hours. |
github-actions
bot
removed
the
response-requested
|
Apologies for any misunderstanding. I'm using 2.13.36 and just tested a 24 hour session duration: 
My token refreshed successfully and the overall session did last longer than 8 hours. The cache entry is formed from the service response...it's possible that there is an issue with the sso-oidc API or CLI logic, but I can't reproduce the issue as you've described. If you have a support plan I recommend reaching out through AWS Support, otherwise we can continue looking into this here. |
tim-finnigan
added
the
response-requested
|
@tim-finnigan thanks for finally understanding! I have an ongoing support ticket as well but they are going in circles with me. No one seems to be able to give me a definitive answer. Are you suggesting that your sso cache entry has an expires at that is 24 hours in the future? Because I am not seeing that. |
github-actions
bot
removed
the
response-requested
|
Hi @et304383 no as mentioned here my 
You can set that value when running aws configure sso. |
tim-finnigan
added
the
response-requested
|
@tim-finnigan I am sorry to bother you but the issue was with yawsso. It was throwing an error on this expiresAt value, which is incorrect. |
|
Describe the bug
When I login using
aws sso loginThe session duration is always set to 8 hours.
Expected Behavior
I expect the session duration to be equal to the value configured in IAM identity center.
Current Behavior
Session duration is 8 hours, ignoring the IIC value.
Reproduction Steps
Configure a session duration in IIC as 7 days. Run aws sso login
Observe that the expiresAt value in ~/.aws/sso/cache/json is 8 hours from now.
Possible Solution
No response
Additional Information/Context
I don't want to hear about how this is a duplicate of existing tickets like #7104 , etc. Every commentor on these keeps confusing permission set duration with session duration. I don't care about the permission set duration. I care about the session duration, which means users have to reauth their session every single day, and sometimes more than once a day if working more than 8 hours. That is a terrible experience. None of these tickets have been properly addressed.
This is not documented behaviour anywhere, and the docs here suggest the CLI should honour the session duration configured in IIC:
https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-user-session.html#user-session-duration-prereqs-considerations
Come on AWS, fix this.
CLI version used
aws-cli/2.13.30 Python/3.11.6 Darwin/22.6.0 source/arm64 prompt/off
Environment details (OS name and version, etc.)
MacOS
The text was updated successfully, but these errors were encountered: