Merge pull request #6 from gene1wood/add_max_session_duration

Add max session duration of 12 hours

CHANGELOG.md

@@ -0,0 +1,24 @@
+# Changelog
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## [0.1.0] - 2019-11-26
+### Added
+* Default max session duration of 12 hours
+
+## [0.0.7] - 2019-11-26
+### Added
+* Support for setting a managed policy #3
+
+## [0.0.6] - 2019-09-12
+### Changed
+* Change federated principal to accept an AWS account ID #2
+
+[Unreleased]: https://github.com/mozilla-iam/mozfederatedpolicybuilder/compare/v0.1.0...HEAD
+[0.1.0]: https://github.com/mozilla-iam/mozfederatedpolicybuilder/compare/v0.0.7...v0.1.0
+[0.0.7]: https://github.com/mozilla-iam/mozfederatedpolicybuilder/compare/v0.0.6...v0.0.7
+[0.0.6]: https://github.com/mozilla-iam/mozfederatedpolicybuilder/releases/tag/v0.0.6

mozfederatedpolicybuilder/__init__.py

@@ -116,6 +116,7 @@ def create_cloudformation_template(
         raise Exception(
             'MissingPolicy', 'create_cloudformation_template requires either'
             'policy_arn or (policy_name and policy)')
+    properties['MaxSessionDuration'] = 43200
     template['Resources'][resource_name]['Properties'] = properties
     # No description field because of
     # https://github.com/aws-cloudformation/aws-cloudformation-coverage-roadmap/issues/6
@@ -132,7 +133,8 @@ def create_awscli_command(
     create_role = r"""aws iam create-role \
     --role-name {role_name} \
     --assume-role-policy-document '{assume_role_policy_document}' \
-    --description "Federated Role {role_name}"
+    --description "Federated Role {role_name}" \
+    --max-session-duration 43200
 
 sleep 2
 

setup.py

@@ -6,7 +6,7 @@
 
 setuptools.setup(
     name="mozfederatedpolicybuilder",
-    version="0.0.7",
+    version="0.1.0",
     author="Gene Wood",
     author_email='gene_wood@cementhorizon.com',
     description="Tool to create an AWS IAM Role with a federated policy "

tests/awscli.txt

@@ -1,7 +1,8 @@
 aws iam create-role \
     --role-name baz \
     --assume-role-policy-document '{"Version": "2012-10-17", "Statement": [{"Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/auth.mozilla.auth0.com/"}, "Action": "sts:AssumeRoleWithWebIdentity", "Effect": "Allow", "Condition": {"StringEquals": {"auth.mozilla.auth0.com/:aud": "N7lULzWtfVUDGymwDs0yDEq6ZcwmFazj"}, "ForAnyValue:StringEquals": {"auth.mozilla.auth0.com/:amr": ["foo", "bar"]}}}]}' \
-    --description "Federated Role baz"
+    --description "Federated Role baz" \
+    --max-session-duration 43200
 
 sleep 2
 

tests/awscli_with_managed_policy.txt

@@ -1,7 +1,8 @@
 aws iam create-role \
     --role-name baz \
     --assume-role-policy-document '{"Version": "2012-10-17", "Statement": [{"Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/auth.mozilla.auth0.com/"}, "Action": "sts:AssumeRoleWithWebIdentity", "Effect": "Allow", "Condition": {"StringEquals": {"auth.mozilla.auth0.com/:aud": "N7lULzWtfVUDGymwDs0yDEq6ZcwmFazj"}, "ForAnyValue:StringEquals": {"auth.mozilla.auth0.com/:amr": ["foo", "bar"]}}}]}' \
-    --description "Federated Role baz"
+    --description "Federated Role baz" \
+    --max-session-duration 43200
 
 sleep 2
 

tests/cloudformation.json

@@ -46,7 +46,8 @@
                             ]
                         }
                     }
-                ]
+                ],
+                "MaxSessionDuration": 43200
             }
         }
     }

tests/cloudformation.yaml

@@ -35,3 +35,4 @@ Resources:
             - sts:GetCallerIdentity
             Resource: '*'
             Effect: Allow
+      MaxSessionDuration: 43200

tests/cloudformation_with_managed_policy.yaml

@@ -28,3 +28,4 @@ Resources:
               - bar
       ManagedPolicyArns:
       - arn:aws:iam::aws:policy/ReadOnlyAccess
+      MaxSessionDuration: 43200