Open brakf opened 9 months ago
Would love to see this, except the problem we are running into is Glue / Jupyter sessions (notebooks). Running some of these takes a while and the devs keep getting timeouts.
Hi @dreinhardt89, what language are you using? Instantiating a new AWS client may be useful whenever the current session expires. In this way, the latest instance is going to embed refreshed credentials. Look at this blog post
@ericvilla this would require rewriting (and testing) a bunch of notebooks which isn't really feasible.
Is your feature request related to a problem? Please describe.
I have a long-running process that requires me to have a longer session duration than the standard 1 hour. The process (Terraform) doesn't pull the refreshed credentials after it was first started. Probably an edge case, but maybe worth looking into.
I did investigate why Leapp has the current limitation of 1 hour, which is the maximum duration possible using role chaining. Technically it seems that Leapp is first generating a session token with the assumer session and then uses those credentials to assume the role, which leads to the 1 hour limitation.
Describe the solution you'd like
Why not use the IAM user credentials to assume the role directly, cutting the first session token, which seems unnecessary, and hence allowing configurable session durations? (I assume you designed it that way due to the way MFA is enforced, but I am not sure.)
Describe alternatives you've considered
Not using Leapp in those cases.
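
The workaround suggested in the thread (instantiate a new client when the session expires), sketched as an added example that is not part of the thread or of Leapp's code. It assumes the refreshed credentials are written to an AWS-style shared credentials file; `read_profile`, `RefreshingClient` and the `factory` callback are hypothetical names.

```python
import configparser

# Keyword names match what boto3.client() accepts, so the factory could be
# functools.partial(boto3.client, "s3") (assumption: boto3 is the SDK in use).
KEYS = ("aws_access_key_id", "aws_secret_access_key", "aws_session_token")


def read_profile(path, profile="default"):
    """Return the profile's credentials as a dict, or None if incomplete."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read(path)  # a missing file simply yields no sections
    except configparser.Error:
        return None  # file caught mid-write or malformed
    if not parser.has_section(profile):
        return None
    creds = {k: parser.get(profile, k, fallback=None) for k in KEYS}
    return creds if all(creds.values()) else None


class RefreshingClient:
    """Hand out a client, rebuilding it only when the file's credentials change."""

    def __init__(self, factory, path, profile="default"):
        self._factory = factory  # hypothetical callback, called as factory(**creds)
        self._path, self._profile = path, profile
        self._creds = None
        self._client = None
        self.builds = 0  # how many times a client was (re)built

    def client(self):
        creds = read_profile(self._path, self._profile)
        # Rebuild only on a complete, changed credential set; a half-written
        # file keeps the previous client instead of breaking the caller.
        if creds is not None and creds != self._creds:
            self._client = self._factory(**creds)
            self._creds = creds
            self.builds += 1
        if self._client is None:
            raise RuntimeError("no usable credentials in %s" % self._path)
        return self._client
```

Code that calls `client()` before each operation, instead of holding one client for the life of the process, picks up rotated credentials without a longer session duration.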