Noovolari / leapp

Leapp is the DevTool to access your cloud
https://www.leapp.cloud/
Mozilla Public License 2.0
1.6k stars 146 forks

Add support for configurable session duration for IAM Roles #527

Open brakf opened 7 months ago

brakf commented 7 months ago

Is your feature request related to a problem? Please describe.

I have a long-running process that requires me to have a longer session duration than the standard 1 hour. The process (Terraform) doesn't pull the refreshed credentials after it was first started. Probably an edge case, but maybe worth looking into.

I did investigate why Leapp has the current limitation of 1 hour, which is the maximum duration possible using role chaining. Technically it seems that Leapp first generates a session token with the assumer session and then uses those credentials to assume the role, which leads to the 1 hour limitation.

Describe the solution you'd like

Why not use the IAM user credentials to assume the role directly, cutting the first session token, which seems unnecessary, and hence allowing configurable session durations? (I assume you designed it that way due to the way MFA is enforced, but I am not sure.)

Describe alternatives you've considered

Not using Leapp in those cases.

dreinhardt89 commented 3 months ago

Would love to see this, except the problem we are running into is Glue / Jupyter sessions (notebooks). Running some of these takes a while and the devs keep getting timeouts.

ericvilla commented 3 months ago

Hi @dreinhardt89, what language are you using? Instantiating a new AWS client may be useful whenever the current session expires. In this way, the latest instance is going to embed refreshed credentials. Look at this blog post
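The approach suggested in the comment above, as an added example that is not code from Leapp or from any commenter: a holder that rebuilds the client shortly before its session credentials expire, so a long job can keep working with 1-hour sessions. `RefreshingClient`, the `factory` hook and the simulated clock are hypothetical names; with boto3 the factory would create a new `boto3.Session` and client so the rotated credentials are re-read.

```python
from datetime import datetime, timedelta, timezone


class RefreshingClient:
    """Hands out a client and rebuilds it before its credentials expire."""

    def __init__(self, factory, margin=timedelta(minutes=5), now=None):
        # factory() -> (client, expiry as an aware datetime). Hypothetical hook:
        # in real use it would build a fresh SDK session and client.
        self._factory = factory
        self._margin = margin
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._client = None
        self.expires_at = None
        self.rebuilds = 0

    def get(self):
        # Rebuild on first use, or once we are inside the safety margin.
        if self._client is None or self._now() >= self.expires_at - self._margin:
            self._client, self.expires_at = self._factory()
            self.rebuilds += 1
        return self._client


def simulate_long_job(hours=3, step=timedelta(minutes=10)):
    """Constructed run: fake clock, 1-hour sessions, one call every 10 minutes."""
    clock = {"t": datetime(2024, 1, 1, tzinfo=timezone.utc)}

    def fake_factory():
        # Stand-in for "create a new client"; the session lasts one hour.
        return object(), clock["t"] + timedelta(hours=1)

    holder = RefreshingClient(fake_factory, now=lambda: clock["t"])
    end = clock["t"] + timedelta(hours=hours)
    expired_uses = 0
    while clock["t"] < end:
        holder.get()
        if clock["t"] >= holder.expires_at:  # would be an expired-token error
            expired_uses += 1
        clock["t"] += step
    return holder.rebuilds, expired_uses


if __name__ == "__main__":
    rebuilds, expired = simulate_long_job()
    print(f"clients built: {rebuilds}, calls made with expired credentials: {expired}")
```

Code has to call `get()` before each request instead of keeping one client for the whole run.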

dreinhardt89 commented 2 months ago

@ericvilla this would require rewriting (and testing) a bunch of notebooks, which isn't really feasible.