aws-azure-login / aws-azure-login

Use Azure AD SSO to log into AWS via the CLI.
MIT License

MaxSessionDuration #93

Open NeQuissimus opened 5 years ago

NeQuissimus commented 5 years ago

Looking at https://github.com/sportradar/aws-azure-login/blob/14be5785e4a3bb4562e8470299d177dc386f3333/lib/login.js#L566 the script assumes that the maximum session time is 12 hours. Furthermore, the actual valid maximum differs per role. Otherwise errors such as the following can be encountered (this role I used has a max of 4 hours):


[...]
? Session Duration Hours (up to 12): 12
Assuming role arn:aws:iam::XXX:role/XXX
{ ValidationError: The requested DurationSeconds exceeds the MaxSessionDuration set for this role.
    at Request.extractError (/usr/local/lib/node_modules/aws-azure-login/node_modules/aws-sdk/lib/protocol/query.js:50:29)
    at Request.callListeners (/usr/local/lib/node_modules/aws-azure-login/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/usr/local/lib/node_modules/aws-azure-login/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/usr/local/lib/node_modules/aws-azure-login/node_modules/aws-sdk/lib/request.js:683:14)
    at Request.transition (/usr/local/lib/node_modules/aws-azure-login/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/usr/local/lib/node_modules/aws-azure-login/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /usr/local/lib/node_modules/aws-azure-login/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request. (/usr/local/lib/node_modules/aws-azure-login/node_modules/aws-sdk/lib/request.js:38:9)
    at Request. (/usr/local/lib/node_modules/aws-azure-login/node_modules/aws-sdk/lib/request.js:685:12)
    at Request.callListeners (/usr/local/lib/node_modules/aws-azure-login/node_modules/aws-sdk/lib/sequential_executor.js:116:18)
    at Request.emit (/usr/local/lib/node_modules/aws-azure-login/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/usr/local/lib/node_modules/aws-azure-login/node_modules/aws-sdk/lib/request.js:683:14)
    at Request.transition (/usr/local/lib/node_modules/aws-azure-login/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/usr/local/lib/node_modules/aws-azure-login/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /usr/local/lib/node_modules/aws-azure-login/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request. (/usr/local/lib/node_modules/aws-azure-login/node_modules/aws-sdk/lib/request.js:38:9)
  message: 'The requested DurationSeconds exceeds the MaxSessionDuration set for this role.',
  code: 'ValidationError',
  time: 2019-10-25T15:20:41.560Z,
  requestId: 'XXX',
  statusCode: 400,
  retryable: false,
  retryDelay: 45.32299031707168 }
  

It should be possible to query for the role's actual max session length and display it to the user.

NeQuissimus commented 5 years ago

So, I've been looking at this.

It would appear that this information is only available via IAM. (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)

However, one would have to assume the role (with a minimum session duration) and fetch the IAM information (if allowed) to find out.

If we think that briefly assuming the role to retrieve the information is OK and then re-assuming it with the user's duration, I can give this a shot.
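
The "assume briefly, read the limit, re-assume" flow discussed in the two comments above, as an added example that is not aws-azure-login's own code. The STS and IAM calls are injected so the block runs offline; in the real tool the hypothetical `assumeRoleWithSAML` and `getRole` callers would wrap `sts.assumeRoleWithSAML()` and `iam.getRole()` from the AWS SDK. The fake clients, the role ARN and the 4-hour limit (14400 s, matching the role in the report) are constructed for the demo.

```javascript
'use strict';
// Added example (not the project's code): honour a role's MaxSessionDuration
// without knowing it up front. Order of operations:
//   1. try the requested DurationSeconds;
//   2. on "exceeds the MaxSessionDuration", assume the role for the shortest
//      possible session (least useful credentials if they leak);
//   3. read MaxSessionDuration with iam:GetRole if those credentials allow it;
//   4. re-assume for min(requested, max), or for 1h when the limit is unknown,
//      since no role can be configured with a MaxSessionDuration below 1h.

const MIN_DURATION = 900;    // smallest DurationSeconds STS accepts
const MAX_DURATION = 43200;  // 12h, the highest MaxSessionDuration a role can have
const ONE_HOUR = 3600;       // the lowest MaxSessionDuration a role can have

function isMaxSessionError(err) {
  return Boolean(err) && err.code === 'ValidationError' &&
    /exceeds the MaxSessionDuration/.test(err.message || '');
}

async function assumeWithKnownLimit(clients, roleArn, requestedSeconds) {
  if (!Number.isInteger(requestedSeconds) ||
      requestedSeconds < MIN_DURATION || requestedSeconds > MAX_DURATION) {
    throw new RangeError(`DurationSeconds must be ${MIN_DURATION}..${MAX_DURATION}`);
  }
  // 1. Optimistic path: most roles accept what the user asked for.
  try {
    const credentials = await clients.assumeRoleWithSAML(roleArn, requestedSeconds);
    return { credentials, durationSeconds: requestedSeconds, maxSessionDuration: null };
  } catch (err) {
    if (!isMaxSessionError(err)) throw err;  // anything else is a real failure
  }
  // 2. Too long for this role: probe with the shortest session STS allows.
  const probe = await clients.assumeRoleWithSAML(roleArn, MIN_DURATION);
  // 3. Read the real limit. Needs iam:GetRole on the role itself, which many
  //    SSO roles do not grant, so AccessDenied is an expected outcome here.
  let maxSessionDuration = null;
  try {
    maxSessionDuration = (await clients.getRole(probe, roleArn)).MaxSessionDuration;
  } catch (err) {
    if (err.code !== 'AccessDenied') throw err;
  }
  // 4. Re-assume with the best duration we can justify.
  const durationSeconds = maxSessionDuration === null
    ? ONE_HOUR
    : Math.min(requestedSeconds, maxSessionDuration);
  const credentials = await clients.assumeRoleWithSAML(roleArn, durationSeconds);
  return { credentials, durationSeconds, maxSessionDuration };
}

// Constructed stand-ins for STS and IAM. `maxSessionDuration` mirrors the
// role's setting; `allowGetRole` models whether the assumed role may call
// iam:GetRole on itself. `calls` records the API calls for inspection.
function makeFakeClients({ maxSessionDuration, allowGetRole }) {
  const calls = [];
  return {
    calls,
    async assumeRoleWithSAML(roleArn, durationSeconds) {
      calls.push(['AssumeRoleWithSAML', durationSeconds]);
      if (durationSeconds > maxSessionDuration) {
        const err = new Error(
          'The requested DurationSeconds exceeds the MaxSessionDuration set for this role.');
        err.code = 'ValidationError';
        err.statusCode = 400;
        throw err;
      }
      return { roleArn, expiresInSeconds: durationSeconds };
    },
    async getRole(credentials, roleArn) {
      calls.push(['GetRole', roleArn]);
      if (!allowGetRole) {
        const err = new Error('User is not authorized to perform: iam:GetRole');
        err.code = 'AccessDenied';
        throw err;
      }
      return { Arn: roleArn, MaxSessionDuration: maxSessionDuration };
    },
  };
}

// Demo: a 4h role asked for 12h, once with and once without iam:GetRole.
async function demo() {
  const role = 'arn:aws:iam::123456789012:role/ExampleRole';  // constructed
  for (const allowGetRole of [true, false]) {
    const clients = makeFakeClients({ maxSessionDuration: 14400, allowGetRole });
    const r = await assumeWithKnownLimit(clients, role, 43200);
    console.log(`GetRole ${allowGetRole ? 'allowed' : 'denied'}: ` +
      `${r.durationSeconds}s session, role max ${r.maxSessionDuration}, ` +
      `calls=${JSON.stringify(clients.calls)}`);
  }
}
demo();
```

The retry is safe because the rejection is a deterministic 400 (`retryable: false` in the report) rather than a transient failure, and the fallback never asks for more than the user requested. The cost dxciberaws points out below is visible in the call log: when `iam:GetRole` is denied, the user pays two extra STS round trips and still ends up with the plain 1-hour session.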

dxciberaws commented 4 years ago

IMHO this cannot be implemented. To know the role maximum duration setting you need IAM credentials with the iam:GetRole action. That involves in itself having obtained IAM access, which makes no sense to do while in the process of configuring access itself. The price of your suggested approach just to show the real limit of a particular role is not worth it in my opinion.