aws / aws-sdk

Landing page for the AWS SDKs on GitHub
https://aws.amazon.com/tools/

STS duration seconds ENVIRONMENT Variable #426

Open jimsmith opened 1 year ago

jimsmith commented 1 year ago

Describe the feature

An ENVIRONMENT variable to set the STS duration seconds, such as:

Use Case

Imagine engineers wanting to use ENVIRONMENT variables for STS Assume Role/Assume Role with Web Identity, and wanting to override the default duration (seconds); there are already environment variables for:

In a CI/CD pipeline (GitLab OIDC AWS authentication), to reduce the amount of code and keep the codebase simple and slim, there is no need to call aws CLI sts commands; environment variables can be used instead - from a platform engineering/operational perspective this is easier to support and maintain.

.... however there is no environment variable to set duration-seconds, nothing shows up in this repository seemingly to suggest it's supported.

Proposed Solution

No response

Other Information

No response

Acknowledgements

CLI version used

Pulling docker image amazon/aws-cli:latest ...

Environment details (OS name and version, etc.)

Mac OS Python/3.10.6 Darwin/22.1.0 source/x86_64

tim-finnigan commented 1 year ago

Hi @jimsmith thanks for the feature request. Since environment variables affect other AWS SDKs in addition to the CLI, I'm going to transfer this issue to our cross-SDK repository for tracking. I'll also link a related feature request here from the Java repository: https://github.com/aws/aws-sdk-java/issues/2756. I believe the requests in these two issues are similar, but if you want to confirm that or clarify any distinctions please let us know.

razvanphp commented 6 months ago

We also need this.

BTW, is the default 1 hour?

By default, the temporary security credentials created by AssumeRoleWithWebIdentity last for one hour. However, you can use the optional DurationSeconds parameter to specify the duration of your session. You can provide a value from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours.

saw it here: https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-web-identity.html

Also, can we extend the scope of this issue to include the possibility to have the token itself in an environment variable instead of a file? It could be called AWS_WEB_IDENTITY_TOKEN.

The reason is that for example gitlab CI provides the token in an env variable of choice, but there is an extra step to create a file and pipe it there for the aws-cli compatibility.

Then somebody would only do:

aws_job:
  id_tokens:
    AWS_WEB_IDENTITY_TOKEN:
      aud: https://gitlab.com
  variables:
    AWS_ROLE_ARN: arn:aws:iam::0000000000:role/ServiceRole
    AWS_ROLE_SESSION_NAME: GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}-${CI_JOB_ID}
    AWS_ROLE_SESSION_DURATION_SECONDS: 3600
  before_script:
    - aws sts get-caller-identity
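As an added illustration (not code from the SDKs or from anyone in this thread) of how the environment variables discussed above would map onto the AssumeRoleWithWebIdentity call, the function below reads the variables the SDKs already honour (AWS_ROLE_ARN, AWS_ROLE_SESSION_NAME, AWS_WEB_IDENTITY_TOKEN_FILE) plus the two names proposed here, AWS_WEB_IDENTITY_TOKEN and AWS_ROLE_SESSION_DURATION_SECONDS, which are assumptions and are not implemented by the SDKs. It validates DurationSeconds against the 900 to 43200 second bounds quoted from the STS docs above; the role's own maximum session duration is still enforced server-side by STS.

```python
import os
from pathlib import Path

# Bounds quoted in this thread from the STS AssumeRoleWithWebIdentity docs:
# 900 s (15 min) up to the role's maximum session duration, at most 12 h.
# STS enforces the per-role cap; this is only a client-side sanity check.
MIN_DURATION = 900
MAX_DURATION = 43200


def build_assume_role_params(env, read_file=lambda p: Path(p).read_text().strip()):
    """Map environment variables to AssumeRoleWithWebIdentity kwargs.

    AWS_WEB_IDENTITY_TOKEN and AWS_ROLE_SESSION_DURATION_SECONDS are the names
    proposed in this issue (hypothetical); the SDKs do not read them today.
    """
    role_arn = env.get("AWS_ROLE_ARN")
    if not role_arn:
        raise ValueError("AWS_ROLE_ARN is required")

    # Prefer an in-memory token (proposed) so a CI job need not write it to
    # disk; otherwise fall back to the token file the SDKs use today.
    token = env.get("AWS_WEB_IDENTITY_TOKEN")
    if not token:
        token_file = env.get("AWS_WEB_IDENTITY_TOKEN_FILE")
        if not token_file:
            raise ValueError("set AWS_WEB_IDENTITY_TOKEN or AWS_WEB_IDENTITY_TOKEN_FILE")
        token = read_file(token_file)

    params = {
        "RoleArn": role_arn,
        "RoleSessionName": env.get("AWS_ROLE_SESSION_NAME", "web-identity-session"),
        "WebIdentityToken": token,
    }

    raw = env.get("AWS_ROLE_SESSION_DURATION_SECONDS")
    if raw is not None:  # omitted -> STS applies its one-hour default
        try:
            duration = int(raw)
        except ValueError:
            raise ValueError(f"AWS_ROLE_SESSION_DURATION_SECONDS is not an integer: {raw!r}")
        if not MIN_DURATION <= duration <= MAX_DURATION:
            raise ValueError(f"DurationSeconds must be in {MIN_DURATION}..{MAX_DURATION}, got {duration}")
        params["DurationSeconds"] = duration
    return params


if __name__ == "__main__":
    import boto3  # the real call; kwargs match boto3's STS client signature
    print(boto3.client("sts").assume_role_with_web_identity(**build_assume_role_params(os.environ)))
```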