cevoaustralia / aws-google-auth

Provides AWS STS credentials based on Google Apps SAML SSO auth (what a jumble!)
MIT License

Duration doesn't work past 3600 no matter how I configure the IAM role #209

Closed gerrymiller closed 3 years ago

gerrymiller commented 3 years ago

Hello,

First of all, thanks for making aws-google-auth! It's definitely introduced a new layer of security, as we're now able to deprecate all IAM roles for CLI access, our likely weakest link in the security chain.

We have one problem we can't seem to get beyond - even though the IAM Role we're accessing is configured to allow an 8-hour session duration, we can't seem to get aws-google-auth to work beyond 1 hour:

Screen capture of IAM Role configuration

Error message:

$ aws-google-auth -p default -u <redacted>@<redacted>.<redacted> -I <redacted> -S <redacted> -R us-east-1 -d 3601 -r arn:aws:iam::<redacted>:role/<redacted> -k --resolve-aliases --save-failure-html --log warn
  No  AWS account    Role
----  -------------  ----------
   1  <redacted>    <redacted>
Type the number (1 - 1) of the role to assume: 1
Assuming arn:aws:iam::<redacted>:role/<redacted>
ERROR:root:An error occurred (ValidationError) when calling the AssumeRoleWithSAML operation: The requested DurationSeconds exceeds the MaxSessionDuration set for this role.
Traceback (most recent call last):
  File "/Users/gerry/Development/aws-google-auth/aws_google_auth/__init__.py", line 78, in cli
    process_auth(args, config)
  File "/Users/gerry/Development/aws-google-auth/aws_google_auth/__init__.py", line 278, in process_auth
    print("Credentials Expiration: " + format(amazon_client.expiration.astimezone(get_localzone())))
  File "/Users/gerry/Development/aws-google-auth/aws_google_auth/amazon.py", line 64, in expiration
    return self.token['Credentials']['Expiration']
  File "/Users/gerry/Development/aws-google-auth/aws_google_auth/amazon.py", line 44, in token
    self.__token = self.assume_role(self.config.role_arn,
  File "/Users/gerry/Development/aws-google-auth/aws_google_auth/amazon.py", line 117, in assume_role
    res = self.sts_client.assume_role_with_saml(**sts_call_vars)
  File "/usr/local/lib/python3.9/site-packages/botocore/client.py", line 357, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python3.9/site-packages/botocore/client.py", line 676, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (ValidationError) when calling the AssumeRoleWithSAML operation: The requested DurationSeconds exceeds the MaxSessionDuration set for this role.

Are we configuring this wrong, or is there a potential bug? We'd love to get the configured 8-hour session expiration working. Thanks in advance for any help you can provide.

Cheers,

gerrymiller commented 3 years ago

We figured this out. We had correctly set the Session Duration for the IAM cross-account Role, but not for the SAML authentication Role. All set now!
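The error in the first post comes from STS, not from aws-google-auth: AssumeRoleWithSAML rejects any DurationSeconds above the MaxSessionDuration of the role named in the SAML assertion (the role actually passed to the call), and a role whose MaxSessionDuration was never changed keeps the default of 3600. Setting 8 hours on a second, cross-account role that is assumed later does not raise that limit. The following pre-flight check is an added example, not code from aws-google-auth: given the requested duration and the MaxSessionDuration of the role being assumed, it reports the same limit STS enforces before the call is made. The role table (`SamlSsoRole` at the default 3600, `CrossAccountAdmin` at 28800), the account id and the helper names are constructed for illustration; in practice the MaxSessionDuration value comes from `aws iam get-role`, which takes the bare role name, so the ARN parser also strips any path.

```python
"""Pre-flight check for AssumeRoleWithSAML DurationSeconds (added example, not project code)."""
import re
from dataclasses import dataclass

# Hard STS limits on DurationSeconds for AssumeRoleWithSAML, in seconds.
STS_MIN_DURATION = 900       # 15 minutes
STS_MAX_DURATION = 43200     # 12 hours
DEFAULT_MAX_SESSION = 3600   # MaxSessionDuration of a role that was never changed

# arn:<partition>:iam::<12-digit account>:role/<optional/path/><name>
_ROLE_ARN = re.compile(r"^arn:aws[\w-]*:iam::(\d{12}):role/(?:[^/]+/)*([\w+=,.@-]+)$")


def role_name_from_arn(arn):
    """Return (account_id, role_name); path segments are dropped because iam:GetRole wants only the name."""
    m = _ROLE_ARN.match(arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {arn}")
    return m.group(1), m.group(2)


@dataclass
class DurationCheck:
    ok: bool
    effective: int   # duration STS would accept (the request, or the largest safe value)
    reason: str


def check_saml_duration(requested, max_session_duration):
    """Mirror the validation STS applies to DurationSeconds on AssumeRoleWithSAML."""
    if requested < STS_MIN_DURATION:
        return DurationCheck(False, STS_MIN_DURATION,
                             f"DurationSeconds {requested} is below the STS minimum of {STS_MIN_DURATION}")
    if requested > STS_MAX_DURATION:
        return DurationCheck(False, min(STS_MAX_DURATION, max_session_duration),
                             f"DurationSeconds {requested} exceeds the STS maximum of {STS_MAX_DURATION}")
    if requested > max_session_duration:
        # This is the ValidationError from the issue: the role's own MaxSessionDuration is the cap.
        return DurationCheck(False, max_session_duration,
                             f"DurationSeconds {requested} exceeds the MaxSessionDuration "
                             f"({max_session_duration}) set for this role")
    return DurationCheck(True, requested, "ok")


# Constructed stand-in for what `aws iam get-role` would return for each role name.
SAMPLE_ROLES = {
    "SamlSsoRole": DEFAULT_MAX_SESSION,   # the role in the SAML assertion, never changed
    "CrossAccountAdmin": 28800,           # the cross-account role, raised to 8 hours
}


def check_against_roles(role_arn, requested, roles=SAMPLE_ROLES):
    """Look up the role that AssumeRoleWithSAML actually targets and check the request against it."""
    _, name = role_name_from_arn(role_arn)
    if name not in roles:
        raise KeyError(f"unknown role {name}")
    return check_saml_duration(requested, roles[name])


if __name__ == "__main__":
    # Reproduces the misconfiguration from the issue: 8 hours on the wrong role.
    for arn in ("arn:aws:iam::123456789012:role/SamlSsoRole",
                "arn:aws:iam::123456789012:role/CrossAccountAdmin"):
        result = check_against_roles(arn, 28800)
        print(f"{arn}: {'OK' if result.ok else 'REJECTED'} ({result.reason})")
```

Running it with `-d 28800` against `SamlSsoRole` reports the rejection and a safe fallback of 3600, while `CrossAccountAdmin` passes, which is exactly why raising the limit on the cross-account role alone changed nothing; the fix is `aws iam update-role --role-name SamlSsoRole --max-session-duration 28800` on the role aws-google-auth passes to AssumeRoleWithSAML.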