First of all, thanks for making aws-google-auth! It's definitely introduced a new layer of security, as we're now able to deprecate all IAM roles for CLI access, our likely weakest link in the security chain.
We have one problem we can't seem to get beyond - even though the IAM Role we're accessing is configured to allow an 8-hour session duration, we can't seem to get aws-google-auth to work beyond 1 hour:
Error message:

```
$ aws-google-auth -p default -u <redacted>@<redacted>.<redacted> -I <redacted> -S <redacted> -R us-east-1 -d 3601 -r arn:aws:iam::<redacted>:role/<redacted> -k --resolve-aliases --save-failure-html --log warn
No  AWS account   Role
--- ------------- ----------
1   <redacted>    <redacted>
Type the number (1 - 1) of the role to assume: 1
Assuming arn:aws:iam::<redacted>:role/<redacted>
ERROR:root:An error occurred (ValidationError) when calling the AssumeRoleWithSAML operation: The requested DurationSeconds exceeds the MaxSessionDuration set for this role.
Traceback (most recent call last):
  File "/Users/gerry/Development/aws-google-auth/aws_google_auth/__init__.py", line 78, in cli
    process_auth(args, config)
  File "/Users/gerry/Development/aws-google-auth/aws_google_auth/__init__.py", line 278, in process_auth
    print("Credentials Expiration: " + format(amazon_client.expiration.astimezone(get_localzone())))
  File "/Users/gerry/Development/aws-google-auth/aws_google_auth/amazon.py", line 64, in expiration
    return self.token['Credentials']['Expiration']
  File "/Users/gerry/Development/aws-google-auth/aws_google_auth/amazon.py", line 44, in token
    self.__token = self.assume_role(self.config.role_arn,
  File "/Users/gerry/Development/aws-google-auth/aws_google_auth/amazon.py", line 117, in assume_role
    res = self.sts_client.assume_role_with_saml(**sts_call_vars)
  File "/usr/local/lib/python3.9/site-packages/botocore/client.py", line 357, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python3.9/site-packages/botocore/client.py", line 676, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (ValidationError) when calling the AssumeRoleWithSAML operation: The requested DurationSeconds exceeds the MaxSessionDuration set for this role.
```
Are we configuring this wrong, or is there a potential bug? We'd love to get the configured 8-hour session expiration working. Thanks in advance for any help you can provide.
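The `ValidationError` in the traceback above is raised by STS when the `DurationSeconds` passed to `AssumeRoleWithSAML` (here `-d 3601`) is larger than the `MaxSessionDuration` property of the role named in the ARN, which is 3600 seconds unless it has been raised with `iam:UpdateRole`. A pre-flight check that reads that property and compares it to the requested duration pins down which side is misconfigured before the SAML round trip. The following is an added example, not code from aws-google-auth or from the issue author; the role names, account ID and `FakeIAM` stand-in are constructed so it runs offline, and `max_session_duration` assumes the caller has `iam:GetRole` on the target role when the real `boto3.client("iam")` is substituted.

```python
"""Pre-flight check for AssumeRoleWithSAML session length.

Added example, not part of aws-google-auth. STS rejects a DurationSeconds
larger than the role's MaxSessionDuration with the ValidationError shown in
the issue's traceback, so this reads the limit from IAM and compares first.
"""
import re

STS_MIN_DURATION = 900       # AssumeRoleWithSAML lower bound for DurationSeconds
IAM_DEFAULT_MAX = 3600       # MaxSessionDuration a role has until someone raises it
IAM_ABSOLUTE_MAX = 43200     # largest MaxSessionDuration IAM accepts (12 hours)

# arn:aws:iam::<account>:role/<optional/path/><name>; GetRole wants the bare name.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/(?:[^/]+/)*([^/]+)$")


def parse_role_arn(role_arn):
    """Return (account_id, role_name) from a role ARN, dropping any path."""
    match = ROLE_ARN_RE.match(role_arn)
    if not match:
        raise ValueError("not an IAM role ARN: %r" % role_arn)
    return match.group(1), match.group(2)


def max_session_duration(role_arn, iam_client):
    """Read the role's MaxSessionDuration via iam:GetRole (real or fake client)."""
    _, role_name = parse_role_arn(role_arn)
    return iam_client.get_role(RoleName=role_name)["Role"]["MaxSessionDuration"]


def validate_duration(requested, role_max):
    """Mirror the STS bounds: return the value to send as DurationSeconds or raise."""
    if requested < STS_MIN_DURATION:
        raise ValueError("DurationSeconds %d is below the STS minimum of %d"
                         % (requested, STS_MIN_DURATION))
    if requested > role_max:
        raise ValueError(
            "DurationSeconds %d exceeds the role's MaxSessionDuration of %d; "
            "raise it with iam:UpdateRole (ceiling %d) or request less"
            % (requested, role_max, IAM_ABSOLUTE_MAX))
    return requested


def explain(role_arn, requested, iam_client):
    """One-line verdict on whether STS will accept this duration for this role."""
    role_max = max_session_duration(role_arn, iam_client)
    try:
        validate_duration(requested, role_max)
    except ValueError as err:
        return "FAIL: %s" % err
    return "OK: role allows %d s, requesting %d s" % (role_max, requested)


class FakeIAM:
    """Constructed stand-in for boto3.client('iam') so the example runs offline.

    It answers get_role() from a dict of role name -> MaxSessionDuration.
    """

    def __init__(self, limits):
        self._limits = limits

    def get_role(self, RoleName):
        return {"Role": {"RoleName": RoleName,
                         "MaxSessionDuration": self._limits[RoleName]}}


if __name__ == "__main__":
    # Constructed data: one role left at the IAM default, one raised to 8 hours.
    iam = FakeIAM({"cli-default": IAM_DEFAULT_MAX, "cli-8h": 8 * 3600})
    print(explain("arn:aws:iam::123456789012:role/cli-default", 3601, iam))
    print(explain("arn:aws:iam::123456789012:role/cli-8h", 28800, iam))
    # Live use: explain(role_arn, 28800, boto3.client("iam"))
```

The check is worth running against the exact ARN passed with `-r`, since the 8-hour setting has to be on that role, in that account; a role with the same name elsewhere, or a role that was recreated with the default 3600 seconds, produces exactly the error in the traceback.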