common-fate / granted

The easiest way to access your cloud.
https://granted.dev
MIT License

should chained roles inherit duration? #154

Closed orenmazor closed 2 years ago

orenmazor commented 2 years ago

hey all,

assuming a config as follows:

[profile foo]
mfa_serial=arn:aws:iam::x:mfa/oren.mazor
credential_process=op_credentials_process.bash my.1password.com aws-users
duration_seconds=43200

[profile bar]
source_profile=foo
role_arn=arn:aws:iam::yy:role/sudo
mfa_serial=arn:aws:iam::x:mfa/oren.mazor

If I do assume bar, I would expect that bar might be inheriting the settings of foo, but this is not the case. That makes sense for a ton of reasons.

however, if I DO set explicit duration seconds on bar:

[profile bar]
source_profile=foo
role_arn=arn:aws:iam::yy:role/sudo
mfa_serial=arn:aws:iam::x:mfa/oren.mazor
duration_seconds=43200

I still only get the default one-hour setting. Is this intentional, or just something I can PR some functionality towards?

TryTryAgain commented 2 years ago

That would be great but that would need to be interpreted and implemented as part of some refresh mechanism I believe. Role chain switching itself cannot go beyond 1 hour: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html "Role chaining limits your AWS CLI or AWS API role session to a maximum of one hour."

orenmazor commented 2 years ago

That's what I thought as well, but somehow aws-vault does it. Do they just refresh regularly?

edit:

oooh TIL: https://github.com/99designs/aws-vault/blob/master/USAGE.md#session-duration

JoshuaWilkes commented 2 years ago

Closing this issue, as stated there is a 1-hour limit to role chaining sessions.
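A small check for the situation discussed in this thread, added here as an illustration and not part of Granted or aws-vault: it parses an AWS CLI style config (the constructed sample below mirrors the profiles from the issue), finds profiles that assume a role using another profile's credentials, and reports any `duration_seconds` above the one-hour role-chaining cap so the requested value is not silently taken at face value. It assumes, as the thread concludes, that a `role_arn` profile with a `source_profile` is subject to the cap; the profile names and config text are constructed.

```python
import configparser

# AWS STS caps role-chaining sessions at one hour (3600 seconds); a larger
# DurationSeconds on a chained AssumeRole is not honoured.
ROLE_CHAIN_MAX_SECONDS = 3600

# Constructed sample config, shaped like the profiles in the issue.
SAMPLE_CONFIG = """
[profile foo]
mfa_serial=arn:aws:iam::x:mfa/oren.mazor
credential_process=op_credentials_process.bash my.1password.com aws-users
duration_seconds=43200

[profile bar]
source_profile=foo
role_arn=arn:aws:iam::yy:role/sudo
mfa_serial=arn:aws:iam::x:mfa/oren.mazor
duration_seconds=43200
"""


def load_profiles(text):
    """Parse AWS config text into {profile_name: {key: value}}.

    The '[profile name]' prefix used by ~/.aws/config is stripped so that
    source_profile references can be resolved by bare name.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    profiles = {}
    for section in parser.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(parser[section])
    return profiles


def is_chained_role(profiles, name):
    """True when the profile assumes a role with credentials taken from
    another profile (assumption: treated as role chaining, as in the thread)."""
    p = profiles.get(name, {})
    return "role_arn" in p and p.get("source_profile") in profiles


def lint_durations(profiles, cap=ROLE_CHAIN_MAX_SECONDS):
    """Return {profile: (requested_seconds, effective_seconds)} for every
    chained-role profile whose duration_seconds exceeds the cap."""
    findings = {}
    for name, p in profiles.items():
        if not is_chained_role(profiles, name):
            continue
        requested = int(p.get("duration_seconds", cap))
        if requested > cap:
            findings[name] = (requested, cap)
    return findings


def lint_config_text(text):
    """Convenience wrapper: parse and lint in one call."""
    return lint_durations(load_profiles(text))


if __name__ == "__main__":
    for profile, (requested, effective) in lint_config_text(SAMPLE_CONFIG).items():
        print(f"[{profile}] duration_seconds={requested} exceeds the role-chaining "
              f"cap; the session will be limited to {effective} seconds. "
              f"Longer access needs re-assumption (refresh) from the source credentials.")
```

Running it against the sample reports `bar`, because its 43200-second request sits on top of credentials obtained through `foo`; `foo` itself is not flagged, since it holds no `role_arn`. Longer effective access, as aws-vault does, comes from re-running the AssumeRole from the source credentials before each hour expires rather than from a larger `duration_seconds`.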