common-fate / granted

The easiest way to access your cloud.
https://granted.dev
MIT License

Feature Request: Support AssumeRoleWithSAML option for fetching credentials (support session_duration) #344

Open bibli-alex opened 1 year ago

bibli-alex commented 1 year ago

I have an AWS SSO setup. I can assume and assume -c without an issue, but assume -d 2h doesn't change the duration of the session:

[screenshot]

I can't make it any shorter either - assume -d 30m still says 1 hour, and echo $AWS_SESSION_EXPIRATION shows the same.

I've also tried --duration 2h, and I've tried setting the duration_seconds value in the config for the profile.

Finally, I cleared my sso token using granted sso-token clear and re-authed with the -d 2h option, and it still kept it at 1 hour.

JoshuaWilkes commented 1 year ago

Hi @bibli-alex

Thanks for reaching out, you will need to check whether your AWS PermissionSet has a session duration longer than 1 hour configured.

See this from AWS https://docs.aws.amazon.com/singlesignon/latest/userguide/howtosessionduration.html

And this example of the get-role-credentials option for AWS SSO https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sso/get-role-credentials.html#get-role-credentials

AWS doesn't give the option to request a session duration that is different to the default configured for the permission set. The duration configuration only applies to IAM roles assumed using long lived credentials.

If you are role chaining, using one role to assume another, then the session duration is limited to a maximum of 1 hour.

bibli-alex commented 1 year ago

I've used the Leapp tool previously, and they used assumeRoleWithSAML which allows me to set my duration. The maximum duration from my aws iam get-role call for the role I've assumed is 43200 (12 hours).

I suppose it's not possible at this stage if you're not using that API call.

bibli-alex commented 1 year ago

@JoshuaWilkes If it's a reasonable alternative API call to use, we can leave this here as a feature request to swap to that for SAML-based logins, allowing for a wider range of duration setting.

JoshuaWilkes commented 1 year ago

It's possible that we could add a wrapper around https://github.com/Versent/saml2aws . You could also try to integrate with the above tool using a credential-process.

You may also be able to use the above tool and then use:

granted console

granted console will launch an AWS console using existing credentials in your terminal environment.

So if you want the console features of Granted, you can use them with an external tool.
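
A minimal credential_process bridge of the kind suggested above, as an added example rather than Granted's or saml2aws's own code: it takes credentials an external tool exported into the shell (the standard AWS_* variables; using AWS_SESSION_EXPIRATION as the expiry source is an assumption taken from the variable name used earlier in this thread) and emits the JSON document the AWS SDKs expect from a credential_process, refusing partial or already-expired credentials so a stale session is never silently reused.

```python
import json
import os
from datetime import datetime, timezone

REQUIRED = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")

def parse_expiration(value: str) -> datetime:
    # RFC 3339 timestamp; a trailing 'Z' is normalised for fromisoformat()
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def seconds_remaining(env: dict, now: datetime) -> int:
    # Seconds until the exported session expires (negative once it has)
    return int((parse_expiration(env["AWS_SESSION_EXPIRATION"]) - now).total_seconds())

def credential_process_output(env: dict, now: datetime) -> dict:
    # Build the Version-1 credential_process document; refuse partial or expired creds
    missing = [k for k in REQUIRED if not env.get(k)]
    if missing:
        raise ValueError(f"missing credentials in environment: {missing}")
    doc = {
        "Version": 1,
        "AccessKeyId": env["AWS_ACCESS_KEY_ID"],
        "SecretAccessKey": env["AWS_SECRET_ACCESS_KEY"],
        "SessionToken": env["AWS_SESSION_TOKEN"],
    }
    if "AWS_SESSION_EXPIRATION" in env:
        if seconds_remaining(env, now) <= 0:
            raise ValueError("session has expired; re-authenticate with the external tool")
        # Expiration tells the SDK when to re-run this process instead of caching forever
        doc["Expiration"] = parse_expiration(env["AWS_SESSION_EXPIRATION"]).isoformat()
    return doc

# Constructed sample values for the worked example; not real credentials
SAMPLE_ENV = {
    "AWS_ACCESS_KEY_ID": "ASIAEXAMPLEEXAMPLE00",
    "AWS_SECRET_ACCESS_KEY": "constructed-secret-key",
    "AWS_SESSION_TOKEN": "constructed-session-token",
    "AWS_SESSION_EXPIRATION": "2024-01-01T12:00:00Z",
}
SAMPLE_NOW = parse_expiration("2024-01-01T11:00:00Z")  # constructed clock: one hour left

if __name__ == "__main__":
    # Real use: read the live environment, print JSON on stdout and nothing else
    print(json.dumps(credential_process_output(dict(os.environ), datetime.now(timezone.utc))))
```

Point a profile at it with `credential_process = /path/to/this-script.py` in ~/.aws/config; the SDK re-runs the script when the returned Expiration passes, so the session length you get is whatever the external tool negotiated, not something this wrapper can extend.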

ollytheninja commented 1 year ago

I note the docs don't make it clear that this option is not supported for SSO logins. I was quite surprised when I didn't get the (shorter) session duration I was expecting. https://docs.commonfate.io/granted/usage/assuming-roles/#overriding-duration