physera / onelogin-aws-cli

Assume an AWS Role and cache credentials using Onelogin
MIT License

Feature: Background task that refreshes session periodically #119

Closed thnee closed 6 years ago

thnee commented 6 years ago

Problem

In our organization, we have a hard requirement from regulation that basically says "idle login sessions must be automatically timed out after 15 minutes".

Although this can be annoying, it is still functional as long as a login session is active in nature, for example an SSH session keeps being active as long as you are using it.

However, since onelogin-aws-cli is passive in nature, this does turn into a very real problem. If some automation tool is running a long process for more than 15 minutes, the session will time out while the tool is running, breaking the workflow, which may not be recoverable. For example, building AMIs with Packer can definitely take quite some time.

--renew-seconds

I see that onelogin-aws-cli used to have a flag called --renew-seconds. However, as far as I can tell from the code, that feature had the drawback of running in the foreground and occupying the terminal.

Fork off and die

I think a better way to implement session refreshing would be to fork off a background process and let the onelogin-aws-login program finish and release control of the terminal back to the user as it currently does.

However, this might be a somewhat substantial feature to implement and support, so I would really appreciate some input on it before proceeding.

I imagine at least one configuration option called something like session_refresh_frequency that says how often to refresh the session.

AWS CLI Plugin API

Alternatively, I thought about building a plugin for AWS CLI that somehow detects that the session has timed out, and calls back to onelogin-aws-cli to reauthenticate.

However, the plugin API for AWS CLI is not official at all yet. Also, I imagine that the plugin API might not allow me to hook into and control the execution of any other arbitrary command.

So as far as I can see, an AWS CLI plugin is not looking like a realistic option at this point.

slycoder commented 6 years ago

So there was a previous discussion on daemonization which might address what you're looking for vis a vis the second option.

However the problem with both the daemon and renew-seconds was that in the end you'd have to reauth; I'm not sure if that would be a prohibitive barrier in your case.

Policy-wise, how would one define an "idle" here? I may be mistaken but the IAM policies don't have login lifetimes based on idleness.

drewsonne commented 6 years ago

*thousand yard stare into the distance...

https://github.com/physera/onelogin-aws-cli/pull/66 https://github.com/physera/onelogin-aws-cli/issues/36

drewsonne commented 6 years ago

I am curious about the AWS plugin bit. I guess:

somehow detects that the session has timed out

could be handled by just handling authentication failure errors. I'm not sure if the AWS cli has events that are that consistent, but if there are event emitters on response or something, it could be checked by the plugin.

Due to lack of official support, this probably should not be in this repo, but I think this could be done as a separate package (awscli-onelogin-credentials-handler or whatever)

It looks like although not documented, the plugins api in the awscli is quite mature. Actually, I think it could be doable:

The branch flow to get to the event I think you'd need (modify the session)

I think _emit_session_event() is where you'd need to hook in.

And you could hook into boto as well using https://github.com/boto/boto3/issues/619#issuecomment-216980368 but I think that would best be done in a separate project as a OneloginFederationCredentialProvider() or something.

And here’s an example plugin https://github.com/wbingli/awscli-plugin-endpoint

I definitely think it's doable. Nearly all the prompts for the user are wrapped in functions, so you could import the onelogin_aws_cli library into another project.

I think that if you could get the Boto credential handler working, that would be a massive step towards this.

thnee commented 6 years ago

Thank you very much for the input! And sorry for keeping this open for so long.

@slycoder You're right, simply re-authenticating over and over would not be compliant. We must detect whether the session is actually idle or being used.

Agree, it won't be reliable to determine idleness from onelogin-aws-cli.

The only reliable way that I can see would be to make a plugin for aws cli that hooks into all sub commands and registers that something has been executed. (Possibly keeping track of which account/role is being used). Unfortunately I have not been able to find a way to do that while browsing the aws cli source code.

@drewsonne Thank you very much for the pointers, but I don't think that _emit_session_event() is enough. The big issue is that I would need to hook into all sub commands to know if anything has been called or not.
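An added example, not code from onelogin-aws-cli or from any of the commenters, that puts the two halves of this thread together: the "fork off and die" background refresher from the opening comment, and the activity tracking that the last comment says is needed to tell an idle session from an active one. Everything here is an assumption for illustration: the awscli plugin API is undocumented, so `awscli_initialize(cli)` with `cli.register("after-call", ...)` follows the convention seen in awscli-plugin-endpoint rather than any guarantee; the activity file path, the `reauth()` callback, and all class and function names are made up; and `reauth()` is assumed to complete non-interactively, which slycoder's comment identifies as the open problem.

```python
# Added example (not part of onelogin-aws-cli): idle-aware background refresh.
import json
import os
import time
from enum import Enum

IDLE_TIMEOUT_SECONDS = 15 * 60   # regulatory idle limit quoted in the issue
REFRESH_MARGIN_SECONDS = 5 * 60  # assumption: renew when this close to expiry


class ActivityLog:
    """Time of the user's last AWS call, shared between the CLI plugin and the
    background refresher through a small JSON file (path is an assumption)."""

    def __init__(self, path):
        self.path = path

    def touch(self, now):
        # Write-then-rename so a concurrent reader never sees a partial file.
        tmp = self.path + ".tmp"
        with open(tmp, "w") as fh:
            json.dump({"last_activity": now}, fh)
        os.replace(tmp, self.path)

    def last_activity(self):
        try:
            with open(self.path) as fh:
                return json.load(fh)["last_activity"]
        except (OSError, ValueError, KeyError):
            return None  # nothing recorded yet: treated as idle


def awscli_initialize(cli, log=None):
    """awscli plugin entry point. The plugin API is undocumented; this assumes,
    following awscli-plugin-endpoint, that `cli` is the session's event emitter
    and that a handler registered on 'after-call' fires for every completed
    API call, which is how "something has been executed" gets recorded."""
    if log is None:
        log = ActivityLog(os.path.expanduser("~/.onelogin-aws-activity.json"))

    def record_activity(**kwargs):
        log.touch(time.time())

    cli.register("after-call", record_activity)


class Action(Enum):
    WAIT = "wait"        # session active, credentials still fresh
    REFRESH = "refresh"  # session active, credentials close to expiry
    STOP = "stop"        # session idle: let it die, do not keep it alive


def decide(now, last_activity, expires_at):
    """Only an active session is refreshed; one idle for IDLE_TIMEOUT_SECONDS
    is left to expire, which is what keeps periodic refresh compliant."""
    if last_activity is None or now - last_activity >= IDLE_TIMEOUT_SECONDS:
        return Action.STOP
    if expires_at - now <= REFRESH_MARGIN_SECONDS:
        return Action.REFRESH
    return Action.WAIT


def run_refresher(log, expires_at, reauth, clock=time.time, sleep=time.sleep,
                  poll_seconds=30):
    """Background loop. `reauth()` re-runs the OneLogin/STS flow and returns
    the new expiry time (assumed non-interactive). Returns how many refreshes
    happened before the session went idle and the loop stopped."""
    refreshes = 0
    while True:
        action = decide(clock(), log.last_activity(), expires_at)
        if action is Action.STOP:
            return refreshes
        if action is Action.REFRESH:
            expires_at = reauth()
            refreshes += 1
        sleep(poll_seconds)


def daemonize():
    """Classic double fork ("fork off and die"): returns False in the parent,
    which should exit normally and hand the terminal back; returns True in the
    detached grandchild, which should run run_refresher()."""
    if os.fork() > 0:
        return False
    os.setsid()                      # new session: no controlling terminal
    if os.fork() > 0:
        os._exit(0)                  # first child exits; grandchild is reparented
    devnull = os.open(os.devnull, os.O_RDWR)
    for fd in (0, 1, 2):
        os.dup2(devnull, fd)         # detach stdio from the user's terminal
    return True
```

The login command would `touch()` the log once, call `daemonize()`, and in the grandchild run `run_refresher()` with a `reauth` that re-runs the existing login flow; the loop then renews only while API calls keep arriving through the plugin hook, and exits on its own once the 15-minute idle window passes.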