prolane / samltoawsstskeys

Google Chrome Extension which converts a SAML 2.0 assertion to AWS STS Keys.
MIT License
139 stars 91 forks

Issue with the optional setting [OPTIONAL] Apply the SessionDuration requested by the SAML provider #64

Closed andysimant closed 1 year ago

andysimant commented 1 year ago

When the [OPTIONAL] setting (Apply the SessionDuration requested by the SAML provider) is set to YES, I was unable to get the credential file. Since this is an optional setting, it shouldn't block the user from downloading the credential file. Kindly fix this.

Debug LOG:
INFO: AWSAssumeRoleWithSAMLCommand client.send will now be executed script.js:292
ValidationError: The requested DurationSeconds exceeds the MaxSessionDuration set for this role.
    at Te (aws-js-sdk-bundle.js:2:57065)
    at aws-js-sdk-bundle.js:2:70787
    at async aws-js-sdk-bundle.js:2:38494
    at async On.retry (aws-js-sdk-bundle.js:2:89037)
    at async aws-js-sdk-bundle.js:2:116397
    at async assumeRoleWithSAML (script.js:278:22)
    at async onBeforeRequestEvent (script.js:197:12)
script.js:203 ERROR: Error when trying to assume the IAM Role with the SAML Assertion.
script.js:204 TypeError: Cannot read properties of undefined (reading 'access_key_id')
    at onBeforeRequestEvent (script.js:199:72)
"TypeError: Cannot read properties of undefined (reading 'access_key_id')\n at onBeforeRequestEvent (chrome-extension://ekniobabpcnfjgfbphhcolcinmnbehde/background/script.js:199:72)"

prolane commented 1 year ago

I guess the label [OPTIONAL] in the options panel could be misleading, since you are required to either choose yes or no. You can't leave it blank. I will remove the [OPTIONAL] label.

Regarding the error: What you are experiencing here is actually a configuration error at your identity provider's (IDP's) end. In the SAML Assertion, your IDP sends along a requested session duration. This requested duration is higher than the maximum allowed duration configured on the AWS IAM Role. The two of them do not match, so one of them needs to be reconfigured to match the other.

The default session duration on AWS side is 3600 (1h). This is what you will get when you set the Apply the SessionDuration requested by the SAML provider setting in the extension's option panel to no. Many AWS Cloud administrators find this 1 hour session duration quite frustrating, therefore they extend the max session duration on the IAM Role. For this reason, yes is the default value for this option, and will remain the default value.
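The mismatch described above, and the TypeError that followed it in the reporter's log, can be handled so the misconfiguration is logged and a fallback set of credentials is still produced. This is an added example and not the extension's own code: `sendAssumeRole`, `assumeRoleWithSamlSafely`, `fakeSts` and `SAMPLE_ASSERTION` are constructed here so it runs offline; in the extension `sendAssumeRole` would wrap `stsClient.send(new AssumeRoleWithSAMLCommand(params))`.

```javascript
// Added example, not the extension's own code: handle a SAML-requested
// SessionDuration that exceeds the IAM role's MaxSessionDuration.
// `sendAssumeRole(params)` is an assumed injected function so this runs
// offline; in the extension it would wrap stsClient.send(new AssumeRoleWithSAMLCommand(params)).
const DEFAULT_DURATION_SECONDS = 3600; // AWS default when DurationSeconds is omitted
// Constructed minimal extractor of the SessionDuration attribute from the decoded assertion XML.
function requestedSessionDuration(assertionXml) {
  const re = /Name="https:\/\/aws\.amazon\.com\/SAML\/Attributes\/SessionDuration"[\s\S]*?<saml:AttributeValue[^>]*>\s*(\d+)\s*<\/saml:AttributeValue>/;
  const m = assertionXml.match(re);
  const n = m ? Number.parseInt(m[1], 10) : NaN;
  return n > 0 ? n : null; // null when the attribute is absent or not a positive integer
}
function isDurationValidationError(err) {
  return Boolean(err) && err.name === 'ValidationError' && /DurationSeconds/.test(err.message || '');
}
// Try the IdP-requested duration first; if STS rejects it, log the mismatch and
// retry once without DurationSeconds (AWS then applies its 3600 s default)
// instead of letting the caller read access keys from an undefined result.
async function assumeRoleWithSamlSafely(sendAssumeRole, baseParams, applyRequested, assertionXml) {
  const requested = applyRequested ? requestedSessionDuration(assertionXml) : null;
  const params = requested ? { ...baseParams, DurationSeconds: requested } : { ...baseParams };
  try {
    const out = await sendAssumeRole(params);
    return { credentials: out.Credentials, durationSeconds: requested ?? DEFAULT_DURATION_SECONDS, fellBack: false };
  } catch (err) {
    if (!requested || !isDurationValidationError(err)) throw err; // other failures still surface
    console.warn(`IdP requested ${requested}s, role rejected it; retrying with ${DEFAULT_DURATION_SECONDS}s`);
    const { DurationSeconds, ...withoutDuration } = params;
    const out = await sendAssumeRole(withoutDuration);
    return { credentials: out.Credentials, durationSeconds: DEFAULT_DURATION_SECONDS, fellBack: true };
  }
}
// Constructed stand-in for STS: enforces a role MaxSessionDuration and throws the
// same ValidationError text seen in the issue's debug log.
function fakeSts(roleMaxSeconds) {
  return async (params) => {
    const d = params.DurationSeconds ?? DEFAULT_DURATION_SECONDS;
    if (d > roleMaxSeconds) {
      const e = new Error('The requested DurationSeconds exceeds the MaxSessionDuration set for this role.');
      e.name = 'ValidationError';
      throw e;
    }
    return { Credentials: { AccessKeyId: 'ASIAEXAMPLE', SecretAccessKey: 'x', SessionToken: 'y' } };
  };
}
// Constructed assertion fragment: the IdP asks for 12 hours (43200 s).
const SAMPLE_ASSERTION = '<saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">' +
  '<saml:AttributeValue>43200</saml:AttributeValue></saml:Attribute>';
```

With a role whose MaxSessionDuration is 3600 the call falls back to the default and reports `fellBack: true`, which is the signal to tell the user the IdP and the role disagree.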

prolane commented 1 year ago

With release 3.3 the OPTIONAL label has been removed.

https://github.com/prolane/samltoawsstskeys/commit/6283f58e54fa81086f9369c8ca0878e409379d07#diff-cfe614044d3abb280d27ac2d618f154c41f38f684e455dcf12693a63cf2a2194L28