ruimarinho / gsts

Obtain and store AWS STS credentials to interact with Amazon services by authenticating via G Suite SAML.
MIT License
217 stars 38 forks

The requested DurationSeconds exceeds the MaxSessionDuration set for this role #13

Closed thepatrick closed 4 years ago

thepatrick commented 4 years ago

This script assumes that the value of https://aws.amazon.com/SAML/Attributes/SessionDuration is less than the value of MaxSessionDuration for all roles, which isn't true for my use case, which is multiple roles, but only the dev account allows up to 12-hour sessions (other roles have the default 1-hour limit).

aws-google-auth solved this by allowing the user to specify a command line argument / environment variable to specify the duration.

Would you be open to a PR that would allow specifying an override value for sessionDuration?

Parsed SAML assertion {
  attributes: [
    {
      name: 'https://aws.amazon.com/SAML/Attributes/RoleSessionName',
      value: [Array]
    },
    {
      name: 'https://aws.amazon.com/SAML/Attributes/Role',
      value: [Array]
    },
    {
      name: 'https://aws.amazon.com/SAML/Attributes/SessionDuration',
      value: [Array]
    }
  ]
}
Found SessionDuration attribute 28800
Found Role ARN arn:aws:iam::[account]:role/[role]
Found Principal ARN arn:aws:iam::[account]:saml-provider/[provider]
The requested DurationSeconds exceeds the MaxSessionDuration set for this role.

ruimarinho commented 4 years ago

Can you try updating to the latest version please?

ruimarinho commented 4 years ago

@thepatrick I was on mobile on my initial reply and now that I've re-read the issue, the latest version would not have fixed this issue (there was a SessionDuration improvement but not on this particular case).

This makes complete sense.

Would you be open to a PR that would allow specifying an override value for sessionDuration?

Yes, absolutely. Thank you.

thepatrick commented 4 years ago

No worries, I was hoping I might have missed something 😄

I'll do that.

lizthegrey commented 4 years ago

Just to link the threads together, the previously reported bug was: https://github.com/ruimarinho/gsts/issues/9

ruimarinho commented 4 years ago

@lizthegrey @thepatrick now that I believe I understand this issue a little bit better, I've taken a different approach. Instead of failing and forcing the user to fix the underlying problem, I'm fetching the IAM role's properties from the IAM service and making sure the MaxSessionDuration is never exceeded, while still warning the user about it:

[screenshot: 2020-04-24 01:31:48]

Please give 2.3.0-beta.1 on npm a try and let me know what you think!
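A worked sketch of the two ideas in this thread, the user-supplied duration override asked for in the first comment and the clamp-to-MaxSessionDuration-and-warn approach described in the comment above. This is an added example, not gsts's own code. It assumes the parsed assertion has the shape logged earlier in the issue (`{ attributes: [{ name, value: [...] }] }`), that the role's MaxSessionDuration is read through an injected `getRole` callback standing in for IAM GetRole (which needs `iam:GetRole` on the caller's side; how gsts obtains credentials for that call is not something this example claims), and the sample assertion and role table below are constructed.

```javascript
// Added example (not gsts's own code): pick the DurationSeconds to send to
// AssumeRoleWithSAML from the SAML attribute, an optional user override, and
// the role's MaxSessionDuration, warning instead of failing when clamping.

const SESSION_DURATION_ATTR = 'https://aws.amazon.com/SAML/Attributes/SessionDuration';

// AWS limits for DurationSeconds on AssumeRoleWithSAML, and the default
// MaxSessionDuration of an IAM role (1 hour).
const STS_MIN_DURATION = 900;
const STS_MAX_DURATION = 43200;
const IAM_DEFAULT_MAX_SESSION_DURATION = 3600;

// Extract the SessionDuration attribute (seconds) from a parsed assertion.
function sessionDurationFromAssertion(assertion) {
  const attr = (assertion.attributes || []).find((a) => a.name === SESSION_DURATION_ATTR);
  if (!attr || !Array.isArray(attr.value) || attr.value.length === 0) return undefined;
  const seconds = Number.parseInt(attr.value[0], 10);
  return Number.isInteger(seconds) ? seconds : undefined;
}

// Decide what DurationSeconds to request.
//   samlDuration       value from the assertion (may be undefined)
//   override           CLI flag / env var value (may be undefined)
//   maxSessionDuration the role's MaxSessionDuration from IAM
//   warn               warning sink (console.warn by default)
function chooseDurationSeconds({ samlDuration, override, maxSessionDuration }, warn = console.warn) {
  let requested;
  let source;
  if (Number.isInteger(override)) {
    requested = override; source = 'override';
  } else if (Number.isInteger(samlDuration)) {
    requested = samlDuration; source = 'SAML SessionDuration attribute';
  } else {
    requested = IAM_DEFAULT_MAX_SESSION_DURATION; source = 'default';
  }
  if (requested > maxSessionDuration) {
    warn(`Requested DurationSeconds ${requested} (${source}) exceeds the role's ` +
         `MaxSessionDuration ${maxSessionDuration}; using ${maxSessionDuration} instead.`);
    requested = maxSessionDuration;
  }
  // STS rejects values outside [900, 43200] regardless of the role setting.
  return Math.min(STS_MAX_DURATION, Math.max(STS_MIN_DURATION, requested));
}

// Role name from an ARN such as arn:aws:iam::123456789012:role/dev.
function roleNameFromArn(roleArn) {
  return roleArn.split('/').pop();
}

// Read the role's MaxSessionDuration. `getRole` is injected so this runs
// offline; in production it would wrap IAM GetRole. On failure (for example
// the caller lacks iam:GetRole) fall back to the documented default and warn.
async function maxSessionDurationFor(roleArn, getRole, warn = console.warn) {
  try {
    const { Role } = await getRole({ RoleName: roleNameFromArn(roleArn) });
    return Role.MaxSessionDuration;
  } catch (err) {
    warn(`Could not read MaxSessionDuration for ${roleArn} (${err.message}); ` +
         `assuming ${IAM_DEFAULT_MAX_SESSION_DURATION}s.`);
    return IAM_DEFAULT_MAX_SESSION_DURATION;
  }
}

// --- Constructed sample data (not from any real account) ---------------------
const SAMPLE_ASSERTION = {
  attributes: [
    { name: 'https://aws.amazon.com/SAML/Attributes/RoleSessionName', value: ['alice'] },
    { name: 'https://aws.amazon.com/SAML/Attributes/Role',
      value: ['arn:aws:iam::111111111111:role/dev,arn:aws:iam::111111111111:saml-provider/GoogleApps'] },
    { name: SESSION_DURATION_ATTR, value: ['28800'] },
  ],
};

// Stand-in for IAM GetRole: only the dev role allows 12-hour sessions.
const FAKE_ROLES = { dev: { MaxSessionDuration: 43200 }, prod: { MaxSessionDuration: 3600 } };
async function fakeGetRole({ RoleName }) {
  if (!(RoleName in FAKE_ROLES)) throw new Error('NoSuchEntity');
  return { Role: FAKE_ROLES[RoleName] };
}

async function demo() {
  const samlDuration = sessionDurationFromAssertion(SAMPLE_ASSERTION);
  for (const roleArn of ['arn:aws:iam::111111111111:role/dev',
                         'arn:aws:iam::222222222222:role/prod']) {
    const maxSessionDuration = await maxSessionDurationFor(roleArn, fakeGetRole);
    const seconds = chooseDurationSeconds({ samlDuration, maxSessionDuration });
    console.log(`${roleArn}: DurationSeconds=${seconds}`);
  }
}

demo();
```

With the sample data, the dev role keeps the 28800 s (8 h) from the assertion while the prod role is clamped to 3600 s with a warning, which is exactly the mixed-role situation the issue describes. An override wins over the attribute but is still clamped, so a user cannot re-trigger the STS error by asking for more than the role permits.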

thepatrick commented 4 years ago

That approach makes sense to me! Thank you for doing that :)

Unfortunately, when I try to use 2.3.0-beta.1 it hangs - logged separately as #15