Closed evanstucker-hates-2fa closed 1 week ago
Just to clarify, this is the expiration I'm talking about (not the top one, but the 59m one):
$ aws-sso list
List of AWS roles for SSO Instance: Default [Expires in: 6h 20m]
AccountIdPad | AccountAlias | RoleName | Profile | Expires
================================================================================================
REDACTED | REDACTED | REDACTED | REDACTED | 59m
Hi @evanstucker-hates-2fa,
This is not something that aws-sso controls, but rather the administrator of AWS Identity Center. Assuming you are the admin, you can navigate in the AWS Console to: IAM Identity Center -> Permission Sets and then select the permission set you wish to increase the session time. Click Edit and then change the Session duration to the desired value.
more info: https://docs.aws.amazon.com/singlesignon/latest/userguide/howtosessionduration.html
For users who are not also AWS IAM Identity Center admins, perhaps there could be a helper service? Something that runs aws-sso eval -r in the background or something?
Updated: The command was aws-sso eval -r, but I think that doesn't do what I thought it would do either...
Is there any command that refreshes the expiration time - sets it back to 60m?
There's really no great portable way to do this right now. In the future, I kinda hope the ecs server running in docker can deal with this sorta use case, but it's gonna be a long way before that happens. In all honesty, your best bet is to talk to your admin and ask them to increase the default 1hr value and why it's a problem. Most of the time, they just accepted the defaults without thinking.
Understood.
I wonder how the official aws CLI manages this? After I've configured my SSO profiles with it, I set AWS_PROFILE once, and it seems to function all day... They must be doing something sneaky...
Oh, if you want to use the AWS_PROFILE environment variable then the config-profiles command will do what you want by generating the appropriate entries in your ~/.aws/config file.
What I can't do easily is modify your current shell's environment.
I'll try that and let you know if it solves the issue. Thanks!
Hey! That works! After running aws-sso config-profiles to set it up, I need to run aws-sso-profile my_profile once in the morning, then export AWS_PROFILE=my_profile, and it automatically refreshes the token if it's expired! Thank you!
I'm not really sure why you're running aws-sso-profile xxxx at all. Just should need export AWS_PROFILE=xxx. Is there a problem if you don't?
I thought I had some problem with that, but I just ran these commands this morning and everything worked:
$ export AWS_PROFILE=my_profile
$ aws sts get-caller-identity
# Opened browser to complete SSO auth, then got this output.
{
"UserId": "AROAQIJREDACTEDFJNUZ2:evans",
"Account": "017999999995",
"Arn": "arn:aws:sts::017999999995:assumed-role/AWSReservedSSO_AdministratorAccess_9affbd59dc097fd3/evans"
}
Is your feature request related to a problem? Please describe. I am frustrated that I have to run aws-sso-profile at least 8 times during a regular workday, because the sessions expire in 60 minutes. I am constantly running kubectl commands or k9s and having them fail, then having to re-run aws-sso-profile to refresh my session.
Describe the solution you'd like Is there a way to set the expiration to once every 8, 12, or 24 hours?
Describe alternatives you've considered My solution is this goofy script I wrote: https://gitlab.com/devopscoop/scripts/-/blob/main/aws_configure_all_sso.sh?ref_type=heads ...but I would prefer to use aws-sso-cli because of the enhanced security.
Additional context Perhaps it's an anti-pattern from a security perspective to increase the session expiration above 60 minutes, but it's so annoying that I've fallen back to using the standard AWS CLI (via the script above). However, I still think encryption + 8 hour expiration is better security than no encryption and whatever magic AWS CLI uses to avoid the 60 minute expiration.