synfinatic / aws-sso-cli

A powerful tool for using AWS Identity Center for the CLI and web console.
https://synfinatic.github.io/aws-sso-cli/
GNU General Public License v3.0
458 stars, 57 forks

Change the "Expires" to something greater than 60 minutes #1060

Closed evanstucker-hates-2fa closed 1 week ago

evanstucker-hates-2fa commented 1 week ago

Is your feature request related to a problem? Please describe.
I am frustrated that I have to run aws-sso-profile at least 8 times during a regular workday, because the sessions expire in 60 minutes. I am constantly running kubectl commands or k9s and having them fail, then having to re-run aws-sso-profile to refresh my session.

Describe the solution you'd like
Is there a way to set the expiration to once every 8, 12, or 24 hours?

Describe alternatives you've considered
My solution is this goofy script I wrote: https://gitlab.com/devopscoop/scripts/-/blob/main/aws_configure_all_sso.sh?ref_type=heads ...but I would prefer to use aws-sso-cli because of the enhanced security.

Additional context
Perhaps it's an anti-pattern from a security perspective to increase the session expiration above 60 minutes, but it's so annoying that I've fallen back to using the standard AWS CLI (via the script above). However, I still think encryption + 8 hour expiration is better security than no encryption and whatever magic AWS CLI uses to avoid the 60 minute expiration.

evanstucker-hates-2fa commented 1 week ago

Just to clarify, this is the expiration I'm talking about (not the top one, but the 59m one):

$ aws-sso list
List of AWS roles for SSO Instance: Default [Expires in: 6h 20m]

AccountIdPad | AccountAlias | RoleName            | Profile                            | Expires
================================================================================================
REDACTED     | REDACTED     | REDACTED            | REDACTED                           |     59m

synfinatic commented 1 week ago

Hi @evanstucker-hates-2fa,

This is not something that aws-sso controls, but rather the administrator of AWS Identity Center. Assuming you are the admin, you can navigate in the AWS Console to: IAM Identity Center -> Permission Sets and then select the permission set whose session time you wish to increase. Click Edit and then change the Session duration to the desired value.

more info: https://docs.aws.amazon.com/singlesignon/latest/userguide/howtosessionduration.html

evanstucker-hates-2fa commented 1 week ago

For users who are not also AWS IAM Identity Center admins, perhaps there could be a helper service? Something that runs aws-sso eval -r in the background or something?

Updated: The command was aws-sso eval -r, but I think that doesn't do what I thought it would do either...

evanstucker-hates-2fa commented 1 week ago

Is there any command that refreshes the expiration time - sets it back to 60m?

synfinatic commented 1 week ago

There's really no great portable way to do this right now. In the future, I kinda hope the ecs server running in docker can deal with this sorta use case, but it's gonna be a long way before that happens. In all honesty, your best bet is to talk to your admin and ask them to increase the default 1hr value and explain why it's a problem. Most of the time, they just accepted the defaults without thinking.

evanstucker-hates-2fa commented 1 week ago

Understood.

I wonder how the official aws CLI manages this? After I've configured my SSO profiles with it, I set AWS_PROFILE once, and it seems to function all day... They must be doing something sneaky...

synfinatic commented 1 week ago

Oh, if you want to use the AWS_PROFILE environment variable then the config-profiles command will do what you want by generating the appropriate entries in your ~/.aws/config file.

What I can't do easily is modify your current shell's environment.

evanstucker-hates-2fa commented 1 week ago

I'll try that and let you know if it solves the issue. Thanks!

evanstucker-hates-2fa commented 1 week ago

Hey! That works! After running aws-sso config-profiles to set it up, I need to run aws-sso-profile my_profile once in the morning, then export AWS_PROFILE=my_profile, and it automatically refreshes the token if it's expired! Thank you!

synfinatic commented 1 week ago

I'm not really sure why you're running aws-sso-profile xxxx at all. You should just need export AWS_PROFILE=xxx. Is there a problem if you don't?

evanstucker-hates-2fa commented 6 days ago

I thought I had some problem with that, but I just ran these commands this morning and everything worked:

$ export AWS_PROFILE=my_profile
$ aws sts get-caller-identity
# Opened browser to complete SSO auth, then got this output.
{
    "UserId": "AROAQIJREDACTEDFJNUZ2:evans",
    "Account": "017999999995",
    "Arn": "arn:aws:sts::017999999995:assumed-role/AWSReservedSSO_AdministratorAccess_9affbd59dc097fd3/evans"
}
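The reason the AWS_PROFILE flow above "works all day" while the 60-minute role credentials keep expiring is the credential_process contract: the CLI re-runs the helper named in ~/.aws/config on every call that needs credentials, and the helper silently mints fresh 60-minute role credentials from the longer-lived SSO session (the "Expires in: 6h 20m" one) until that session itself ends. The following is an added illustration of that contract, not aws-sso-cli's own code; the SSO/STS round trip, the timestamps, the role ARN and the shape of the config entry are all assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

REFRESH_MARGIN = timedelta(minutes=5)        # renew shortly before hard expiry
ROLE_CREDS_LIFETIME = timedelta(minutes=60)  # the permission set's session duration


def sso_get_role_credentials(now, sso_expires):
    """Constructed stand-in for the SSO GetRoleCredentials call: hands out
    60-minute role credentials from the long-lived SSO session, or fails
    when that session (the 'Expires in: 6h 20m' one) itself has lapsed."""
    if now >= sso_expires:
        raise RuntimeError("SSO access token expired: browser login required")
    return {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "secretEXAMPLE",
            "SessionToken": "tokenEXAMPLE",   # constructed values
            "Expiration": (now + ROLE_CREDS_LIFETIME).isoformat()}


def credentials_for(cache, role_arn, now, sso_expires):
    """One credential_process invocation. Returns (JSON-ready dict, refreshed?).
    `cache` persists between invocations, like a file under ~/.aws/cli/cache."""
    cached = cache.get(role_arn)
    if cached and datetime.fromisoformat(cached["Expiration"]) - now > REFRESH_MARGIN:
        return {"Version": 1, **cached}, False
    creds = sso_get_role_credentials(now, sso_expires)
    cache[role_arn] = creds
    return {"Version": 1, **creds}, True   # Version 1 is the only accepted schema


def simulate_workday(call_offsets_min, sso_lifetime_min=480):
    """Replay CLI calls at the given minutes after login and return which ones
    needed a silent refresh. Raises once the SSO session is over."""
    login = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)     # constructed
    cache, role = {}, "arn:aws:iam::123456789012:role/Admin"    # constructed
    sso_expires = login + timedelta(minutes=sso_lifetime_min)
    return [credentials_for(cache, role, login + timedelta(minutes=m), sso_expires)[1]
            for m in call_offsets_min]


if __name__ == "__main__":
    # Assumed shape of the entry config-profiles writes to ~/.aws/config:
    #   [profile my_profile]
    #   credential_process = aws-sso process --arn arn:aws:iam::123456789012:role/Admin
    now = datetime.now(timezone.utc)
    print(json.dumps(credentials_for({}, "arn:aws:iam::123456789012:role/Admin",
                                     now, now + timedelta(hours=8))[0]))
```

Once the SSO session is gone the helper can only fail, which is the point at which the CLI opens the browser again; the permission set's session duration and the Identity Center session length are the two knobs that bound this, and both are admin-side settings as noted above.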