Closed jakepearson closed 3 years ago
This is unfortunately due to a limitation with AWS. AWS does not let you chain role assumptions for durations greater than 1 hour. Even though your `sts get-session-token` credentials were coming from an IAM user and not a role, according to AWS, the temporary user session credentials are still treated as role credentials and rejects when you try to use a role duration greater than 1 hour. This means we can't take advantage of the cached mfa-authenticated credentials. So to support `--role-duration` with profiles that require MFA, we pass the MFA token to the role's `assume-role` call, instead of the user's `get-session-token` call.
I hope this helps make it clearer!
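The behaviour described in the reply above, as an added example that is not part of the thread and is not awsume's own code: a simplified model of which STS call carries the MFA token and when a prompt is needed. The `Profile` class, `plan_sts_calls`, the session name and the ARNs are constructed for illustration; the keyword names are the STS `AssumeRole` and `GetSessionToken` request parameters.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Profile:
    """Hypothetical stand-in for one profile entry in the AWS config."""
    role_arn: str
    mfa_serial: Optional[str] = None
    role_duration: Optional[int] = None  # seconds, from the role-duration setting


def plan_sts_calls(profile, mfa_session_cached, token_code="<MFA code>"):
    """Return (calls, prompts_for_mfa); calls is a list of (operation, kwargs)."""
    assume = {"RoleArn": profile.role_arn, "RoleSessionName": "example-session"}
    if profile.role_duration:
        assume["DurationSeconds"] = profile.role_duration

    if profile.mfa_serial is None:
        return [("AssumeRole", assume)], False

    if profile.role_duration:
        # Per the reply: the MFA token goes on the role's assume-role call,
        # so the cached MFA-authenticated user session cannot be used and
        # a fresh token is needed every time.
        assume["SerialNumber"] = profile.mfa_serial
        assume["TokenCode"] = token_code
        return [("AssumeRole", assume)], True

    # Default path: MFA on the user's get-session-token call. That session
    # can be cached, and assume-role is then signed with it, without MFA.
    calls, prompts = [], False
    if not mfa_session_cached:
        calls.append(("GetSessionToken",
                      {"SerialNumber": profile.mfa_serial, "TokenCode": token_code}))
        prompts = True
    calls.append(("AssumeRole", assume))
    return calls, prompts


# Constructed sample values, not taken from the thread.
ROLE = "arn:aws:iam::111122223333:role/ExampleRole"
MFA = "arn:aws:iam::111122223333:mfa/example-user"

if __name__ == "__main__":
    for duration in (None, 14400):
        profile = Profile(ROLE, MFA, duration)
        for cached in (False, True):
            print(duration, cached, plan_sts_calls(profile, cached))
```

With `role_duration` set, the plan asks for an MFA token on every run regardless of the cache, which matches what the reporter observed.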
Thanks for the extra information. Have a great day.
I started to use awsume and it seems great. I wanted to extend the duration of my token on an account I use with `mfa` configured. After I ran this command: I get prompted for my `mfa` token each time I run `awsume`. When I remove the `role-duration` line from my config, it goes back to working as expected. Do these 2 features not work together or did I misconfigure my config or is this a bug?