99designs / aws-vault

A vault for securely storing and accessing AWS credentials in development environments


Incorrect display of Session Length if command errors

Dirimsa opened this issue · comments

Version used of AWS Vault

v6.5.0

Problem description

When starting a new session with aws-vault exec that errors due to the configured MaxSessionDuration, an incorrect value for the session length is shown by the aws-vault list command.

$ aws-vault list
Profile                  Credentials              Sessions
=======                  ===========              ========
default                  -                        -
my-profile               my-profile               -

$ aws-vault exec my-profile --duration=8h
Enter MFA code for arn:aws:iam::XXXXXXXXXX:mfa/_redacted_: _redacted_

aws-vault: error: exec: Failed to get credentials for my-profile: operation error STS: AssumeRole, https response error StatusCode: 400, RequestID: 5c5e2f7d-6b0f-48f2-b9d3-6f40a8a350dc, api error ValidationError: The requested DurationSeconds exceeds the MaxSessionDuration set for this role.

$ aws-vault exec my-profile --duration=6h
aws-vault: error: exec: Failed to get credentials for my-profile: operation error STS: AssumeRole, https response error StatusCode: 400, RequestID: b829ef01-8975-4790-b2c4-4e2f3ba4b2fe, api error ValidationError: The requested DurationSeconds exceeds the MaxSessionDuration set for this role.

$ aws-vault exec my-profile --duration=1h

$ aws-vault list
Profile                  Credentials              Sessions
=======                  ===========              ========
default                  -                        -
my-profile               my-profile               sts.GetSessionToken:7h58m39s

$ aws-vault clear
Cleared 1 sessions.

Expected behaviour

  • It is expected to see the correct session length of 1h after the STS credentials have been provided.

Actual behaviour

  • An incorrect session length is shown besides the error happening.

Contents of ~/.aws/config file

$ cat ~/.aws/config
[default]
region = us-east-1
output = json
cli_history = disabled
max_attemps = 3

[profile my-profile]
mfa_serial = arn:aws:iam::XXXXXXXX:mfa/_redacted_
role_arn = arn:aws:iam::XXXXXXXX:role/_redacted_role_
role_session_name = my-test-session

The session you are seeing listed is the MFA session established for the role to avoid further MFA prompts, so this is expected.

I understand the point you are making, but in my opinion this leads to a false assumption of the session length.

After one hour my STS credentials will have timed out due to the session length; however, due to the output, it would be expected to have STS credentials for 8h, which is wrong.

Can you provide the output with --debug for each of the above commands on the latest version of aws-vault?

Hello,

Here is the output you requested. I have executed the above commands again using the --debug flag.

$ aws-vault list
Profile              Credentials          Sessions
=======              ===========          ========
default              -                    -
my-profile           my-profile           -

cweltz@Chris-Arbeit ~ $ aws-vault exec my-profile --duration=8h --debug
2023/03/17 12:26:13 aws-vault v6.5.0
2023/03/17 12:26:13 Loading config file _redacted_/.aws/config
2023/03/17 12:26:13 Parsing config file _redacted_/.aws/config
2023/03/17 12:26:13 [keyring] Considering backends: [file]
2023/03/17 12:26:13 [keyring] Expanded file dir to _redacted_/.awsvault/keys/
2023/03/17 12:26:13 profile my-profile: using stored credentials
2023/03/17 12:26:13 profile my-profile: skipping GetSessionToken because duration 8h0m0s is greater than the AWS maximum 1h0m0s for chaining MFA
2023/03/17 12:26:13 profile my-profile: using GetSessionToken (with MFA)
2023/03/17 12:26:13 profile my-profile: using AssumeRole (chained MFA)
2023/03/17 12:26:13 [keyring] Expanded file dir to _redacted_/.awsvault/keys/
2023/03/17 12:26:13 [keyring] Expanded file dir to _redacted_/.awsvault/keys/
2023/03/17 12:26:13 [keyring] Expanded file dir to _redacted_/.awsvault/keys/
Enter MFA code for arn:aws:iam::_redacted_:mfa/_redacted_: _redacted_

2023/03/17 12:26:34 Looking up keyring for 'my-profile'
2023/03/17 12:26:34 [keyring] Expanded file dir to _redacted_/.awsvault/keys/
2023/03/17 12:26:34 [keyring] Expanded file dir to _redacted_/.awsvault/keys/
Enter passphrase to unlock "_redacted_/.awsvault/keys/":
2023/03/17 12:26:45 Generated credentials ****************MRNN using GetSessionToken, expires in 7h59m7.063285104s
2023/03/17 12:26:45 [keyring] Expanded file dir to _redacted_/.awsvault/keys/
2023/03/17 12:26:45 [keyring] Expanded file dir to _redacted_/.awsvault/keys/
2023/03/17 12:26:45 [keyring] Expanded file dir to _redacted_/.awsvault/keys/
2023/03/17 12:26:45 [keyring] Expanded file dir to _redacted_/.awsvault/keys/
aws-vault: error: exec: Failed to get credentials for my-profile: operation error STS: AssumeRole, https response error StatusCode: 400, RequestID: b43f9c78-77e8-42bc-99a8-cc4760cf60e1, api error ValidationError: The requested DurationSeconds exceeds the MaxSessionDuration set for this role.

$ aws-vault list
Profile              Credentials          Sessions
=======              ===========          ========
default              -                    -
my-profile           my-profile           sts.GetSessionToken:7h57m56s

cweltz@Chris-Arbeit ~ $ aws-vault exec my-profile --duration=1h --debug

2023/03/17 12:27:12 aws-vault v6.5.0
2023/03/17 12:27:12 Loading config file _redacted_/.aws/config
2023/03/17 12:27:12 Parsing config file _redacted_/.aws/config
2023/03/17 12:27:12 [keyring] Considering backends: [file]
2023/03/17 12:27:12 [keyring] Expanded file dir to _redacted_/.awsvault/keys/
2023/03/17 12:27:12 profile my-profile: using stored credentials
2023/03/17 12:27:12 profile my-profile: using GetSessionToken (with MFA)
2023/03/17 12:27:12 profile my-profile: using AssumeRole (chained MFA)
2023/03/17 12:27:12 [keyring] Expanded file dir to _redacted_/.awsvault/keys/
2023/03/17 12:27:12 [keyring] Expanded file dir to _redacted_/.awsvault/keys/
2023/03/17 12:27:12 [keyring] Expanded file dir to _redacted_/.awsvault/keys/
2023/03/17 12:27:12 [keyring] Expanded file dir to _redacted_/.awsvault/keys/
Enter passphrase to unlock "_redacted_/.awsvault/keys/":

2023/03/17 12:27:19 Re-using cached credentials ****************MRNN from sts.GetSessionToken, expires in 7h58m33.833572797s
2023/03/17 12:27:19 Generated credentials ****************ZUJA using AssumeRole, expires in 59m7.601165286s
2023/03/17 12:27:19 Setting subprocess env: AWS_DEFAULT_REGION=us-east-1, AWS_REGION=us-east-1
2023/03/17 12:27:19 Setting subprocess env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
2023/03/17 12:27:19 Setting subprocess env: AWS_SESSION_TOKEN, AWS_SECURITY_TOKEN
2023/03/17 12:27:19 Setting subprocess env: AWS_SESSION_EXPIRATION
2023/03/17 12:27:19 Exec command /bin/bash
2023/03/17 12:27:19 Found executable /bin/bash

$ aws-vault list
Profile              Credentials          Sessions
=======              ===========          ========
default              -                    -
my-profile           my-profile           sts.GetSessionToken:7h57m56s

$ aws-vault clear
Cleared 1 sessions.
$
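The maintainer's point above is that aws-vault list reports the cached sts.GetSessionToken MFA session, while the credentials actually exported to the subprocess come from the chained AssumeRole call and expire much sooner (59m in the debug output, against 7h58m for the session). The following Go program is an added example, not aws-vault's own code: it parses the "Generated credentials" and "Re-using cached credentials" lines from a --debug run and reports the shortest remaining lifetime, which is the value an operator should treat as the real credential lifetime. The two log lines it embeds are copied from the debug output in this issue; the type and function names are the example's own.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// CredentialExpiry is one credential set reported by an aws-vault --debug run.
type CredentialExpiry struct {
	KeyIDMasked string        // masked access key id as printed (e.g. ****************ZUJA)
	Source      string        // STS operation that produced it: GetSessionToken or AssumeRole
	ExpiresIn   time.Duration // remaining lifetime at the time of the log line
	Cached      bool          // true when aws-vault re-used a cached session
}

// debugLine matches both "Generated credentials <id> using <op>, expires in <d>"
// and "Re-using cached credentials <id> from sts.<op>, expires in <d>" after the
// "YYYY/MM/DD HH:MM:SS" timestamp that aws-vault prefixes to every debug line.
var debugLine = regexp.MustCompile(
	`^\S+ \S+ (Generated|Re-using cached) credentials (\S+) (?:using|from) ([^,\s]+), expires in (\S+)$`)

// SampleDebugLog holds lines copied from the --debug output in the issue
// (the third line is there to show that non-matching lines are skipped).
const SampleDebugLog = `2023/03/17 12:27:19 Re-using cached credentials ****************MRNN from sts.GetSessionToken, expires in 7h58m33.833572797s
2023/03/17 12:27:19 Generated credentials ****************ZUJA using AssumeRole, expires in 59m7.601165286s
2023/03/17 12:27:19 Setting subprocess env: AWS_DEFAULT_REGION=us-east-1, AWS_REGION=us-east-1`

// ParseCredentialExpiries extracts every credential-expiry line from a debug log,
// in the order aws-vault printed them (session token first, role credentials last).
func ParseCredentialExpiries(log string) ([]CredentialExpiry, error) {
	var out []CredentialExpiry
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := debugLine.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		d, err := time.ParseDuration(m[4]) // Go accepts "7h58m33.833572797s" directly
		if err != nil {
			return nil, fmt.Errorf("line %q: %w", sc.Text(), err)
		}
		out = append(out, CredentialExpiry{
			KeyIDMasked: m[2],
			Source:      strings.TrimPrefix(m[3], "sts."), // "sts.GetSessionToken" -> "GetSessionToken"
			ExpiresIn:   d,
			Cached:      m[1] == "Re-using cached",
		})
	}
	return out, sc.Err()
}

// EffectiveLifetime returns the shortest remaining lifetime among the parsed
// credentials. The subprocess only receives the final (AssumeRole) credentials,
// and nothing derived from the chain can outlive its shortest link, so this is
// the number to plan around rather than the session shown by `aws-vault list`.
func EffectiveLifetime(entries []CredentialExpiry) (time.Duration, error) {
	if len(entries) == 0 {
		return 0, errors.New("no credential expiry lines found in debug log")
	}
	shortest := entries[0].ExpiresIn
	for _, e := range entries[1:] {
		if e.ExpiresIn < shortest {
			shortest = e.ExpiresIn
		}
	}
	return shortest, nil
}

func main() {
	entries, err := ParseCredentialExpiries(SampleDebugLog)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, e := range entries {
		fmt.Printf("%-16s cached=%-5t expires in %s\n", e.Source, e.Cached, e.ExpiresIn.Round(time.Second))
	}
	eff, _ := EffectiveLifetime(entries)
	fmt.Printf("credentials exported to the subprocess expire in %s\n", eff.Round(time.Second))
}
```

Run against the issue's own debug lines, the program reports the GetSessionToken session at roughly 7h58m and the AssumeRole credentials at roughly 59m, and names the latter as the effective lifetime; that is the gap between what aws-vault list displays and what the reporter expected to see.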