remind101 / assume-role

Easily assume AWS roles in your terminal.

Assume role fails if you've previously eval'd

ejholmes opened this issue

If you eval, then wait 1 hour, then eval again, the call to AssumeRole fails because the existing credentials are present in the environment:

$ eval $(assume-role role)
$ sleep 3600  # 1 hour
$ eval $(assume-role role)

A client error (ExpiredToken) occurred when calling the AssumeRole operation: The security token included in the request is expired

Dunno what the best thing to do here would be. I don't really want to blindly remove any AWS_* environment variables, because that could prevent cases where you actually want to use the credentials in the environment to assume the role.

Maybe a --without-env flag to clear the environment before calling AssumeRole?

Or, have assume-role output an environment variable that it can check on the next call; if it's present, clear the environment, which would work as expected when doing consecutive evals.
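
The marker-variable idea from the last paragraph, sketched in Go as an added example (not part of the issue or of assume-role's own code). The variable name `ASSUMED_ROLE` and the functions `baseEnv` and `exportLines` are hypothetical; credentials set by hand, with no marker present, are left untouched.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// markerVar is a hypothetical name; the issue does not say what to call it.
const markerVar = "ASSUMED_ROLE"

// Credential variables that a previous eval would have exported.
var credVars = map[string]bool{
	"AWS_ACCESS_KEY_ID": true, "AWS_SECRET_ACCESS_KEY": true,
	"AWS_SESSION_TOKEN": true, "AWS_SECURITY_TOKEN": true,
}

// baseEnv returns the environment to make the AssumeRole call with. Credentials
// are dropped only when the marker shows they came from an earlier eval.
func baseEnv(environ []string) (env []string, cleared bool) {
	for _, kv := range environ {
		n := strings.SplitN(kv, "=", 2)[0]
		if n == markerVar {
			cleared = true
		}
		if !credVars[n] && n != markerVar {
			env = append(env, kv)
		}
	}
	if !cleared {
		return environ, false
	}
	return env, true
}

// exportLines renders what eval consumes: the new credentials plus the marker.
func exportLines(role, keyID, secret, token string) []string {
	q := func(v string) string { return "'" + strings.ReplaceAll(v, "'", `'\''`) + "'" }
	return []string{
		"export AWS_ACCESS_KEY_ID=" + q(keyID),
		"export AWS_SECRET_ACCESS_KEY=" + q(secret),
		"export AWS_SESSION_TOKEN=" + q(token),
		"export " + markerVar + "=" + q(role),
	}
}

func main() {
	env, cleared := baseEnv(os.Environ())
	fmt.Fprintf(os.Stderr, "cleared=%v, kept %d variables\n", cleared, len(env))
}
```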