Assume role fails if you've previously eval'd
ejholmes opened this issue
Eric Holmes commented
If you eval, then wait 1 hour, then eval again, the call to AssumeRole fails because the existing credentials are present in the environment:
```
$ eval $(assume-role role)
$ sleep 3600  # 1 hour
$ eval $(assume-role role)
A client error (ExpiredToken) occurred when calling the AssumeRole operation: The security token included in the request is expired
```
Eric Holmes commented
Dunno what the best thing to do here would be. I don't really want to blindly remove any AWS_* environment variables, because that could prevent cases where you actually want to use the credentials in the environment to assume the role.
Maybe a `--without-env` flag to clear the environment before calling AssumeRole?
Eric Holmes commented
Or, have `assume-role` output an environment variable that it can check on the next call; if it's present, clear the environment, which would work as expected when doing consecutive evals.
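
The marker-variable idea from the last comment, sketched as an added shell example (not code from assume-role or from the issue's author). The variable name `ASSUME_ROLE_SESSION` and the function names are hypothetical, the key values are constructed, and the base credentials for the AssumeRole call are assumed to come from somewhere other than the environment, such as a shared credentials file.

```shell
#!/bin/sh
# Hypothetical sketch: tag the exported session with a marker so the next
# run can tell its own (possibly expired) credentials apart from
# credentials the user deliberately placed in the environment.

# Print the export lines that the caller passes to eval.
# $1/$2/$3 stand in for the key id, secret and session token that an
# AssumeRole response would carry (constructed values in this sketch).
emit_exports() {
    printf "export AWS_ACCESS_KEY_ID='%s'\n" "$1"
    printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$2"
    printf "export AWS_SESSION_TOKEN='%s'\n" "$3"
    # Marker (hypothetical name): "these credentials came from a prior eval".
    printf "export ASSUME_ROLE_SESSION=1\n"
}

# Run before calling AssumeRole. Session credentials are dropped only when
# the marker shows a previous eval set them; credentials without the marker
# are left in place so they can still be used to assume the role.
scrub_stale_session() {
    if [ -n "${ASSUME_ROLE_SESSION:-}" ]; then
        # AWS_SECURITY_TOKEN is the legacy name for the session token.
        unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY \
              AWS_SESSION_TOKEN AWS_SECURITY_TOKEN ASSUME_ROLE_SESSION
    fi
    return 0
}

# Stand-in for one `eval $(assume-role role)` round trip.
refresh_session() {
    scrub_stale_session
    # A real wrapper would call AssumeRole here with whatever credentials
    # remain, then feed the response values to emit_exports.
    eval "$(emit_exports "$1" "$2" "$3")"
}
```
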