Can I increase the IAM role chaining session duration limit?
I used the AssumeRole API to assume an AWS Identity and Access Management (IAM) role using temporary credentials, but I received an error similar to the following:
"The requested DurationSeconds exceeds the 1 hour session limit for roles assumed by role chaining".
Note: Role chaining limits your AWS CLI or AWS API role session to a maximum of one hour, and this limit can't be increased. For more information, see Roles terms and concepts.
Resolution
Use the following best practices with role chaining:
The operation fails if the DurationSeconds parameter value for the temporary credentials is greater than one hour.
The one-hour role chaining limit applies only to the AWS CLI or API.
The AWS Management Console doesn't support role chaining. You can use the switch role feature in the Console to get a role's temporary credentials. The Console uses the credentials of the IAM or federated user to switch to another role. For more information, see switching to a role (console).
Multi-Factor Authentication (MFA) users with the AWS CLI use temporary credentials to assume another role. The temporary credentials use the AWS STS GetSessionToken API and are limited to one hour.
If role chaining is used to assume Role B for the same AWS account as Role A, then assign additional permissions to Role A to avoid role chaining into Role B.
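The following preflight check is an added example, not code from AWS or from this article. It takes the caller ARN that `aws sts get-caller-identity` returns and decides, before AssumeRole is called, whether the request is role chaining, which DurationSeconds value will be accepted, and whether the same-account advice above applies. The function name `plan_assume_role`, the `role_max` parameter (the target role's configured maximum session duration, supplied by the caller) and the account IDs and role names used with it are assumptions made for illustration.

```python
import re

CHAINED_LIMIT = 3600  # one-hour cap for role chaining, per the error message above
MIN_DURATION = 900    # lowest DurationSeconds value that AssumeRole accepts

# Caller ARN of a role session, as reported by sts get-caller-identity.
_SESSION = re.compile(r"^arn:(aws[a-z-]*):sts::(\d{12}):assumed-role/([^/]+)/(.+)$")
# ARN of the IAM role to assume; the role name may include a path.
_ROLE = re.compile(r"^arn:(aws[a-z-]*):iam::(\d{12}):role/(.+)$")


def plan_assume_role(caller_arn, target_role_arn, requested, role_max=3600):
    """Return the DurationSeconds to send and any notes for the operator.

    role_max is the target role's maximum session duration in seconds
    (assumption: the caller looked it up; 3600 is the IAM default).
    """
    target = _ROLE.match(target_role_arn)
    if target is None:
        raise ValueError(f"not an IAM role ARN: {target_role_arn}")
    if requested < MIN_DURATION:
        raise ValueError(f"DurationSeconds must be at least {MIN_DURATION}")

    # A caller that is itself a role session makes this call role chaining.
    session = _SESSION.match(caller_arn)
    chained = session is not None
    limit = min(role_max, CHAINED_LIMIT) if chained else role_max

    notes = []
    if requested > limit:
        reason = "role chaining" if chained else "the role's maximum session duration"
        notes.append(f"requested {requested}s lowered to {limit}s because of {reason}")
    if chained and session.group(2) == target.group(2):
        # Same-account chain: the article's advice is to extend Role A instead.
        notes.append(
            f"{session.group(3)} and the target role are in account "
            f"{target.group(2)}; grant {session.group(3)} the needed permissions "
            "instead of chaining"
        )
    return {"chained": chained, "duration": min(requested, limit), "notes": notes}


if __name__ == "__main__":
    # Constructed sample ARNs; 111122223333 is a documentation account ID.
    print(plan_assume_role(
        "arn:aws:sts::111122223333:assumed-role/RoleA/dev-session",
        "arn:aws:iam::111122223333:role/RoleB",
        requested=7200,
        role_max=43200,
    ))
```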