ECS task role chaining limitation to 1 hour


A customer is running into an error when trying to take the current task role credentials to assume a different role beyond 1 hour. They run into this error message: "ClientError: An error occurred (ValidationError) when calling the AssumeRole operation: The requested DurationSeconds exceeds the 1 hour session limit for roles assumed by role chaining."

I can't seem to find guidance on how a customer should configure the task role credentials duration beyond 1 hour so that assume role chaining can also extend beyond 1 hour. Is that possible?

AWS
asked 4 years ago, 1065 views
1 Answer
Accepted Answer

I am currently working on a container that ran into exactly the same issue. I made an assume-role call and added the credentials directly to the invocation of a third-party lib. The moment the credentials timed out, all calls failed.

I found this merge request https://github.com/boto/botocore/pull/1313!

Now, I created a profile with the EcsContainer source:

[profile crossaccount]
role_arn="${CROSS_ACCOUNT_ROLE_ARN}"
credential_source=EcsContainer

I pass this profile to the 3rd party lib instead. Under the hood, this profile is registered in the credentials provider chain which solves the issue.

Best regards

AWS
answered 4 years ago
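
As an added example (not part of the original answer and not botocore's own code), this stdlib-only Python renders the `crossaccount` profile from the answer, checks it for the failure modes on this page, and installs it for the SDK. The function names and the sample ARN are constructed for illustration; `duration_seconds`, `AWS_CONFIG_FILE` and `AWS_PROFILE` are standard AWS config settings.

```python
import configparser
import os
import tempfile

ROLE_CHAIN_MAX_SECONDS = 3600  # limit quoted in the ValidationError above
VALID_SOURCES = {"Environment", "Ec2InstanceMetadata", "EcsContainer"}

def render_profile(role_arn, name="crossaccount", duration_seconds=None):
    """Build AWS config text for a profile that chains from the ECS task role."""
    lines = [f"[profile {name}]", f"role_arn={role_arn}",
             "credential_source=EcsContainer"]
    if duration_seconds is not None:
        lines.append(f"duration_seconds={duration_seconds}")
    return "\n".join(lines) + "\n"

def lint_profile(config_text, name="crossaccount"):
    """Return problems that would make the chained profile fail at runtime."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    section = f"profile {name}"
    if not parser.has_section(section):
        return [f"missing section [{section}]"]
    prof, problems = parser[section], []
    arn = prof.get("role_arn", "").strip('"')
    if not arn.startswith("arn:") or ":role/" not in arn:
        problems.append(f"role_arn is not a role ARN (unrendered template?): {arn}")
    if prof.get("credential_source") not in VALID_SOURCES:
        problems.append("credential_source must be one of " + ", ".join(sorted(VALID_SOURCES)))
    if prof.getint("duration_seconds", fallback=0) > ROLE_CHAIN_MAX_SECONDS:
        problems.append("duration_seconds exceeds the 1 hour role-chaining limit")
    return problems

def install_profile(config_text, directory, name="crossaccount"):
    """Write the config with owner-only permissions and select it for the SDK."""
    path = os.path.join(directory, "config")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(config_text)
    os.chmod(path, 0o600)
    os.environ["AWS_CONFIG_FILE"] = path
    os.environ["AWS_PROFILE"] = name
    return path

if __name__ == "__main__":
    # Constructed sample ARN; a real task would read CROSS_ACCOUNT_ROLE_ARN.
    arn = os.environ.get("CROSS_ACCOUNT_ROLE_ARN",
                         "arn:aws:iam::111122223333:role/constructed-example")
    text = render_profile(arn)
    assert lint_profile(text) == [], lint_profile(text)
    print(install_profile(text, tempfile.mkdtemp()))
```

With the profile installed, `boto3.Session(profile_name="crossaccount")` resolves it through the credential provider chain instead of being handed a fixed set of temporary keys.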
