Can I increase the duration of the IAM role chaining session?


I used the AssumeRole API with temporary credentials to assume an AWS Identity and Access Management (IAM) role. However, I received an error similar to the following: "The requested DurationSeconds exceeds the 1 hour session limit for roles assumed by role chaining."

Resolution

Role chaining occurs when you use the temporary security credentials of one IAM role session to assume another role through the AWS CLI or AWS API. Role chaining limits that role session to a maximum of 1 hour, regardless of the maximum session duration setting on the role you assume. You can't increase this limit. The 1-hour maximum applies to the AWS CLI and AWS API, which are the only interfaces through which role chaining can occur. For more information about role chaining, see Roles terms and concepts.

Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Use the following best practices with role chaining:

  • In a chained AssumeRole call, a DurationSeconds parameter value greater than 3600 (1 hour) causes the operation to fail with the error shown above, even if the target role's maximum session duration setting is higher.
  • The AWS Management Console doesn't support role chaining. To get the temporary credentials of a role in the console, use the switch role feature. The console switches roles with the credentials of the signed-in IAM user or federated user, not with the credentials of another role.
  • Users who use multi-factor authentication (MFA) with the AWS CLI typically first get temporary credentials from the AWS STS GetSessionToken API and then use those credentials to assume another role. The resulting role session is limited to 1 hour.
  • If Role A and Role B are in the same AWS account and you use role chaining only to get Role B's permissions, consider granting those permissions to Role A directly. Role A then doesn't need to assume Role B, so the 1-hour role chaining limit doesn't apply. Grant only the specific permissions the workload needs, because this widens what Role A can do.
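
The following bash wrapper is an added example for this page, not code from the Knowledge Center article or from AWS. It reads the caller's ARN with `aws sts get-caller-identity`, treats an assumed-role ARN as a sign that the next AssumeRole call will be role chaining, and lowers `--duration-seconds` to 3600 before calling STS instead of letting the call fail with the error quoted above. The account ID 123456789012, the roles RoleA and RoleB, and the session names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example for this page (not from the Knowledge Center article or AWS):
# a wrapper around `aws sts assume-role` that detects role chaining from the
# caller's ARN and caps --duration-seconds at the 1-hour chaining limit.
# Hypothetical values: account ID 123456789012, RoleA/RoleB, session names.

CHAIN_LIMIT=3600   # hard limit for a chained role session, in seconds

# True when the ARN is an assumed-role session ARN, i.e. the caller is already
# running on role credentials and the next AssumeRole will be role chaining.
is_role_session() {
  case "$1" in
    arn:*:sts::*:assumed-role/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the DurationSeconds to request: the caller's value, or 3600 when the
# caller is a role session and asked for more than that.
cap_for_chaining() {
  local caller_arn=$1 requested=$2
  if is_role_session "$caller_arn" && [ "$requested" -gt "$CHAIN_LIMIT" ]; then
    echo "$CHAIN_LIMIT"
  else
    echo "$requested"
  fi
}

# Assume ROLE_ARN for SESSION_NAME, lowering the requested duration when the
# current credentials are a role session. Needs the AWS CLI and credentials;
# the two helpers above are pure and need neither.
assume_role_chain_safe() {
  local role_arn=$1 session_name=$2 requested=$3 caller_arn duration
  caller_arn=$(aws sts get-caller-identity --query Arn --output text) || return 1
  duration=$(cap_for_chaining "$caller_arn" "$requested")
  if [ "$duration" != "$requested" ]; then
    echo "note: $caller_arn is a role session; lowering DurationSeconds from $requested to $duration" >&2
  fi
  # Prints AccessKeyId, SecretAccessKey and SessionToken, tab-separated.
  aws sts assume-role --role-arn "$role_arn" \
    --role-session-name "$session_name" \
    --duration-seconds "$duration" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text
}

# Worked chain, only when invoked with --run: RoleA for up to 12 hours (if its
# maximum session duration allows), then RoleB from inside that session. The
# second call is role chaining; requesting 43200 there directly would fail with
# "The requested DurationSeconds exceeds the 1 hour session limit for roles
# assumed by role chaining", so the wrapper requests 3600 instead.
if [ "${1:-}" = "--run" ]; then
  ROLE_A="arn:aws:iam::123456789012:role/RoleA"   # hypothetical
  ROLE_B="arn:aws:iam::123456789012:role/RoleB"   # hypothetical
  creds=$(assume_role_chain_safe "$ROLE_A" chain-demo 43200) || exit 1
  AWS_ACCESS_KEY_ID=$(printf '%s\n' "$creds" | cut -f1)
  AWS_SECRET_ACCESS_KEY=$(printf '%s\n' "$creds" | cut -f2)
  AWS_SESSION_TOKEN=$(printf '%s\n' "$creds" | cut -f3)
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
  assume_role_chain_safe "$ROLE_B" chain-demo 43200   # capped to 3600
fi
```

Two caveats. Credentials obtained from GetSessionToken (the MFA case in the list above) report the IAM user's own ARN from get-caller-identity, so this ARN check cannot tell them apart from long-term user credentials; if that path is limited to 1 hour in your setup, cap the duration explicitly. Silently lowering the duration is a convenience choice; in automation you may prefer to fail loudly so that a job doesn't run with a session that expires earlier than the job expects.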

Related information

Troubleshooting IAM and Amazon EC2

3 Comments

This contradicts https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html, which says the default is 1 hour but it is possible to increase the limit to up to 12 hours, as long as the assumed role allows it. The duration can be specified in AWS CLI and AWS API calls; however, the AWS Console does not support changing the duration, so it defaults to 1 hour.

replied 3 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 3 months ago

The above-mentioned STS docs do state 1 hour for chained roles:

Role chaining limits your AWS CLI or AWS API role session to a maximum of one hour. When you use the AssumeRole API operation to assume a role, you can specify the duration of your role session with the DurationSeconds parameter. You can specify a parameter value of up to 43200 seconds (12 hours), depending on the maximum session duration setting for your role. However, if you assume a role using role chaining and provide a DurationSeconds parameter value greater than one hour, the operation fails. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide.

duckfez
replied 2 months ago