aws cli SSO duration is limited to 1 hour

0

Hi, I have set up an AWS Organization with various AWS accounts under it. The only login is via AWS SSO, where the identity provider is Google Workspace. The 'Maximum session duration' in the IAM Identity Center settings is set to 8 hours. The 'Session duration' in each permission set that I have is set to 12 hours. The problem is that doing aws --profile <profile> sso login only provides a session of 1 hour, and the AWS CLI checks that you have at least 15 minutes left in the session for every command, so it's effectively just 45 minutes.

Can you please help me find what I'm doing wrong? How can I extend the session to 8 or 12 hours, or another value, for the CLI?

Thank you, Dror

Asked a year ago, 649 views
4 answers
0

Yes, I did: [screenshot] This is one of the permission sets; all the others are set the same way. Everything is via Pulumi (like Terraform).

Answered a year ago
0

Hi,

See https://docs.aws.amazon.com/singlesignon/latest/userguide/howtosessionduration.html

To set the session duration
1. Open the IAM Identity Center console.
2. Under Multi-account permissions, choose Permission sets.
3. Choose the name of the permission set for which you want to change the session duration.
4. On the details page for the permission set, to the right of the General settings section heading, choose Edit.
5. On the Edit general permission set settings page, choose a new value for Session duration.

Did you do step #5 ?

AWS
Expert
Answered a year ago
0

What may be occurring is that the SAML assertion has the SessionNotOnOrAfter attribute defined. If so, please check whether that's set to a one-hour duration.

“Note, too, that if a SessionNotOnOrAfter attribute is also defined, then the lesser value of the two attributes, SessionDuration or SessionNotOnOrAfter, establishes the maximum duration of the console session” See this for details

AWS
Answered a year ago
0

Interesting. I'm using Google Workspace and there doesn't seem to be an option to change the session NotOnOrAfter (or any SAML assertion attributes). Am I missing something? Or maybe there is a way to override that value on the AWS side?

If I test the flow and follow the SAML response, I see this POST request:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://us-east-2.signin.aws.amazon.com/platform/saml/acs/XXXXXX" ID="XXXXXX" InResponseTo="XXXXXX" IssueInstant="2023-06-05T06:29:21.870Z" Version="2.0">
   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://accounts.google.com/o/saml2?idpid=C036z40fn</saml2:Issuer>
   <saml2p:Status>
      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
   </saml2p:Status>
   <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="XXXXX" IssueInstant="2023-06-05T06:29:21.870Z" Version="2.0">
      <saml2:Issuer>https://accounts.google.com/o/saml2?idpid=XXXXXX</saml2:Issuer>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
         <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#XXXXXX">
               <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
               </ds:Transforms>
               <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
               <ds:DigestValue>XXXXXX</ds:DigestValue>
            </ds:Reference>
         </ds:SignedInfo>
         <ds:SignatureValue>XXXXXX</ds:SignatureValue>
         <ds:KeyInfo>
            <ds:X509Data>
               <ds:X509SubjectName>ST=California,C=US,OU=Google For Work,CN=Google,L=Mountain View,O=Google Inc.</ds:X509SubjectName>
               <ds:X509Certificate>XXXXXX</ds:X509Certificate>
            </ds:X509Data>
         </ds:KeyInfo>
      </ds:Signature>
      <saml2:Subject>
         <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">XXXXXX</saml2:NameID>
         <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml2:SubjectConfirmationData InResponseTo="XXXXXX" NotOnOrAfter="2023-06-05T06:34:21.870Z" Recipient="https://us-east-2.signin.aws.amazon.com/platform/saml/acs/XXXXXX" />
         </saml2:SubjectConfirmation>
      </saml2:Subject>
      <saml2:Conditions NotBefore="2023-06-05T06:24:21.870Z" NotOnOrAfter="2023-06-05T06:34:21.870Z">
         <saml2:AudienceRestriction>
            <saml2:Audience>https://us-east-2.signin.aws.amazon.com/platform/saml/XXXXXX</saml2:Audience>
         </saml2:AudienceRestriction>
      </saml2:Conditions>
      <saml2:AuthnStatement AuthnInstant="2023-06-05T06:16:04.000Z" SessionIndex="XXXXXX">
         <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
         </saml2:AuthnContext>
      </saml2:AuthnStatement>
   </saml2:Assertion>
</saml2p:Response>

(I replaced every identifier with XXXXXX.) So the NotOnOrAfter is very short. Does this cause the AWS CLI to set the duration to the minimum of 1 hour?

Answered a year ago
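To check what the IdP is actually sending, here is an added Python example (not code from the thread or from AWS) that decodes a SAMLResponse form value and reports the assertion's validity window (Conditions/@NotBefore .. @NotOnOrAfter), AuthnStatement/@SessionNotOnOrAfter and the AWS SessionDuration attribute, applying the "lesser value wins" rule quoted in the previous answer when both caps are present. The two embedded responses are constructed samples: the first mirrors the shape of the redacted response posted above (a ten-minute Conditions window, no session caps), the second adds both caps. The attribute name https://aws.amazon.com/SAML/Attributes/SessionDuration is the one AWS documents for SAML federation; the element IDs and timestamps are made up.

```python
"""Inspect a SAML 2.0 Response and report the fields that can cap an AWS session.

Added example (not part of the original thread). It separates the assertion's
validity window (Conditions/@NotBefore .. @NotOnOrAfter) from the two values that
can cap the session: the AWS SessionDuration attribute and
AuthnStatement/@SessionNotOnOrAfter.
"""
import base64
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Attribute name AWS documents for the requested session length, in seconds.
SESSION_DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"

# Constructed sample modelled on the redacted response posted above: a ten-minute
# validity window, no SessionNotOnOrAfter and no SessionDuration attribute.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="R1" Version="2.0" IssueInstant="2023-06-05T06:29:21.870Z">
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="A1" Version="2.0" IssueInstant="2023-06-05T06:29:21.870Z">
    <saml2:Conditions NotBefore="2023-06-05T06:24:21.870Z" NotOnOrAfter="2023-06-05T06:34:21.870Z"/>
    <saml2:AuthnStatement AuthnInstant="2023-06-05T06:16:04.000Z" SessionIndex="S1"/>
  </saml2:Assertion>
</saml2p:Response>"""

# Constructed sample that carries both caps, to show the "lesser value wins" rule.
SAMPLE_WITH_SESSION_CAPS = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="R2" Version="2.0" IssueInstant="2023-06-05T06:29:21.000Z">
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="A2" Version="2.0" IssueInstant="2023-06-05T06:29:21.000Z">
    <saml2:Conditions NotBefore="2023-06-05T06:24:21.000Z" NotOnOrAfter="2023-06-05T06:34:21.000Z"/>
    <saml2:AuthnStatement AuthnInstant="2023-06-05T06:16:04.000Z" SessionIndex="S2" SessionNotOnOrAfter="2023-06-05T07:29:21.000Z"/>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
        <saml2:AttributeValue>43200</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""

# The browser posts the response as the base64-encoded SAMLResponse form field.
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode("utf-8")).decode("ascii")


def decode_saml_response(form_value):
    """Turn the SAMLResponse POST parameter back into XML text."""
    return base64.b64decode(form_value).decode("utf-8")


def _parse_ts(value):
    # SAML timestamps are UTC xs:dateTime with a trailing Z; fromisoformat wants +00:00.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def inspect_saml_response(xml_text):
    """Return the time-related fields of the first Assertion in a Response.

    validity_seconds:          Conditions window; how long the assertion may be presented.
    session_not_on_or_after:   AuthnStatement/@SessionNotOnOrAfter as a datetime, or None.
    session_duration_seconds:  AWS SessionDuration attribute as an int, or None.
    effective_cap_seconds:     lesser of SessionDuration and (SessionNotOnOrAfter - IssueInstant),
                               or None when the assertion carries neither.
    """
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    issued = _parse_ts(assertion.get("IssueInstant"))

    validity = None
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None and cond.get("NotBefore") and cond.get("NotOnOrAfter"):
        validity = (_parse_ts(cond.get("NotOnOrAfter")) - _parse_ts(cond.get("NotBefore"))).total_seconds()

    snoa = None
    authn = assertion.find("saml:AuthnStatement", NS)
    if authn is not None and authn.get("SessionNotOnOrAfter"):
        snoa = _parse_ts(authn.get("SessionNotOnOrAfter"))

    duration = None
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == SESSION_DURATION_ATTR:
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text:
                duration = int(value.text.strip())

    caps = []
    if duration is not None:
        caps.append(float(duration))
    if snoa is not None:
        caps.append((snoa - issued).total_seconds())

    return {
        "validity_seconds": validity,
        "session_not_on_or_after": snoa,
        "session_duration_seconds": duration,
        "effective_cap_seconds": min(caps) if caps else None,
    }


if __name__ == "__main__":
    for label, xml_text in (("posted-style response", SAMPLE_RESPONSE),
                            ("response with session caps", SAMPLE_WITH_SESSION_CAPS)):
        print(label, inspect_saml_response(xml_text))
```

Conditions/@NotOnOrAfter only bounds how long the assertion itself may be presented to the ACS URL; it is a separate field from AuthnStatement/@SessionNotOnOrAfter. To run this against a real login, copy the SAMLResponse form field from the browser's network tab into decode_saml_response() and pass the result to inspect_saml_response(); if neither session cap appears in the output, the IdP is not sending one and the limit is coming from somewhere else.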
