aws cli SSO duration is limited to 1 hour

0

Hi, I have set up an AWS organization with various AWS accounts under it. The only login is via AWS SSO, where the identity provider is Google Workspace. The 'Maximum session duration' in the IAM Identity Center settings is set to 8 hours. The 'Session duration' in each permission set that I have is set to 12 hours. The problem is that doing aws --profile <profile> sso login only provides a session of 1 hour, and the aws cli checks that you have at least 15 minutes left in the session for every command, so it's effectively just 45 minutes.

Can you please help me find what I'm doing wrong? How can I extend the session to 8 or 12 or other value for the cli?

Thank you, Dror

asked a year ago, 614 views
4 Answers
0

Yes, I did (see screenshot): this is one of the permission sets; all the others are set the same way. Everything is via Pulumi (like Terraform).

answered a year ago
0

Hi,

See https://docs.aws.amazon.com/singlesignon/latest/userguide/howtosessionduration.html

To set the session duration
1. Open the IAM Identity Center console.
2. Under Multi-account permissions, choose Permission sets.
3. Choose the name of the permission set for which you want to change the session duration.
4. On the details page for the permission set, to the right of the General settings section heading, choose Edit.
5. On the Edit general permission set settings page, choose a new value for Session duration.

Did you do step #5?

AWS EXPERT
answered a year ago
0

What may be occurring is that the SAML assertion has the SessionNotOnOrAfter attribute defined. If so, please check if that's set to an hour's duration.

"Note, too, that if a SessionNotOnOrAfter attribute is also defined, then the lesser value of the two attributes, SessionDuration or SessionNotOnOrAfter, establishes the maximum duration of the console session." See this for details.

AWS
answered a year ago
0

Interesting. I'm using Google Workspace, and it seems there isn't an option to change SessionNotOnOrAfter (or any SAML assertion attributes); am I missing something? Or maybe there is a way to override that value on the AWS side?

If I test the flow and follow the SAML response, I see this POST request:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://us-east-2.signin.aws.amazon.com/platform/saml/acs/XXXXXX" ID="XXXXXX" InResponseTo="XXXXXX" IssueInstant="2023-06-05T06:29:21.870Z" Version="2.0">
   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://accounts.google.com/o/saml2?idpid=C036z40fn</saml2:Issuer>
   <saml2p:Status>
      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
   </saml2p:Status>
   <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="XXXXX" IssueInstant="2023-06-05T06:29:21.870Z" Version="2.0">
      <saml2:Issuer>https://accounts.google.com/o/saml2?idpid=XXXXXX</saml2:Issuer>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
         <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#XXXXXX">
               <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
               </ds:Transforms>
               <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
               <ds:DigestValue>XXXXXX</ds:DigestValue>
            </ds:Reference>
         </ds:SignedInfo>
         <ds:SignatureValue>XXXXXX</ds:SignatureValue>
         <ds:KeyInfo>
            <ds:X509Data>
               <ds:X509SubjectName>ST=California,C=US,OU=Google For Work,CN=Google,L=Mountain View,O=Google Inc.</ds:X509SubjectName>
               <ds:X509Certificate>XXXXXX</ds:X509Certificate>
            </ds:X509Data>
         </ds:KeyInfo>
      </ds:Signature>
      <saml2:Subject>
         <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">XXXXXX</saml2:NameID>
         <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml2:SubjectConfirmationData InResponseTo="XXXXXX" NotOnOrAfter="2023-06-05T06:34:21.870Z" Recipient="https://us-east-2.signin.aws.amazon.com/platform/saml/acs/XXXXXX" />
         </saml2:SubjectConfirmation>
      </saml2:Subject>
      <saml2:Conditions NotBefore="2023-06-05T06:24:21.870Z" NotOnOrAfter="2023-06-05T06:34:21.870Z">
         <saml2:AudienceRestriction>
            <saml2:Audience>https://us-east-2.signin.aws.amazon.com/platform/saml/XXXXXX</saml2:Audience>
         </saml2:AudienceRestriction>
      </saml2:Conditions>
      <saml2:AuthnStatement AuthnInstant="2023-06-05T06:16:04.000Z" SessionIndex="XXXXXX">
         <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
         </saml2:AuthnContext>
      </saml2:AuthnStatement>
   </saml2:Assertion>
</saml2p:Response>

(I replaced every identifier with XXXXXX.) So the NotOnOrAfter is very short; does this cause the aws cli to set the duration to the minimum of 1 hour?

answered a year ago
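An added example, not code from this thread or from AWS: a Python script that pulls the timing attributes out of a SAML Response shaped like the one posted above, using a constructed copy of that response in which the identifiers and the ACS URL are replaced by placeholders. It shows that the 10-minute Conditions window is the assertion's acceptance window rather than a session length, and that the SessionNotOnOrAfter attribute the earlier answer refers to would sit on AuthnStatement, which in this response carries none.

```python
# Added example for this thread (not AWS's or the poster's code): read the timing attributes
# out of a SAML Response shaped like the one posted above. The sample is constructed from that
# response, with identifiers and the ACS URL replaced by placeholders.
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="XXXXXX" Version="2.0" IssueInstant="2023-06-05T06:29:21.870Z">
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="XXXXX"
      Version="2.0" IssueInstant="2023-06-05T06:29:21.870Z">
    <saml2:Subject>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData NotOnOrAfter="2023-06-05T06:34:21.870Z"
            Recipient="https://acs.example.invalid/placeholder"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2023-06-05T06:24:21.870Z" NotOnOrAfter="2023-06-05T06:34:21.870Z"/>
    <saml2:AuthnStatement AuthnInstant="2023-06-05T06:16:04.000Z" SessionIndex="XXXXXX"/>
  </saml2:Assertion>
</saml2p:Response>"""

def parse_ts(value):
    # SAML timestamps are xs:dateTime in UTC with a trailing 'Z'.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def assertion_timing(xml_text):
    """Validity window, bearer-confirmation window and session attribute of the first assertion."""
    assertion = ET.fromstring(xml_text).find("saml2:Assertion", NS)
    conditions = assertion.find("saml2:Conditions", NS)
    authn = assertion.find("saml2:AuthnStatement", NS)
    scd = assertion.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    issued = parse_ts(assertion.get("IssueInstant"))
    not_before, not_on_or_after = parse_ts(conditions.get("NotBefore")), parse_ts(conditions.get("NotOnOrAfter"))
    return {
        "not_before": not_before, "not_on_or_after": not_on_or_after,
        # How long the assertion itself is acceptable: a replay/clock-skew window, not a session length.
        "assertion_window_minutes": (not_on_or_after - not_before).total_seconds() / 60,
        # How long after issuance the bearer confirmation may still be presented to the ACS.
        "bearer_window_minutes": (parse_ts(scd.get("NotOnOrAfter")) - issued).total_seconds() / 60,
        # Minutes between the user's actual authentication at the IdP and this assertion.
        "authn_age_minutes": (issued - parse_ts(authn.get("AuthnInstant"))).total_seconds() / 60,
        # SessionNotOnOrAfter lives on AuthnStatement; None means the IdP did not send one.
        "session_not_on_or_after": authn.get("SessionNotOnOrAfter"),
    }

def acceptable_at(xml_text, now):
    """True if a strict SP would accept the assertion at `now` (NotBefore <= now < NotOnOrAfter)."""
    t = assertion_timing(xml_text)
    return t["not_before"] <= now < t["not_on_or_after"]
```

Run assertion_timing on a captured response of your own to see the same fields; a response without SessionNotOnOrAfter gives the SP no session-length hint from the IdP at all.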
