
IoT role alias has wrong expiration time.

0

We are using CloudFormation to create our resources, and we create an IAM role and an IoT role alias.

This is the IAM role:

  IotS3AccessRole:
    Type: AWS::IAM::Role
    Properties:
      MaxSessionDuration: 43200
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - credentials.iot.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
              - ....

And this is the IoT role alias:

  IotS3AccessRoleAlias:
    Type: AWS::IoT::RoleAlias
    Properties:
      CredentialDurationSeconds: 43200
      RoleAlias: !Ref IotS3AccessRoleAliasName
      RoleArn: !GetAtt IotS3AccessRole.Arn

We set it to a 12h expiration time (43200s), but in the AWS console the role alias is created with a 1h expiration time (3600s). I can change it manually in the AWS console and it works perfectly, but I don't know why it is created with 3600s.


Could this be an AWS bug? Or am I doing something wrong?

2 Answers
1
Accepted Answer

Hi, thanks for reporting this. We have verified there is an issue with the Create operation in CloudFormation which causes this problem. A fix is underway and will be deployed to all regions in the coming weeks. As workarounds you can:

  1. first create the role alias without specifying the value and then update it to the desired duration through CloudFormation. Or,
  2. create a custom resource that creates the role alias using boto3
AWS
EXPERT
answered 3 years ago
EXPERT
reviewed 2 years ago
  • Thank you! Should I mark this answer as accepted? Or leave it open?

  • The issue has been fixed, and please mark the answer as accepted.
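Workaround 2 above (a custom resource that calls boto3) is sketched here as an added example; it is not code from the question, the accepted answer or AWS. It creates or updates the alias with the documented `create_role_alias` / `update_role_alias` calls, then reads the alias back with `describe_role_alias` and checks that `credentialDurationSeconds` really is the requested value, because the whole point of the thread is that the requested value can be silently replaced by the 3600 s default. The `FakeIot` class is a constructed stub of the boto3 IoT client that reproduces that symptom so the code runs offline; the ARNs and account number in it are made up.

```python
# Added example: Lambda-backed CloudFormation custom resource for an IoT role alias.
# Not the original poster's code and not an AWS-provided handler.
import json
import urllib.request

MIN_DURATION, MAX_DURATION, DEFAULT_DURATION = 900, 43200, 3600  # CreateRoleAlias limits/default


def _iot_client():
    import boto3  # imported lazily so the module loads without boto3 installed
    return boto3.client("iot")


def ensure_role_alias(props, request_type, iot=None):
    """Create/Update/Delete the alias, then verify the duration on the service side.

    props are the custom resource's ResourceProperties (strings, as CloudFormation
    passes them). Returns PhysicalResourceId and Data for the CloudFormation response.
    """
    iot = iot or _iot_client()
    alias = props["RoleAlias"]
    if request_type == "Delete":
        try:
            iot.delete_role_alias(roleAlias=alias)
        except iot.exceptions.ResourceNotFoundException:
            pass  # rollback of a failed Create: nothing to delete
        return {"PhysicalResourceId": alias, "Data": {}}

    role_arn = props["RoleArn"]
    duration = int(props.get("CredentialDurationSeconds", DEFAULT_DURATION))
    if not MIN_DURATION <= duration <= MAX_DURATION:
        raise ValueError(f"CredentialDurationSeconds must be {MIN_DURATION}-{MAX_DURATION}, got {duration}")

    if request_type == "Create":
        iot.create_role_alias(roleAlias=alias, roleArn=role_arn, credentialDurationSeconds=duration)
    else:  # Update
        iot.update_role_alias(roleAlias=alias, roleArn=role_arn, credentialDurationSeconds=duration)

    # Read back: never trust that the write applied the value you asked for.
    desc = iot.describe_role_alias(roleAlias=alias)["roleAliasDescription"]
    if desc["credentialDurationSeconds"] != duration:
        # The symptom from the question: the value was dropped on Create. The thread
        # reports that Update honours it, so apply it explicitly and check once more.
        iot.update_role_alias(roleAlias=alias, credentialDurationSeconds=duration)
        desc = iot.describe_role_alias(roleAlias=alias)["roleAliasDescription"]
        if desc["credentialDurationSeconds"] != duration:
            raise RuntimeError(f"{alias} still has {desc['credentialDurationSeconds']} s, wanted {duration} s")
    return {"PhysicalResourceId": alias,
            "Data": {"RoleAliasArn": desc["roleAliasArn"],
                     "CredentialDurationSeconds": desc["credentialDurationSeconds"]}}


def send_response(event, status, physical_id, data, reason=""):
    """PUT the result to the presigned S3 URL that CloudFormation puts in the event."""
    body = json.dumps({"Status": status, "Reason": reason or "see CloudWatch Logs",
                       "PhysicalResourceId": physical_id, "StackId": event["StackId"],
                       "RequestId": event["RequestId"], "LogicalResourceId": event["LogicalResourceId"],
                       "Data": data}).encode()
    req = urllib.request.Request(event["ResponseURL"], data=body, method="PUT",
                                 headers={"Content-Type": ""})  # presigned S3 PUT expects an empty content-type
    urllib.request.urlopen(req).close()


def handler(event, context):
    """Lambda entry point. Always answer CloudFormation, or the stack waits on the resource."""
    try:
        result = ensure_role_alias(event["ResourceProperties"], event["RequestType"])
        send_response(event, "SUCCESS", result["PhysicalResourceId"], result["Data"])
    except Exception as exc:
        physical_id = event.get("PhysicalResourceId") or event["LogicalResourceId"]
        send_response(event, "FAILED", physical_id, {}, str(exc))


class FakeIot:
    """Constructed stub of the boto3 IoT client reproducing the reported bug:
    CreateRoleAlias ignores credentialDurationSeconds, UpdateRoleAlias honours it."""

    class exceptions:
        ResourceNotFoundException = KeyError

    def __init__(self):
        self.aliases, self.calls = {}, []

    def create_role_alias(self, roleAlias, roleArn, credentialDurationSeconds):
        self.calls.append("create")
        arn = f"arn:aws:iot:eu-west-1:123456789012:rolealias/{roleAlias}"  # made-up ARN
        self.aliases[roleAlias] = {"roleAlias": roleAlias, "roleArn": roleArn, "roleAliasArn": arn,
                                   "credentialDurationSeconds": DEFAULT_DURATION}  # value dropped: the bug
        return {"roleAlias": roleAlias, "roleAliasArn": arn}

    def update_role_alias(self, roleAlias, roleArn=None, credentialDurationSeconds=None):
        self.calls.append("update")
        entry = self.aliases[roleAlias]
        if roleArn:
            entry["roleArn"] = roleArn
        if credentialDurationSeconds:
            entry["credentialDurationSeconds"] = credentialDurationSeconds
        return {"roleAlias": roleAlias, "roleAliasArn": entry["roleAliasArn"]}

    def describe_role_alias(self, roleAlias):
        self.calls.append("describe")
        return {"roleAliasDescription": dict(self.aliases[roleAlias])}

    def delete_role_alias(self, roleAlias):
        self.calls.append("delete")
        del self.aliases[roleAlias]
```

The same read-back check is worth running after any deploy, custom resource or not: `aws iot describe-role-alias --role-alias <name>` shows the `credentialDurationSeconds` the service actually stores, which is the number the device's temporary credentials will be minted with, regardless of what the template says.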

0

Hello,

Thanks for posting your query.

In order to assist you with this, I would like to know if you are getting any errors while deploying this. Since you had mentioned that with the AWS console you are able to change the expiration time (3600s), this means the expected behaviour is working fine on the service side. The value 3600s was created as this is the default value; this means the value you had input (4200) is not implemented and might be ending in some sort of error. Kindly refer to the below document for the same [1]. [1] https://docs.aws.amazon.com/iot/latest/apireference/API_CreateRoleAlias.html

Also, I would suggest you check the document [2] in regard to UpdateRole, which also explains common errors and status codes like 404 and 500. [2] https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateRole.html

AWS
answered 3 years ago
  • Hello! Thank you for answering.

    We are not getting any error while deploying, the role alias is created fine and working, but with the wrong expiration time.

    Those documentation pages say the maximum value is 43200.

    It's odd because in the SAM file I have 43200, and on the first deploy, which creates the role alias, it sets the expiration time to 3600; but if I change the SAM file to any other value, for example 1800, and deploy it again, the role alias is updated to 1800; and finally, if I change the SAM file back to 43200 and deploy it, it works: it sets the role alias to 43200.

    But if after the first deploy I don't change the expiration time in the SAM file and deploy again, it doesn't change it to 43200; it stays at 3600. So the problem seems to be when it creates the role alias.

  • I just added two more role aliases in the SAM file, one with 1800 and the other with 43199 seconds, and both were created with 3600. The IAM role was created fine with a maximum session duration of 12h.

  • This seems to directly contradict the documentation I'm seeing here. Your role and role alias both look set up to have the 12hr expiration time.

    I don't think you're doing anything wrong (from the information provided).
