This repository has been archived by the owner on May 18, 2021. It is now read-only.

missing session_ttl option? #251

Closed
chizou opened this issue Nov 22, 2019 · 5 comments

@chizou

chizou commented Nov 22, 2019

There are environment variables AWS_SESSION_TTL and AWS_ASSUME_ROLE_TTL. The config file option for assume_role_ttl exists but there doesn't seem to be a matching option for session_ttl. Is this expected?

Admittedly, I'm not completely certain what the difference between the two is, so can that also be explained?

@sdann
Contributor

sdann commented Dec 4, 2019

I second this lack of a session_ttl config parameter. I've just discovered that cred-process takes the min() of the configured AWS and Okta session. Thus, setting assume_role_ttl alone in config is useless.

For example on 0.27.0:

aws-okta cred-process -a 8h test
Returns a 1 hour STS token, because the default for session_ttl is 1 hour.

aws-okta cred-process -a 8h -t 8h test
Returns an 8 hour STS token.

aws-okta cred-process -a 8h -t 4h test
Returns a 4 hour STS token, the min() of the 2.

I could work around this in the config file if session_ttl was supported.

@sdann
Contributor

sdann commented Dec 5, 2019

After diving through the code, I now understand that:

session_ttl is the duration of the STS creds for the initial AssumeRoleWithSAML() call.
assume_role_ttl is the duration of the creds for any secondary role that is assumed after the first.

This was very confusing at first. I had assumed session_ttl was the length of the Okta login session or Okta SAML assertion ttl.

@nickatsegment Question: why have 2 different names? Since the tool is only ever assuming 1 final role eventually, why not use the same config parameter for both? Say session_ttl which will always be the TTL for the STS token regardless of whether it was assumed with AssumeRoleWithSAML() or AssumeRole()?
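The two comments above describe two things: the precedence order for each TTL (CLI flag, then profile key, then a 1 hour default) and the fact that the credential lifetime cred-process returns is the min() of session_ttl (the AssumeRoleWithSAML credentials) and assume_role_ttl (the secondary AssumeRole credentials). The Go program below is an added illustration written for this page, not aws-okta's own code; it models that resolution so the three 0.27.0 invocations and the "profile session_ttl ignored" case can be checked side by side. The Profile and Flags types, the profileSessionTTL switch and the 1 hour assume_role_ttl default are assumptions made for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Defaults as described in the thread: session_ttl defaults to 1 hour.
// The assume_role_ttl default is an assumption made for this example.
const (
	defaultSessionTTL    = time.Hour
	defaultAssumeRoleTTL = time.Hour
)

// Profile is an assumed flattened view of one ~/.aws/config profile section.
type Profile map[string]string

// Flags holds CLI values; a zero duration means the flag was not given.
type Flags struct {
	SessionTTL    time.Duration // -t / --session-ttl
	AssumeRoleTTL time.Duration // -a / --assume-role-ttl
}

// ResolvedTTLs is the result of applying CLI > profile > default to each
// TTL, plus the lifetime the caller actually ends up with.
type ResolvedTTLs struct {
	SessionTTL    time.Duration // credentials from AssumeRoleWithSAML
	AssumeRoleTTL time.Duration // credentials from the secondary AssumeRole
	Effective     time.Duration // min(SessionTTL, AssumeRoleTTL)
}

// resolveOne applies CLI > profile > default for a single config key and
// rejects unparsable or non-positive profile values.
func resolveOne(flag time.Duration, p Profile, key string, def time.Duration) (time.Duration, error) {
	if flag > 0 {
		return flag, nil
	}
	if raw, ok := p[key]; ok {
		d, err := time.ParseDuration(raw)
		if err != nil {
			return 0, fmt.Errorf("profile key %q: %w", key, err)
		}
		if d <= 0 {
			return 0, fmt.Errorf("profile key %q: duration must be positive", key)
		}
		return d, nil
	}
	return def, nil
}

// ResolveTTLs computes both TTLs and the effective credential lifetime.
// profileSessionTTL=false models the behaviour the thread complains about,
// where the profile's session_ttl key is not read at all.
func ResolveTTLs(f Flags, p Profile, profileSessionTTL bool) (ResolvedTTLs, error) {
	sessionProfile := p
	if !profileSessionTTL {
		sessionProfile = Profile{} // session_ttl in the profile is ignored
	}
	s, err := resolveOne(f.SessionTTL, sessionProfile, "session_ttl", defaultSessionTTL)
	if err != nil {
		return ResolvedTTLs{}, err
	}
	a, err := resolveOne(f.AssumeRoleTTL, p, "assume_role_ttl", defaultAssumeRoleTTL)
	if err != nil {
		return ResolvedTTLs{}, err
	}
	eff := s
	if a < eff {
		eff = a
	}
	return ResolvedTTLs{SessionTTL: s, AssumeRoleTTL: a, Effective: eff}, nil
}

func main() {
	// Constructed profile with only assume_role_ttl set, as in the thread.
	p := Profile{"assume_role_ttl": "8h"}
	r, _ := ResolveTTLs(Flags{}, p, false)
	fmt.Println("assume_role_ttl alone in profile:", r.Effective) // 1h0m0s
	p["session_ttl"] = "8h"
	r, _ = ResolveTTLs(Flags{}, p, true)
	fmt.Println("session_ttl honoured from profile:", r.Effective) // 8h0m0s
}
```

The min() step is why setting assume_role_ttl alone in the profile has no visible effect: the SAML-derived credentials already expire after the 1 hour session default, so the longer assume-role lifetime can never be observed.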

@nickatsegment
Contributor

That nomenclature predates my tenure at aws-okta :) I'm not really aware of any use cases where you'd want different values for these. Possibly the STS creds associated with session_ttl are reusable if you assume a different role? Maybe @Fauzyy has some ideas

sdann added a commit to sdann/aws-okta that referenced this issue Dec 5, 2019
)

If "session_ttl" exists in config profile, use it as if --session-ttl
was provided on the CLI.
@sdann
Contributor

sdann commented Dec 5, 2019

PR to fix this issue: #255
New issue to address the similar parameter names: #256

nickatsegment pushed a commit that referenced this issue Dec 17, 2019
* feat: Support "session_ttl" config param in every command (#251)

If "session_ttl" exists in config profile, use it as if --session-ttl
was provided on the CLI.

* docs: Update config param section of README

Describe how the code actually works, where session-ttl determines the
duration of the first SAML assumed AWS role, not the session to Okta.
@nickatsegment
Contributor

#278

3 participants