Increase the assume-role MFA expiry time to 8 hours (28800 seconds) #533
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
The docs I read were https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_modify.html and https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateRole.html, so maybe this is right? |
|
It seems like I have to wait for hashicorp/terraform-provider-aws#3977, upgrade the provider and then change my approach. Closing this for now. Thanks for pointing it out, @davbo. |
|
That PR has been merged now, so I've implemented this in the correct way (hopefully). I'll test it in the test account and see if it works. |
issyl0
force-pushed
the
increase_assume_role_mfa_expiration_time
branch
from
4c632cc to
6afe8f4
Compare
- AWS recently increased the assume-role session token expiry time to a maximum of 12 hours. This makes our sessions last for eight hours, the length of the working day, to avoid having to re-assume role multiple times a day. This is done via the `max_session_duration` parameter on `aws_iam_role` as implemented in the AWS terraform provider v0.14.0. - This will revert the changes I made in #498, and I'll have to change the docs again, but it makes it simpler in the long run - you only have to remember an `assume-role` command, not also `get-session-token`.
issyl0
force-pushed
the
increase_assume_role_mfa_expiration_time
branch
from
6afe8f4 to
23dd074
Compare
|
This appears to be the correct setting. I did an
|
suthagarht
approved these changes
Apr 13, 2018
|
Applied in all environments. Merging. |
issyl0
pushed a commit
to alphagov/govuk-developer-docs
that referenced
this pull request
Apr 13, 2018
- Now that tokens have an eight hour expiry (alphagov/govuk-aws#533), we don't need to do the intermediary workaround of calling `aws sts get-session-token` for a longer session without MFA. - This has the side effect that you'll need to re-authenticate with MFA if you wish to switch environments, but I don't think that's necessarily a bad thing at the moment.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
maximum of 12 hours. This makes our sessions last for eight hours, the
length of the working day, to avoid having to re-assume role multiple
times a day.
Only ask for MFA on assume-role once in 12 hours #498, and I'll have to
change the docs again, but it makes it simpler in the long run - you
only have to remember an
assume-rolecommand, not alsoget-session-token.(I'll test this in the test account first.)