simonw/s3-credentials

s3-credentials.AmazonS3FullAccess has MaxSessionDuration 3600, should be 12 hours

simonw opened this issue · 5 comments

The s3-credentials.AmazonS3FullAccess role created by this tool turns out to have MaxSessionDuration of 3600 - which means that if it is used with the -d option to create time limited credentials an error will be shown unless that duration is less than one hour.

This code here:

import json


def ensure_s3_role_exists(iam, sts):
    "Create s3-credentials.AmazonS3FullAccess role if not exists, return ARN"
    role_name = "s3-credentials.AmazonS3FullAccess"
    account_id = sts.get_caller_identity()["Account"]
    try:
        role = iam.get_role(RoleName=role_name)
        return role["Role"]["Arn"]
    except iam.exceptions.NoSuchEntityException:
        # create_role() is called without MaxSessionDuration, so the role gets
        # the IAM default of 3600 seconds (one hour) - the bug this issue describes
        create_role_response = iam.create_role(
            Description=(
                "Role used by the s3-credentials tool to create time-limited "
                "credentials that are restricted to specific buckets"
            ),
            RoleName=role_name,
            AssumeRolePolicyDocument=json.dumps(
                {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "AWS": "arn:aws:iam::{}:root".format(account_id)
                            },
                            "Action": "sts:AssumeRole",
                        }
                    ],
                }
            ),
        )
        return create_role_response["Role"]["Arn"]

~ % s3-credentials list-roles s3-credentials.AmazonS3FullAccess
[
  {
    "Path": "/",
    "RoleName": "s3-credentials.AmazonS3FullAccess",
    "RoleId": "AROAWXFXAIOZKX4I47KJM",
    "Arn": "arn:aws:iam::462092780466:role/s3-credentials.AmazonS3FullAccess",
    "CreateDate": "2021-11-10 01:53:24+00:00",
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::462092780466:root"
          },
          "Action": "sts:AssumeRole",
          "Condition": {}
        }
      ]
    },
    "Description": "Role used by the s3-credentials tool to create time-limited credentials that are restricted to specific buckets",
    "MaxSessionDuration": 3600
  }
]

Manually tested the fix by deleting my s3-credentials.AmazonS3FullAccess role and then running this command:

 % s3-credentials create datasette-cloud-backups -d 1h
Assume role against arn:aws:iam::462092780466:role/s3-credentials.AmazonS3FullAccess for 3600s
{
    "AccessKeyId": "ASIAWXFXAIOZG4XZQ54R",
    "SecretAccessKey": "...",
    "SessionToken": "F...",
    "Expiration": "2022-08-01 20:38:24+00:00"
}


So that worked as expected - the role has 12 hours now.

If you are affected by this bug you can fix the role manually by going here:

https://console.aws.amazon.com/iamv2/home#/roles/details/s3-credentials.AmazonS3FullAccess?section=permissions

And clicking the "Edit" button.

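The following is an added example, not code from the s3-credentials project, showing both halves of the fix discussed in this issue in one place: creating the role with `MaxSessionDuration` set to 12 hours (43200 seconds, the IAM maximum) and repairing an existing role whose limit is still the 3600-second default via `iam.update_role`, which is the programmatic equivalent of the console "Edit" step above. It also checks a requested `-d` duration against the role's limit before any `sts:AssumeRole` call, so the failure is reported clearly instead of as an STS error. `FakeIAM`, the account id `123456789012` and the helper names are constructed for this example so it runs offline; with real clients you would pass `boto3.client("iam")` and the account id from `sts.get_caller_identity()` instead.

```python
import json

ROLE_NAME = "s3-credentials.AmazonS3FullAccess"
# IAM allows MaxSessionDuration between 3600 (the default) and 43200 seconds.
TWELVE_HOURS = 12 * 60 * 60
# STS AssumeRole accepts DurationSeconds from 900 up to the role's MaxSessionDuration.
MIN_ASSUME_ROLE_SECONDS = 900


def assume_role_policy(account_id):
    """Trust policy matching the one the tool creates: any principal in the account."""
    return json.dumps(
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {"AWS": "arn:aws:iam::{}:root".format(account_id)},
                    "Action": "sts:AssumeRole",
                }
            ],
        }
    )


def ensure_role_with_session_duration(iam, account_id, max_session_duration=TWELVE_HOURS):
    """Return (role ARN, action) so MaxSessionDuration is at least the requested value.

    action is "created", "updated" or "unchanged"; an existing role with a
    lower limit (e.g. the 3600 default from older versions) is raised in place.
    """
    try:
        role = iam.get_role(RoleName=ROLE_NAME)["Role"]
    except iam.exceptions.NoSuchEntityException:
        role = iam.create_role(
            RoleName=ROLE_NAME,
            Description="Role used by the s3-credentials tool to create time-limited "
            "credentials that are restricted to specific buckets",
            AssumeRolePolicyDocument=assume_role_policy(account_id),
            MaxSessionDuration=max_session_duration,  # the missing argument
        )["Role"]
        return role["Arn"], "created"
    if role.get("MaxSessionDuration", 3600) < max_session_duration:
        iam.update_role(RoleName=ROLE_NAME, MaxSessionDuration=max_session_duration)
        return role["Arn"], "updated"
    return role["Arn"], "unchanged"


def check_requested_duration(requested_seconds, max_session_duration):
    """Validate a -d duration against the role limit before calling sts.assume_role."""
    if not MIN_ASSUME_ROLE_SECONDS <= requested_seconds <= max_session_duration:
        raise ValueError(
            "requested {}s is outside the allowed range {}-{}s for {}".format(
                requested_seconds, MIN_ASSUME_ROLE_SECONDS, max_session_duration, ROLE_NAME
            )
        )
    return requested_seconds


class FakeIAM:
    """Constructed in-memory stand-in for boto3's IAM client (example only)."""

    class exceptions:  # mirrors iam.exceptions.NoSuchEntityException on the real client
        class NoSuchEntityException(Exception):
            pass

    def __init__(self, account_id="123456789012", roles=None):
        self.account_id = account_id
        self.roles = dict(roles or {})

    def get_role(self, RoleName):
        if RoleName not in self.roles:
            raise self.exceptions.NoSuchEntityException(RoleName)
        return {"Role": self.roles[RoleName]}

    def create_role(self, RoleName, AssumeRolePolicyDocument, Description="", MaxSessionDuration=3600):
        role = {
            "RoleName": RoleName,
            "Arn": "arn:aws:iam::{}:role/{}".format(self.account_id, RoleName),
            "Description": Description,
            "AssumeRolePolicyDocument": json.loads(AssumeRolePolicyDocument),
            "MaxSessionDuration": MaxSessionDuration,
        }
        self.roles[RoleName] = role
        return {"Role": role}

    def update_role(self, RoleName, MaxSessionDuration):
        self.roles[RoleName]["MaxSessionDuration"] = MaxSessionDuration
        return {}


if __name__ == "__main__":
    iam = FakeIAM(roles={ROLE_NAME: {"Arn": "arn:aws:iam::123456789012:role/" + ROLE_NAME, "MaxSessionDuration": 3600}})
    print(ensure_role_with_session_duration(iam, iam.account_id))  # ('arn:...', 'updated')
    print(check_requested_duration(4 * 3600, iam.roles[ROLE_NAME]["MaxSessionDuration"]))
```

Running `ensure_role_with_session_duration` on every invocation, not only when the role is missing, is what makes the fix reach users who already have the one-hour role; a plain "create if absent" check would leave their limit at 3600 indefinitely.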