Describe the bug
Leapp is unable to create web console sessions for IAM Role Chained that exceed one hour in duration. The issue stems from a typo in the parameter name responsible for setting session duration, which results in the parameter being unused. Additionally, AWS rejects requests for signing tokens exceeding 3599 seconds, responding with a 400 error. This is due to the Assume Role Token being generated from Temporary Credentials, which adheres to AWS policies restricting token durations to one hour for chained tokens.
Leapp Version
v.0.26.0
To Reproduce
Steps to reproduce the behavior:
1. Go to settings
2. Set the Default Webconsole Duration higher than one hour
3. Create an IAM User session
4. Create an IAM Role Chained session
5. Open a Webconsole Duration from that Role Chained Session
6. Get logged out after one hour regardless of your configuration
Expected behavior
I expected Leapp to create a web console session for IAM Role Chained with a duration exceeding one hour without encountering an error.
Desktop:
OS: macOS/Linux (not tested in Windows)
OS Version: Ubuntu 24.04/macOS 14
Leapp Version: v0.26.0
Additional context
After debugging the code, I identified a typo in the parameter name for session duration, which prevented its correct usage.
Furthermore, AWS started rejecting requests for signing tokens with durations longer than one hour, responding with a 400 error. The issue arises because the Assume Role Token is generated from Temporary Credentials, which falls under AWS policies limiting token durations for chained tokens.
To resolve this, I suggest discussing the feasibility of generating the Assume Role Token from user credentials instead of temporary credentials. I am willing to implement this change if it aligns with the application's design and security principles.
Thank you for your attention to this matter.
@petrusdemelo I'm quite sure the problem is related to the fact that the SessionDuration corresponds to the one you can specify from the global options dialog. The credentials - passed to the AWS /federation?Action=getSigninToken endpoint - are valid for 1 hour. This is a link to the code snippet that composes the signin token using the previously mentioned endpoint. I'm trying to replicate the bug to check if the assumptions I made are correct.
I think this is a crucial feature for day-by-day activities
The credentials - passed to the AWS /federation?Action=getSigninToken endpoint - are valid for 1 hour.
That is what I meant by "This is due to the Assume Role Token being generated from Temporary Credentials". Even if the typo gets fixed, we would need to pass the user credentials to generate the assume role token instead.
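The two points raised in this thread (a misspelled duration parameter that goes unused, and the duration ceiling for role-chained credentials) can both be checked before the request leaves the client. The sketch below is an added example, not Leapp's code: all function and constant names are hypothetical, the 900 and 43200 second bounds are the range AWS documents for `SessionDuration`, and 3599 is the ceiling reported in this issue.

```javascript
// Added example (not Leapp code). Helper and constant names are hypothetical.
const FEDERATION_URL = "https://signin.aws.amazon.com/federation";
const MIN_DURATION = 900;          // AWS-documented minimum for SessionDuration
const MAX_DURATION = 43200;        // AWS-documented maximum (12 hours)
const MAX_CHAINED_DURATION = 3599; // ceiling reported in this issue for chained roles
const KNOWN_PARAMS = new Set(["Action", "SessionDuration", "Session"]);

// Clamp the configured duration to the documented range, and to the
// chained-role ceiling when the credentials come from a role-chained session.
function effectiveDuration(requestedSeconds, roleChained) {
  const ceiling = roleChained ? MAX_CHAINED_DURATION : MAX_DURATION;
  return Math.min(Math.max(requestedSeconds, MIN_DURATION), ceiling);
}

// Return query parameter names that getSigninToken does not define, so a
// misspelled name fails a unit test instead of being silently unused.
function unknownParams(url) {
  return [...new URL(url).searchParams.keys()].filter((k) => !KNOWN_PARAMS.has(k));
}

// Compose the getSigninToken request URL from temporary credentials.
function buildSigninTokenUrl(creds, requestedSeconds, roleChained) {
  const params = new URLSearchParams({
    Action: "getSigninToken",
    SessionDuration: String(effectiveDuration(requestedSeconds, roleChained)),
    Session: JSON.stringify({
      sessionId: creds.accessKeyId,
      sessionKey: creds.secretAccessKey,
      sessionToken: creds.sessionToken,
    }),
  });
  return `${FEDERATION_URL}?${params}`;
}

// Constructed placeholder credentials, not real values.
const sampleCreds = {
  accessKeyId: "ASIAEXAMPLE",
  secretAccessKey: "example-secret",
  sessionToken: "example-token",
};

// Constructed misspelling, used only to show what the check reports.
const misspelledUrl = `${FEDERATION_URL}?Action=getSigninToken&SesionDuration=7200`;
```

Running `unknownParams` over whatever URL the application composes, as part of its unit tests, turns a parameter-name typo into a test failure.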
#559