
Can I increase the duration of the IAM role chaining session?


I used the AssumeRole API with temporary credentials to assume an AWS Identity and Access Management (IAM) role. However, I received an error similar to the following: "The requested DurationSeconds exceeds the 1 hour session limit for roles assumed by role chaining."

Resolution

Assuming a role with temporary security credentials through the AWS Command Line Interface (AWS CLI) or the AWS API is role chaining. Role chaining limits your AWS CLI or AWS API role session to 1 hour, and you can't increase that duration. The 1-hour maximum applies only to the AWS CLI and API.

Important: When the DurationSeconds parameter value for the temporary credentials is greater than 1 hour, the operation fails.

Use the following best practices with role chaining:

  • To get the temporary credentials of a role, use the switch role feature on the AWS Management Console. The AWS Management Console uses the IAM or federated user's credentials to switch to another role.
  • Users who use multi-factor authentication (MFA) with the AWS CLI already hold temporary credentials when they assume another role. The AWS Security Token Service (AWS STS) GetSessionToken API generates temporary credentials that are limited to 1 hour.
  • If you use role chaining to assume Role B in the same AWS account as Role A, then assign the additional permissions to Role A instead. With those permissions on Role A, you don't need to chain to Role B.

Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
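The following is an added example, not code from the Knowledge Center article. It shows the check a script can make before calling AssumeRole: when the calling credentials are temporary (they carry a session token), the call is a role-chaining call and DurationSeconds is capped at 3600 so the request does not fail with the error quoted above. The STS client is passed in, so the logic can be exercised without AWS access; the role ARN in the live section is a placeholder.

```python
"""Assume a role without tripping the 1-hour role-chaining limit.

Added example, not code from the Knowledge Center article. `sts` is any
object with an assume_role() method; the boto3 client at the bottom is one.
"""
MIN_SESSION_SECONDS = 900         # STS minimum for DurationSeconds
ROLE_CHAIN_MAX_SECONDS = 3600     # hard limit when the caller uses temporary credentials
ASSUME_ROLE_MAX_SECONDS = 43200   # 12 h, and only if the role's MaxSessionDuration allows it


def is_temporary(creds):
    """Temporary credentials (AssumeRole, GetSessionToken, federation) carry a
    session token; long-term IAM user access keys do not."""
    return bool(creds.get("SessionToken"))


def effective_duration(creds, requested_seconds):
    """Largest DurationSeconds that STS will accept for this caller."""
    if requested_seconds < MIN_SESSION_SECONDS:
        raise ValueError("DurationSeconds must be at least 900")
    limit = ROLE_CHAIN_MAX_SECONDS if is_temporary(creds) else ASSUME_ROLE_MAX_SECONDS
    return min(requested_seconds, limit)


def assume_role_checked(sts, creds, role_arn, session_name, requested_seconds):
    """Call AssumeRole with a duration that cannot exceed the chaining limit.
    Returns (duration_used, credentials_dict)."""
    duration = effective_duration(creds, requested_seconds)
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                           DurationSeconds=duration)
    return duration, resp["Credentials"]


def is_role_chaining_error(exc):
    """True if an STS error is the chaining-limit rejection quoted in the article."""
    return "role chaining" in str(exc)


if __name__ == "__main__":
    import boto3  # only needed for a live call
    session = boto3.Session()
    frozen = session.get_credentials().get_frozen_credentials()
    caller = {"AccessKeyId": frozen.access_key, "SecretAccessKey": frozen.secret_key,
              "SessionToken": frozen.token}
    # Placeholder target role ARN; replace with your own.
    used, new_creds = assume_role_checked(session.client("sts"), caller,
                                          "arn:aws:iam::123456789012:role/RoleB",
                                          "chained-session", 43200)
    print(f"session granted for {used} seconds; key {new_creds['AccessKeyId']}")
```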

Related information

Troubleshoot IAM and Amazon EC2

3 Comments

This contradicts https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html, which says the default is 1 hour but it is possible to increase the limit to up to 12 hours, as long as the assumed role allows it. The duration can be specified in AWS CLI and AWS API calls; however, the AWS Console does not support changing the duration, so it defaults to 1 hour.

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 2 years ago

The above-mentioned STS docs do state 1 hour for chained roles:

Role chaining limits your AWS CLI or AWS API role session to a maximum of one hour. When you use the AssumeRole API operation to assume a role, you can specify the duration of your role session with the DurationSeconds parameter. You can specify a parameter value of up to 43200 seconds (12 hours), depending on the maximum session duration setting for your role. However, if you assume a role using role chaining and provide a DurationSeconds parameter value greater than one hour, the operation fails. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide.

replied 2 years ago