Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AWS STS Session hard limit duration of 1 hour for chained roles #1466

Open
owitplat opened this issue May 6, 2024 · 1 comment
Open

AWS STS Session hard limit duration of 1 hour for chained roles #1466

owitplat opened this issue May 6, 2024 · 1 comment

Comments

@owitplat
Copy link

owitplat commented May 6, 2024

Subject of the issue

Cloudformation updates can take longer than 1 hour to complete for stacks waiting for a CF success signal. For example on a Windows build that installs various applications at launch time the success signal can take > 1 hour to come back.

When scepter 4 is run from an ECS container that assumes a role into another account to trigger a stack update that takes longer than 1 hour, the sceptre run will fail with:
"An error occurred (ExpiredToken) when calling the DescribeStacks operation: The security token included in the request is expired"

Increasing the session duration is unhelpful as AWS have a hard limit of 1 hour as per "Role Chaning" under
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html

And sceptre fails with
An error occurred (ValidationError) when calling the AssumeRole operation: The requested DurationSeconds exceeds the 1 hour session limit for roles assumed by role chaining.

The AWS provided solution is to launch sceptre using an IAM USER credential which doesn't suffer from the 1 hour hard limit on assumed roles. This is possible, however it means having to manage and rotate the long lived IAM USER credential which is undesirable.

Sceptre v1 supported refreshing the temporary credentials via this commit:
de616e4

It appears that this feature was not carried over into sceptre v2-v4.

We are currently migrating from sceptre 1 to 4 which has surfaced this issue.

Can the sceptre 1 feature be pulled into sceptre 4?

Your environment

  • version of sceptre (sceptre --version)
    Sceptre, version 4.4.2

  • version of python (python --version)
    Python 3.10.14

  • which OS/distro
    alpine 3.16

Steps to reproduce

Create a sceptre 4 managed stack where the update takes > 1 hour (by way of a delayed CF success signal) using temporary credentials to launch sceptre and set sceptre_role to another role to actually launch the stack.

Expected behaviour

sceptre should successfully create the stack.

Actual behaviour

sceptre fails after 1 hour with
"An error occurred (ExpiredToken) when calling the DescribeStacks operation: The security token included in the request is expired"

Sceptre v1 would remove an expired session and create a new one as per
de616e4

@zaro0508
Copy link
Contributor

zaro0508 commented May 6, 2024

Can the sceptre 1 feature be pulled into sceptre 4?

If someone cares to create a PR for this it will definitely be considered for inclusion.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants