s3-credentials.AmazonS3FullAccess has MaxSessionDuration 3600, should be 12 hours

The `s3-credentials.AmazonS3FullAccess` role created by this tool turns out to have `MaxSessionDuration` of 3600 - which means that if it is used with the `-d` option to create time limited credentials an error will be shown unless that duration is less than one hour.

This code here:

https://github.com/simonw/s3-credentials/blob/db90d36ddcc3b13433712991d0743bc60ebe05cb/s3_credentials/cli.py#L830-L858


	def ensure_s3_role_exists(iam, sts):
	"Create s3-credentials.AmazonS3FullAccess role if not exists, return ARN"
	role_name = "s3-credentials.AmazonS3FullAccess"
	account_id = sts.get_caller_identity()["Account"]
	try:
	role = iam.get_role(RoleName=role_name)
	return role["Role"]["Arn"]
	except iam.exceptions.NoSuchEntityException:
	create_role_response = iam.create_role(
	Description=(
	"Role used by the s3-credentials tool to create time-limited "
	"credentials that are restricted to specific buckets"
	),
	RoleName=role_name,
	AssumeRolePolicyDocument=json.dumps(
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Effect": "Allow",
	"Principal": {
	"AWS": "arn:aws:iam::{}:root".format(account_id)
	},
	"Action": "sts:AssumeRole",
	}
	],
	}
	),
	)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

s3-credentials.AmazonS3FullAccess has MaxSessionDuration 3600, should be 12 hours #75

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Uh oh!

s3-credentials.AmazonS3FullAccess has MaxSessionDuration 3600, should be 12 hours #75

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions