Closed
Labels: bug (Something isn't working)
Description
The s3-credentials.AmazonS3FullAccess role created by this tool turns out to have a MaxSessionDuration of 3600 - which means that if it is used with the -d option to create time-limited credentials an error will be shown unless that duration is less than one hour.
This code here:
s3-credentials/s3_credentials/cli.py
Lines 830 to 858 in db90d36
```python
import json  # used by the excerpt for the AssumeRolePolicyDocument


def ensure_s3_role_exists(iam, sts):
    "Create s3-credentials.AmazonS3FullAccess role if not exists, return ARN"
    role_name = "s3-credentials.AmazonS3FullAccess"
    account_id = sts.get_caller_identity()["Account"]
    try:
        role = iam.get_role(RoleName=role_name)
        return role["Role"]["Arn"]
    except iam.exceptions.NoSuchEntityException:
        # No MaxSessionDuration is passed to create_role, so the role gets the
        # AWS default of 3600 seconds; that is the limit this issue reports.
        create_role_response = iam.create_role(
            Description=(
                "Role used by the s3-credentials tool to create time-limited "
                "credentials that are restricted to specific buckets"
            ),
            RoleName=role_name,
            AssumeRolePolicyDocument=json.dumps(
                {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "AWS": "arn:aws:iam::{}:root".format(account_id)
                            },
                            "Action": "sts:AssumeRole",
                        }
                    ],
                }
            ),
        )
        # The embedded excerpt stops at line 858 of cli.py; the return below is
        # not part of the excerpt and only reflects what the docstring says the
        # function does (return the role's ARN).
        return create_role_response["Role"]["Arn"]
```
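The two checks a practitioner would want around this, as an added example that is not part of s3-credentials: validate a requested duration against the role's MaxSessionDuration before calling sts.assume_role, and raise the role's limit (never lower it) with iam.update_role when it is too small. The limits used are the documented AWS ones: AssumeRole's DurationSeconds must be at least 900 and at most the role's MaxSessionDuration, and MaxSessionDuration itself is 3600 by default and can be set up to 43200 (the same MaxSessionDuration argument is accepted by iam.create_role, so a fix could also set it at creation time). FakeIAM is a constructed, offline stand-in for the two boto3 IAM client calls so the example runs without an AWS account; duration_problem and ensure_max_session_duration are hypothetical helper names.

```python
# AWS limits from the IAM/STS API documentation. AssumeRole's DurationSeconds
# must be >= 900 and <= the role's MaxSessionDuration; MaxSessionDuration is
# 3600 when CreateRole is called without it (as in the excerpt above) and can
# be raised to at most 43200.
MIN_SESSION_SECONDS = 900
DEFAULT_MAX_SESSION_SECONDS = 3600
HARD_MAX_SESSION_SECONDS = 43200


def duration_problem(requested_seconds, role_max_session_seconds):
    """Return a readable reason the AssumeRole call would fail, or None if OK.

    Call this before sts.assume_role(...) so the user is told that the role's
    limit is the cause instead of seeing a generic STS error.
    """
    if requested_seconds < MIN_SESSION_SECONDS:
        return "duration {} is below the AssumeRole minimum of {} seconds".format(
            requested_seconds, MIN_SESSION_SECONDS
        )
    if requested_seconds > role_max_session_seconds:
        return (
            "duration {} exceeds the role's MaxSessionDuration of {} seconds; "
            "raise it with iam.update_role(RoleName=..., MaxSessionDuration=...)"
        ).format(requested_seconds, role_max_session_seconds)
    return None


def ensure_max_session_duration(iam, role_name, wanted_seconds):
    """Raise the role's MaxSessionDuration so that wanted_seconds fits.

    The limit is never lowered (other callers may rely on it) and never set
    above what AWS allows. Returns the limit in effect afterwards.
    """
    wanted = min(
        max(wanted_seconds, DEFAULT_MAX_SESSION_SECONDS), HARD_MAX_SESSION_SECONDS
    )
    role = iam.get_role(RoleName=role_name)["Role"]
    current = role.get("MaxSessionDuration", DEFAULT_MAX_SESSION_SECONDS)
    if current >= wanted:
        return current
    iam.update_role(RoleName=role_name, MaxSessionDuration=wanted)
    return wanted


class FakeIAM:
    """Constructed offline stand-in for the boto3 IAM calls used above."""

    def __init__(self, max_session_by_role):
        self.max_session_by_role = dict(max_session_by_role)
        self.update_calls = []  # records (RoleName, MaxSessionDuration) updates

    def get_role(self, RoleName):
        return {
            "Role": {
                "RoleName": RoleName,
                "MaxSessionDuration": self.max_session_by_role[RoleName],
            }
        }

    def update_role(self, RoleName, MaxSessionDuration):
        self.update_calls.append((RoleName, MaxSessionDuration))
        self.max_session_by_role[RoleName] = MaxSessionDuration
        return {}


if __name__ == "__main__":
    role = "s3-credentials.AmazonS3FullAccess"
    # The role as the tool creates it today: default 3600-second limit.
    iam = FakeIAM({role: DEFAULT_MAX_SESSION_SECONDS})
    wanted = 4 * 3600  # e.g. "-d 4h"
    limit = iam.get_role(RoleName=role)["Role"]["MaxSessionDuration"]
    print(duration_problem(wanted, limit))
    print(ensure_max_session_duration(iam, role, wanted))
    limit = iam.get_role(RoleName=role)["Role"]["MaxSessionDuration"]
    print(duration_problem(wanted, limit))
```

Raising MaxSessionDuration requires iam:UpdateRole on the role, so a tool run with only the permissions needed for get_role/assume_role will still fail; the validation step at least makes the failure explicit.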