
Showing content from https://github.com/segmentio/aws-okta/commit/4e5f146f9c8bf53add179cb27882b3bcd27b4a02 below:

Support "session_ttl" config param in every command (#251) (#255) · segmentio/aws-okta@4e5f146 · GitHub

This repository was archived by the owner on May 18, 2021. It is now read-only.

File tree Expand file treeCollapse file tree 6 files changed

+61

-21

lines changed


lines changed Original file line number Diff line number Diff line change

@@ -50,7 +50,7 @@ Usage:

50 50

aws-okta exec <profile> -- <command>

51 51 52 52

Flags:

53 -

-a, --assume-role-ttl duration Expiration time for assumed role (default 15m0s)

53 +

-a, --assume-role-ttl duration Expiration time for assumed role (default 1h0m0s)

54 54

-h, --help help for exec

55 55

-t, --session-ttl duration Expiration time for okta role session (default 1h0m0s)

56 56

@@ -147,9 +147,14 @@ role_arn = arn:aws:iam::<account-id>:role/<okta-role-name>

147 147

okta_account_name = account-b

148 148

```

149 149 150 -

#### Configuring Okta session and AWS assume role TTLs

150 +

#### Configuring Okta assume role and AWS assume role TTLs

151 151 152 -

The default TTLs for both Okta sessions and AWS assumed roles is 1 hour. This means that aws-okta will re-authenticate to Okta and AWS credentials will expire every hour. In addition to specifying the Okta session and AWS assume role TTLs with the command-line flags, they can be set using the `AWS_SESSION_TTL` and `AWS_ASSUME_ROLE_TTL` environment variables respectively.

152 +

The default TTLs for both the initial SAML assumed role and secondary AWS assumed roles are 1 hour. This means that AWS credentials will expire every hour.

153 + 154 +

* *session-ttl*: Duration of initial role assumed by Okta

155 +

* *assume-role-ttl*: Duration of second role assumed

156 + 157 +

In addition to specifying session and AWS assume role TTLs with command-line flags, they can be set using environment variables.

153 158 154 159

```bash

155 160

export AWS_SESSION_TTL=1h

@@ -159,10 +164,15 @@ export AWS_ASSUME_ROLE_TTL=1h

159 164

The AWS assume role TTL can also be set per-profile in the aws config:

160 165 161 166

```ini

162 -

# example with a role that's configured with a max session duration of 12 hours

167 +

# Example with an initial and secondary role that are configured with a max session duration of 12 hours

163 168

[profile ttldemo]

164 169

aws_saml_url = home/amazon_aws/cuZGoka9dAIFcyG0UllG/214

165 170

role_arn = arn:aws:iam::<account-id>:role/<okta-role-name>

171 +

session_ttl = 12h

172 + 173 +

[profile ttldemo-role]

174 +

source_profile = ttldemo

175 +

role_arn = arn:aws:iam::<account-id>:role/<secondary-role-name>

166 176

assume_role_ttl = 12h

167 177

```

168 178 Original file line number Diff line number Diff line change

@@ -62,10 +62,16 @@ func credProcessRun(cmd *cobra.Command, args []string) error {

62 62 63 63

updateMfaConfig(cmd, profiles, profile, &mfaConfig)

64 64 65 -

// check for an assume_role_ttl in the profile if we don't have a more explicit one

65 +

// check profile for both session durations if not explicitly set

66 66

if !cmd.Flags().Lookup("assume-role-ttl").Changed {

67 -

if err := updateDurationFromConfigProfile(profiles, profile, &assumeRoleTTL); err != nil {

68 -

fmt.Fprintln(os.Stderr, "warning: could not parse duration from profile config")

67 +

if err := updateDurationFromConfigProfile(profiles, profile, "assume_role_ttl", &assumeRoleTTL); err != nil {

68 +

fmt.Fprintln(os.Stderr, "warning: could not parse assume_role_ttl from profile config")

69 +

}

70 +

}

71 + 72 +

if !cmd.Flags().Lookup("session-ttl").Changed {

73 +

if err := updateDurationFromConfigProfile(profiles, profile, "session_ttl", &sessionTTL); err != nil {

74 +

fmt.Fprintln(os.Stderr, "warning: could not parse session_ttl from profile config")

69 75

}

70 76

}
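Review bot: A malformed `session_ttl` or `assume_role_ttl` in the profile only produces a warning on stderr, after which credProcessRun carries on with whatever value the variable already holds (the flag default, as far as this hunk shows). An operator who meant to shorten the credential lifetime would therefore get the default lifetime instead. The warning also drops `err` and the profile name, which makes the bad entry hard to locate. Since the function already returns `error`, consider failing closed with `return fmt.Errorf("parsing session_ttl for profile %q: %w", profile, err)`, and the same for `assume_role_ttl`. The identical block is added to envRun, execRun, loginRun and writeToCredentialsRun; credProcessRun's body starts and ends outside the hunk.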

71 77 Original file line number Diff line number Diff line change

@@ -50,10 +50,16 @@ func envRun(cmd *cobra.Command, args []string) error {

50 50 51 51

updateMfaConfig(cmd, profiles, profile, &mfaConfig)

52 52 53 -

// check for an assume_role_ttl in the profile if we don't have a more explicit one

53 +

// check profile for both session durations if not explicitly set

54 54

if !cmd.Flags().Lookup("assume-role-ttl").Changed {

55 -

if err := updateDurationFromConfigProfile(profiles, profile, &assumeRoleTTL); err != nil {

56 -

fmt.Fprintln(os.Stderr, "warning: could not parse duration from profile config")

55 +

if err := updateDurationFromConfigProfile(profiles, profile, "assume_role_ttl", &assumeRoleTTL); err != nil {

56 +

fmt.Fprintln(os.Stderr, "warning: could not parse assume_role_ttl from profile config")

57 +

}

58 +

}

59 + 60 +

if !cmd.Flags().Lookup("session-ttl").Changed {

61 +

if err := updateDurationFromConfigProfile(profiles, profile, "session_ttl", &sessionTTL); err != nil {

62 +

fmt.Fprintln(os.Stderr, "warning: could not parse session_ttl from profile config")

57 63

}

58 64

}
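Review bot: The block that resolves both TTLs here is repeated verbatim in credProcessRun, execRun, loginRun and writeToCredentialsRun, so any later change to precedence or error handling for credential lifetimes has to be made in five places and can drift. A single helper called from each command keeps that policy in one spot. The sketch below assumes `assumeRoleTTL` and `sessionTTL` are package-level variables, which the hunk suggests but does not show. Each call site then becomes `applyProfileTTLs(cmd, profiles, profile)`. envRun's body starts and ends outside the hunk.

```go
// applyProfileTTLs copies assume_role_ttl and session_ttl from the profile
// into the TTL variables when the matching flag was not set explicitly.
func applyProfileTTLs(cmd *cobra.Command, profiles lib.Profiles, profile string) {
	ttls := []struct {
		flag, key string
		val       *time.Duration
	}{
		{"assume-role-ttl", "assume_role_ttl", &assumeRoleTTL},
		{"session-ttl", "session_ttl", &sessionTTL},
	}
	for _, t := range ttls {
		if cmd.Flags().Lookup(t.flag).Changed {
			continue
		}
		if err := updateDurationFromConfigProfile(profiles, profile, t.key, t.val); err != nil {
			fmt.Fprintf(os.Stderr, "warning: could not parse %s from profile config\n", t.key)
		}
	}
}
```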

59 65 Original file line number Diff line number Diff line change

@@ -83,8 +83,8 @@ func loadStringFlagFromEnv(cmd *cobra.Command, flagName string, envVar string, v

83 83

return nil

84 84

}

85 85 86 -

func updateDurationFromConfigProfile(profiles lib.Profiles, profile string, val *time.Duration) error {

87 -

fromProfile, _, err := profiles.GetValue(profile, "assume_role_ttl")

86 +

func updateDurationFromConfigProfile(profiles lib.Profiles, profile string, key string, val *time.Duration) error {

87 +

fromProfile, _, err := profiles.GetValue(profile, key)

88 88

if err != nil {

89 89

return nil

90 90

}

@@ -150,10 +150,16 @@ func execRun(cmd *cobra.Command, args []string) error {

150 150 151 151

updateMfaConfig(cmd, profiles, profile, &mfaConfig)

152 152 153 -

// check for an assume_role_ttl in the profile if we don't have a more explicit one

153 +

// check profile for both session durations if not explicitly set

154 154

if !cmd.Flags().Lookup("assume-role-ttl").Changed {

155 -

if err := updateDurationFromConfigProfile(profiles, profile, &assumeRoleTTL); err != nil {

156 -

fmt.Fprintln(os.Stderr, "warning: could not parse duration from profile config")

155 +

if err := updateDurationFromConfigProfile(profiles, profile, "assume_role_ttl", &assumeRoleTTL); err != nil {

156 +

fmt.Fprintln(os.Stderr, "warning: could not parse assume_role_ttl from profile config")

157 +

}

158 +

}

159 + 160 +

if !cmd.Flags().Lookup("session-ttl").Changed {

161 +

if err := updateDurationFromConfigProfile(profiles, profile, "session_ttl", &sessionTTL); err != nil {

162 +

fmt.Fprintln(os.Stderr, "warning: could not parse session_ttl from profile config")

157 163

}

158 164

}
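Review bot: In updateDurationFromConfigProfile the unchanged `if err != nil { return nil }` after `profiles.GetValue(profile, key)` treats every lookup failure as "not set". Now that `key` is a caller-supplied string, a misspelled key at any of the ten call sites would silently leave the default TTL in place. Named constants would remove that risk, e.g. `const profileKeySessionTTL = "session_ttl"` and `const profileKeyAssumeRoleTTL = "assume_role_ttl"`, together with a doc comment stating that a missing key is not an error. The rest of the body is outside the hunk, so it is not visible whether the parsed duration is range-checked; if it is not, rejecting zero or negative values there would cover both keys.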

159 165 Original file line number Diff line number Diff line change

@@ -72,10 +72,16 @@ func loginRun(cmd *cobra.Command, args []string) error {

72 72 73 73

updateMfaConfig(cmd, profiles, profile, &mfaConfig)

74 74 75 -

// check for an assume_role_ttl in the profile if we don't have a more explicit one

75 +

// check profile for both session durations if not explicitly set

76 76

if !cmd.Flags().Lookup("assume-role-ttl").Changed {

77 -

if err := updateDurationFromConfigProfile(profiles, profile, &assumeRoleTTL); err != nil {

78 -

fmt.Fprintln(os.Stderr, "warning: could not parse duration from profile config")

77 +

if err := updateDurationFromConfigProfile(profiles, profile, "assume_role_ttl", &assumeRoleTTL); err != nil {

78 +

fmt.Fprintln(os.Stderr, "warning: could not parse assume_role_ttl from profile config")

79 +

}

80 +

}

81 + 82 +

if !cmd.Flags().Lookup("session-ttl").Changed {

83 +

if err := updateDurationFromConfigProfile(profiles, profile, "session_ttl", &sessionTTL); err != nil {

84 +

fmt.Fprintln(os.Stderr, "warning: could not parse session_ttl from profile config")

79 85

}

80 86

}
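Review bot: The new `session-ttl` branch decides by `Lookup("session-ttl").Changed`, which reflects only whether the flag itself was set, and it is not visible here whether a value taken from `AWS_SESSION_TTL` marks the flag as changed. If it does not, a `session_ttl` in the profile would override the environment variable, which may not be the order users expect from the README. A comment above the block stating the intended order (for example `// precedence: flag, then environment, then profile`, if that is what is meant), plus a test for the environment-set case, would settle it. The same question applies to the other four commands; loginRun's body starts and ends outside the hunk.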

81 87 Original file line number Diff line number Diff line change

@@ -56,10 +56,16 @@ func writeToCredentialsRun(cmd *cobra.Command, args []string) error {

56 56 57 57

updateMfaConfig(cmd, profiles, profile, &mfaConfig)

58 58 59 -

// check for an assume_role_ttl in the profile if we don't have a more explicit one

59 +

// check profile for both session durations if not explicitly set

60 60

if !cmd.Flags().Lookup("assume-role-ttl").Changed {

61 -

if err := updateDurationFromConfigProfile(profiles, profile, &assumeRoleTTL); err != nil {

62 -

fmt.Fprintln(os.Stderr, "warning: could not parse duration from profile config")

61 +

if err := updateDurationFromConfigProfile(profiles, profile, "assume_role_ttl", &assumeRoleTTL); err != nil {

62 +

fmt.Fprintln(os.Stderr, "warning: could not parse assume_role_ttl from profile config")

63 +

}

64 +

}

65 + 66 +

if !cmd.Flags().Lookup("session-ttl").Changed {

67 +

if err := updateDurationFromConfigProfile(profiles, profile, "session_ttl", &sessionTTL); err != nil {

68 +

fmt.Fprintln(os.Stderr, "warning: could not parse session_ttl from profile config")

63 69

}

64 70

}

65 71
