s3-credentials.AmazonS3FullAccess has MaxSessionDuration 3600, should be 12 hours

[simonw]

The s3-credentials.AmazonS3FullAccess role created by this tool turns out to have MaxSessionDuration of 3600 - which means that if it is used with the -d option to create time limited credentials an error will be shown unless that duration is less than one hour.

This code here:

s3-credentials/s3_credentials/cli.py

Lines 830 to 858 in db90d36

	def ensure_s3_role_exists(iam, sts):
	"Create s3-credentials.AmazonS3FullAccess role if not exists, return ARN"
	role_name = "s3-credentials.AmazonS3FullAccess"
	account_id = sts.get_caller_identity()["Account"]
	try:
	role = iam.get_role(RoleName=role_name)
	return role["Role"]["Arn"]
	except iam.exceptions.NoSuchEntityException:
	create_role_response = iam.create_role(
	Description=(
	"Role used by the s3-credentials tool to create time-limited "
	"credentials that are restricted to specific buckets"
	),
	RoleName=role_name,
	AssumeRolePolicyDocument=json.dumps(
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Effect": "Allow",
	"Principal": {
	"AWS": "arn:aws:iam::{}:root".format(account_id)
	},
	"Action": "sts:AssumeRole",
	}
	],
	}
	),
	)

[simonw]

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.create_role confirms that the default value is 1 hour.

[simonw]

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.update_role can be used to update the role to fix this.

[simonw]

~ % s3-credentials list-roles s3-credentials.AmazonS3FullAccess
[
  {
    "Path": "/",
    "RoleName": "s3-credentials.AmazonS3FullAccess",
    "RoleId": "AROAWXFXAIOZKX4I47KJM",
    "Arn": "arn:aws:iam::462092780466:role/s3-credentials.AmazonS3FullAccess",
    "CreateDate": "2021-11-10 01:53:24+00:00",
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::462092780466:root"
          },
          "Action": "sts:AssumeRole",
          "Condition": {}
        }
      ]
    },
    "Description": "Role used by the s3-credentials tool to create time-limited credentials that are restricted to specific buckets",
    "MaxSessionDuration": 3600
  }
]

[simonw]

Manually tested the fix by deleting my s3-credentials.AmazonS3FullAccess role and then running this command:

 % s3-credentials create datasette-cloud-backups -d 1h                    
Assume role against arn:aws:iam::462092780466:role/s3-credentials.AmazonS3FullAccess for 3600s
{
    "AccessKeyId": "ASIAWXFXAIOZG4XZQ54R",
    "SecretAccessKey": "...",
    "SessionToken": "F...",
    "Expiration": "2022-08-01 20:38:24+00:00"
}

So that worked as expected - the role has 12 hours now.

[simonw]

If you are affected by this bug you can fix the role manually by going here:

https://console.aws.amazon.com/iamv2/home#/roles/details/s3-credentials.AmazonS3FullAccess?section=permissions

And clicking the "Edit" button.