Allow ability to set max_session_duration for alks_iamtrustrole #43

Open
codezninja opened this issue Feb 6, 2019 · 4 comments

@codezninja
Contributor

codezninja commented Feb 6, 2019

I would like to manage the max_session_duration of an IAM role through Terraform. This is supported in the native AWS provider. Is this something we can add?

@aaron-seitz
Contributor

The Internal Tools team has discussed this some - given that the current default of 1 hr could be extended up to 12 hr, we think that it would be good for Security to take a peek at this to ensure there aren't any concerns there, especially in the context of L2 accounts.

We would appreciate some additional context behind the request and the use case it represents - what is the use case you're intending to use this for?

@jeremiahlukus

@aaron-seitz any news on this?

I have a team that runs a script in Jenkins to refresh our Elasticsearch index. This process takes multiple hours to run. In order to do it we need the bento role attached. Increasing the time limit will allow for the script to finish before losing access to the prod account.

@jeremiahlukus

@amagana3 ?

@codezninja
Contributor Author

@aaron-seitz it's been a while. A few roles that get created through Terraform might have sessions where they need a few hours to run. For example, roles attached to CI/CD that run migrations that take a few hours.

Currently teams can work around this by manually updating the max session. This is less than ideal because if we decided to recreate the role, someone has to remember to manually update it.

What security concerns do you have if roles can be updated now manually with max_session_duration?
