Can we make MFA session tokens expire in less than 12 hours? #2177

gerrymiller · 2016-09-19T13:09:02Z

We are using IAM roles with CLI, as described in this article, by setting our ~/.aws/config file to look something like this:

[profile poweruser]
role_arn = arn:aws:iam::111111111111:role/PowerUser
source_profile = default
mfa_serial = arn:aws:iam::111111111111:mfa/johndoe

Is there a configuration setting we can use to make the resultant session token expire in less than the default 12 hours? I know that's an option in get-session-token (using the --duration-seconds parameter) but can't figure out if this is possible when configuring AWSCLI to prompt for an MFA code.

If this is currently not possible, it would make a great new feature!

The text was updated successfully, but these errors were encountered:

JordonPhillips · 2016-09-23T16:23:12Z

There is not currently a way to set the duration-seconds of the call, but since under the hood we're using assume-role not get-session-token, the default duration is 1 hour rather than 12. I'm not sure that less than one hour is particularly useful, what do you think?

gerrymiller · 2016-09-24T00:17:07Z

That's awesome, thank you.

JordonPhillips added the needs-discussion label Sep 23, 2016

gerrymiller closed this as completed Sep 24, 2016

ajohnstone mentioned this issue Aug 4, 2017

Feature - Specify the AWS_SESSION_DURATION for MFA session tokens #2748

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Can we make MFA session tokens expire in less than 12 hours? #2177

Can we make MFA session tokens expire in less than 12 hours? #2177

gerrymiller commented Sep 19, 2016

JordonPhillips commented Sep 23, 2016

gerrymiller commented Sep 24, 2016

Can we make MFA session tokens expire in less than 12 hours? #2177

Can we make MFA session tokens expire in less than 12 hours? #2177

Comments

gerrymiller commented Sep 19, 2016

JordonPhillips commented Sep 23, 2016

gerrymiller commented Sep 24, 2016