Can I increase the duration of the IAM role chaining session?


I used the AssumeRole API with temporary credentials to assume an AWS Identity and Access Management (IAM) role. However, I received an error similar to the following: "The requested DurationSeconds exceeds the 1 hour session limit for roles assumed by role chaining."

Resolution

To assume a role by using temporary security credentials, use the AWS Command Line Interface (AWS CLI) with role chaining. Role chaining limits your AWS CLI or AWS API role session to a maximum of 1 hour. You can't increase the session duration. The 1-hour maximum duration applies only to the AWS CLI and API.

For more information about role chaining, see the role chaining section in Roles terms and concepts.

Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Use the following best practices with role chaining:

  • When the DurationSeconds parameter value for the temporary credentials is greater than 1 hour, the operation fails.
  • The AWS Management Console doesn't support role chaining. To get a role's temporary credentials, use the switch role feature in the AWS Management Console. The AWS Management Console uses the credentials of the IAM or federated user to switch to another role.
  • Users that use Multi-Factor Authentication (MFA) with the AWS CLI use temporary credentials to assume another role. The temporary credentials use the AWS STS GetSessionToken API and are limited to 1 hour.
  • If you use role chaining to assume Role B for the same AWS account as Role A, then assign additional permissions to Role A. The additional permissions for Role A avoid role chaining into Role B.
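The following added example (not AWS's own code) shows one way to avoid the error before the call: it checks whether the caller is itself a role session, caps DurationSeconds at 1 hour in that case, and flags same-account chaining. The function names, the returned dictionary keys, and the sample ARNs are assumptions made for illustration; it detects only the case where the caller ARN is an assumed-role session.

```python
import re

CHAINED_MAX = 3600   # role-chaining cap from the article (1 hour)
STS_MIN = 900        # lowest DurationSeconds that AssumeRole accepts

# ARN of a role session as returned by sts:GetCallerIdentity
SESSION_ARN = re.compile(r"^arn:aws[\w-]*:sts::(\d{12}):assumed-role/([^/]+)/.+$")
# ARN of the role to assume (optional path before the role name)
ROLE_ARN = re.compile(r"^arn:aws[\w-]*:iam::(\d{12}):role/(?:.+/)?([^/]+)$")


def plan_assume_role(caller_arn, target_role_arn, requested_seconds):
    """Decide which DurationSeconds to send and flag same-account chaining."""
    target = ROLE_ARN.match(target_role_arn)
    if not target:
        raise ValueError(f"not an IAM role ARN: {target_role_arn}")
    if requested_seconds < STS_MIN:
        raise ValueError(f"DurationSeconds must be at least {STS_MIN}")
    session = SESSION_ARN.match(caller_arn)
    chained = session is not None
    duration = min(requested_seconds, CHAINED_MAX) if chained else requested_seconds
    return {
        "chained": chained,
        "duration_seconds": duration,
        "clamped": duration != requested_seconds,
        # Same account: the article suggests granting Role A the permissions instead
        "same_account": chained and session.group(1) == target.group(1),
    }


def assume_role(target_role_arn, session_name, requested_seconds):
    """Call STS with the planned duration (needs boto3 and live credentials)."""
    import boto3  # imported lazily so the planning logic runs offline
    sts = boto3.client("sts")
    plan = plan_assume_role(sts.get_caller_identity()["Arn"],
                            target_role_arn, requested_seconds)
    resp = sts.assume_role(RoleArn=target_role_arn, RoleSessionName=session_name,
                           DurationSeconds=plan["duration_seconds"])
    return plan, resp["Credentials"]


if __name__ == "__main__":
    # Constructed sample ARNs (account IDs are placeholders)
    caller = "arn:aws:sts::111111111111:assumed-role/RoleA/cli-session"
    print(plan_assume_role(caller, "arn:aws:iam::222222222222:role/RoleB", 7200))
```

When the caller is not a role session, the requested value passes through unchanged and the target role's own maximum session duration still applies.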

Related information

Troubleshooting IAM and Amazon Elastic Compute Cloud (Amazon EC2)