Can I increase the IAM role chaining session duration limit?

Last updated: 2021-04-16

I used the AssumeRole API to assume an AWS Identity and Access Management (IAM) role using temporary credentials, but I received an error similar to the following:

"The requested DurationSeconds exceeds the 1 hour session limit for roles assumed by role chaining".

Short description

You can use role chaining to assume a role with temporary security credentials using the AWS Command Line Interface (AWS CLI). For more information, see the role chaining section in roles terms and concepts.

Note: Role chaining limits your AWS CLI or AWS API role session to a maximum of one hour, and this limit can't be increased. For more information, see Roles terms and concepts.

Resolution

Use the following best practices with role chaining:

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

  • The operation fails if the DurationSeconds parameter value for the temporary credentials is greater than one hour.
  • The one-hour role chaining limit applies only to the AWS CLI or API.
  • The AWS Management Console doesn't support role chaining. You can use the switch role feature in the Console to get a role's temporary credentials. The Console uses the credentials of the IAM or federated user to switch to another role. For more information, see switching to a role (console).
  • Multi-Factor Authentication (MFA) users with the AWS CLI use temporary credentials to assume another role. These temporary credentials come from the AWS STS GetSessionToken API and are limited to one hour.
  • If role chaining is used to assume Role B for the same AWS account as Role A, then assign additional permissions to Role A to avoid role chaining into Role B.
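
The following added example (not part of the original article) checks whether the current credentials are already a role session and, if so, caps DurationSeconds at one hour before calling AssumeRole, so the request doesn't fail with the error above. The function names are hypothetical, and the script assumes the AWS CLI is installed and configured.

```shell
#!/bin/sh
# Added example: keep DurationSeconds within the role chaining limit.
# Function names are hypothetical helpers, not AWS CLI features.
CHAIN_LIMIT=3600   # one-hour cap for role chaining, as stated in the article

# is_role_session CALLER_ARN
# Succeeds when the caller is an assumed-role session, which means a further
# AssumeRole call made with these credentials is role chaining.
is_role_session() {
    case "$1" in
        arn:*:sts::*:assumed-role/*) return 0 ;;
        *) return 1 ;;
    esac
}

# effective_duration CALLER_ARN REQUESTED_SECONDS
# Prints the DurationSeconds value to send: capped at CHAIN_LIMIT when
# chaining, unchanged otherwise. Returns 2 on a non-numeric duration.
effective_duration() {
    case "$2" in
        ''|*[!0-9]*) echo "invalid duration: $2" >&2; return 2 ;;
    esac
    if is_role_session "$1" && [ "$2" -gt "$CHAIN_LIMIT" ]; then
        echo "$CHAIN_LIMIT"
    else
        echo "$2"
    fi
}

# assume_role_safely ROLE_ARN SESSION_NAME REQUESTED_SECONDS
# Looks up the current identity, then assumes the role with a safe duration.
assume_role_safely() {
    caller_arn=$(aws sts get-caller-identity --query Arn --output text) || return 1
    duration=$(effective_duration "$caller_arn" "$3") || return 1
    aws sts assume-role --role-arn "$1" --role-session-name "$2" \
        --duration-seconds "$duration"
}

# Run only when invoked as: script ROLE_ARN SESSION_NAME REQUESTED_SECONDS
if [ "$#" -eq 3 ]; then
    assume_role_safely "$@"
fi
```

When the caller is not a role session, the requested value is passed through unchanged and is still subject to the target role's own maximum session duration.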
