Can I increase the IAM role chaining session duration limit?
Last updated: 2020-12-09
I used the AssumeRole API to assume an AWS Identity and Access Management (IAM) role using temporary credentials and received an error similar to the following:
"The requested DurationSeconds exceeds the 1 hour session limit for roles assumed by role chaining".
You can use role chaining to assume a role with temporary security credentials using the AWS Command Line Interface (AWS CLI). For more information, see the role chaining section in roles terms and concepts.
Use the following best practices with role chaining:
Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.
- The operation fails if the DurationSeconds parameter value for the temporary credentials is greater than one hour.
- The role chaining one hour limit only applies to the AWS CLI or API.
- The AWS Console doesn't support role chaining. You can use the switch role feature in the AWS Console to get a role's temporary credentials. The AWS Console uses the credentials of the IAM or federated user to switch to another role. For more information, see switching to a role (console).
- Multi-Factor Authentication (MFA) users with the AWS CLI use temporary credentials to assume another role. The temporary credentials use the AWS STS GetSessionToken API and are limited to one hour.
- If role chaining is used to assume Role B for the same AWS account as Role A, then assign permissions to Role A to avoid the one hour limit. If role chaining is used with a different AWS account, then the session duration limit is one hour.