Can I increase the IAM role chaining session duration limit?
Last updated: 2021-04-16
I used the AssumeRole API to assume an AWS Identity and Access Management (IAM) role using temporary credentials, but I received an error similar to the following:
"The requested DurationSeconds exceeds the 1 hour session limit for roles assumed by role chaining".
You can use role chaining to assume a role with temporary security credentials using the AWS Command Line Interface (AWS CLI). For more information, see the role chaining section in roles terms and concepts.
Note: Role chaining limits your AWS CLI or AWS API role session to a maximum of one hour. This limit can't be increased. For more information, see Roles terms and concepts.
Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent version of the AWS CLI.
Use the following best practices with role chaining:
- The operation fails if the DurationSeconds parameter value for the temporary credentials is greater than one hour.
- The role chaining one hour limit only applies to the AWS CLI or API.
- The AWS Management Console doesn't support role chaining. You can use the switch role feature in the Console to get a role's temporary credentials. The Console uses the credentials of the IAM or federated user to switch to another role. For more information, see switching to a role (console).
- Multi-Factor Authentication (MFA) users with the AWS CLI use temporary credentials to assume another role. The temporary credentials use the AWS STS GetSessionToken API and are limited to one hour.
- If you use role chaining to assume Role B in the same AWS account as Role A, then assign the additional permissions to Role A instead, so that you don't need to chain into Role B.
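The following pre-flight check is an added example, not code from AWS or from the original article. It assumes that you pass in the caller ARN reported by `aws sts get-caller-identity`. The function names, the session name, and the sample ARNs are hypothetical. The check detects a role session (which makes the next AssumeRole call role chaining), clamps DurationSeconds to one hour in that case, and flags the same-account case from the last best practice. For callers that aren't role sessions, the requested value is passed through unchanged.

```python
import re

CHAINED_MAX_SECONDS = 3600  # role chaining limit described in this article
MIN_SECONDS = 900           # smallest DurationSeconds that AssumeRole accepts

# Caller ARN shape for a role session:
# arn:<partition>:sts::<account-id>:assumed-role/<role-name>/<session-name>
_ASSUMED_ROLE = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):sts::(\d{12}):assumed-role/([^/]+)/(.+)$"
)


def parse_role_session(caller_arn):
    """Return (account_id, role_name) if the caller is a role session, else None."""
    m = _ASSUMED_ROLE.match(caller_arn)
    return (m.group(2), m.group(3)) if m else None


def plan_assume_role(caller_arn, target_role_arn, requested_seconds):
    """Build AssumeRole parameters that stay within the role chaining limit."""
    if requested_seconds < MIN_SECONDS:
        raise ValueError("DurationSeconds must be at least 900")
    session = parse_role_session(caller_arn)
    chained = session is not None
    duration = requested_seconds
    if chained:
        duration = min(requested_seconds, CHAINED_MAX_SECONDS)
    target_account = target_role_arn.split(":")[4]
    return {
        "chained": chained,
        "clamped": duration != requested_seconds,
        # True means Role A and Role B share an account: consider granting
        # Role A the permissions directly instead of chaining.
        "same_account": chained and session[0] == target_account,
        "params": {
            "RoleArn": target_role_arn,
            "RoleSessionName": "preflight-example",  # hypothetical name
            "DurationSeconds": duration,
        },
    }


if __name__ == "__main__":
    # Constructed sample ARNs, not taken from a real account.
    caller = "arn:aws:sts::111122223333:assumed-role/RoleA/dev-session"
    print(plan_assume_role(caller, "arn:aws:iam::111122223333:role/RoleB", 7200))
```

The `params` dictionary matches the request parameters of the AssumeRole API, so you can pass it to your SDK call after you review the `chained` and `same_account` flags.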