I am setting up our AWS to have multiple accounts, with our IAM users defined in one account and our resources defined in one or more other accounts, with policies set up to allow users to assume roles on the production and staging accounts. I am using this Coinbase blog post as a guide. In a nutshell, the approach is to call aws sts get-session-token to get temporary credentials (you have to do this if you use MFA), and then use those credentials to call assume-role for the role you want.
However, it appears that you can't assume-role with a duration any longer than an hour using temporary credentials. When I run this:
aws sts assume-role --role-arn arn:aws:iam::<REDACTED>:role/power-user --role-session-name my_session --duration-seconds <DURATION>
If I use a duration any longer than an hour, I get this error:
An error occurred (ValidationError) when calling the AssumeRole operation: The requested DurationSeconds exceeds the 1 hour session limit for roles assumed by role chaining.
This will be a hard sell for my dev team if they have to enter their MFA tokens once an hour. Is there a way to assume-role with temporary credentials that last more than an hour?
You can assume a role for 12 hours if you are using IAM long-term creds. Whereas if you are using temporary creds (e.g. from GetSessionToken API) to call AssumeRole, then you cannot assume the role for more than an hour.
I wonder why you would need to call the GetSessionToken API first and not use the AssumeRole API directly with MFA?
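The approach the answer suggests, as an added example that is not part of the original question or answer: call AssumeRole once, directly from the IAM user's long-term credentials, passing the MFA device and token code, so the call is not role chaining and the session can be requested for up to the role's MaxSessionDuration. The role ARN, MFA device ARN, token code and the 43200-second (12 hour) duration are placeholders and assumptions; the role's administrator must also have raised MaxSessionDuration on the role above its 1 hour default, or the same call fails with a duration error from the other direction.

```shell
#!/bin/sh
# Added example, not code from the question, the answer or the Coinbase post.
# AssumeRole with MFA straight from long-term IAM user credentials, so the
# resulting session is not subject to the 1 hour role-chaining cap.
# All ARNs and the 43200 s duration below are placeholders / assumptions.

# Return 0 if the requested duration can be granted, 1 if the caller already
# holds temporary credentials (AWS_SESSION_TOKEN set), which makes the call
# role chaining and caps DurationSeconds at 3600 regardless of the role.
chain_limit_ok() {
    duration="$1"
    if [ -n "${AWS_SESSION_TOKEN:-}" ] && [ "$duration" -gt 3600 ]; then
        return 1
    fi
    return 0
}

# Assume a role with an MFA code and print shell export lines.
# Usage: eval "$(assume_with_mfa ROLE_ARN MFA_DEVICE_ARN TOKEN_CODE [SECONDS])"
assume_with_mfa() {
    role_arn="$1"; mfa_arn="$2"; token_code="$3"; duration="${4:-43200}"

    chain_limit_ok "$duration" || {
        echo "refusing: temporary credentials in environment; AssumeRole would cap the session at 3600s" >&2
        return 1
    }

    # --serial-number and --token-code are the MFA parameters of AssumeRole;
    # --query/--output text gives one tab-separated line we can split safely.
    creds=$(aws sts assume-role \
        --role-arn "$role_arn" \
        --role-session-name "${USER:-dev}-$(date +%s)" \
        --serial-number "$mfa_arn" \
        --token-code "$token_code" \
        --duration-seconds "$duration" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
        --output text) || return 1

    # Split on the default IFS (tab) into the four credential fields.
    set -- $creds
    printf 'export AWS_ACCESS_KEY_ID=%s\n' "$1"
    printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$2"
    printf 'export AWS_SESSION_TOKEN=%s\n' "$3"
    printf '# session expires at %s\n' "$4"
}

# Example invocation with placeholder values (replace before real use):
# eval "$(assume_with_mfa \
#   arn:aws:iam::111122223333:role/power-user \
#   arn:aws:iam::444455556666:mfa/alice 123456 43200)"
```

Because the MFA check now happens inside AssumeRole rather than GetSessionToken, the role's trust policy should carry a condition on aws:MultiFactorAuthPresent so that a call without a valid token code is rejected; otherwise the shorter path removes the MFA requirement rather than just the extra hop.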