
fix: add fallback when session duration exceeds role's MaxSessionDuration #1515

Open
shyamnalluri wants to merge 1 commit into Versent:master from shyamnalluri:fix/max-session-duration-fallback

Conversation

@shyamnalluri shyamnalluri commented Feb 19, 2026

Description

Fixes #1514

When the configured aws_session_duration exceeds the IAM role's MaxSessionDuration, AWS STS returns a ValidationError that previously caused login to fail immediately. This PR adds graceful error handling to automatically retry with the role's configured maximum duration.

Changes

  • Added awserr import for AWS error type checking
  • Implemented detection of ValidationError with "MaxSessionDuration" message
  • Added automatic retry logic without DurationSeconds parameter
  • Added user-friendly warning and success messages

Behavior

Before

Error logging into AWS role using SAML assertion.: Error retrieving STS credentials using SAML.: ValidationError: The requested DurationSeconds exceeds the MaxSessionDuration set for this role.

❌ Login fails completely

After

Requesting AWS credentials using SAML assertion.
Warning: Requested session duration (43200 seconds) exceeds the role's MaxSessionDuration.
Retrying with role's default/maximum session duration...
Successfully obtained credentials with role's maximum session duration.
Logged in as: arn:aws:sts::123456789012:assumed-role/MyRole/user@example.com

✅ Login succeeds with role's maximum duration

Testing

  • Tested with session duration exceeding role's max (43200s requested, role max 3600s)
  • Verified fallback retry works correctly
  • Verified user receives clear warning messages
  • Verified credentials are obtained successfully
  • Tested with session duration within role's limit (no fallback triggered)

Compatibility

  • No breaking changes
  • Backward compatible with existing configurations
  • No changes to API or configuration format

fix: add fallback when session duration exceeds role's MaxSessionDuration

When the configured aws_session_duration exceeds the IAM role's
MaxSessionDuration, AWS STS returns a ValidationError. Previously,
this would cause login to fail immediately.

This commit adds error handling to detect this specific ValidationError
and automatically retry the AssumeRoleWithSAML call without the
DurationSeconds parameter, allowing AWS to use the role's configured
maximum duration.

Changes:
- Import aws/awserr for error type checking
- Detect ValidationError with MaxSessionDuration message
- Retry without DurationSeconds on detection
- Log warning and success messages for user clarity

Fixes Versent#1514

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
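A stand-alone Go sketch of the detect-and-retry logic the PR description and commit message above explain, added here as an illustration; it is not the project's code and it does not import the AWS SDK. It assumes saml2aws calls sts.AssumeRoleWithSAML through aws-sdk-go v1, whose awserr.Error exposes Code() and Message(); the stsError interface, the fakeSTSError type, the newFakeSTS simulator, assumeWithFallback, grantedSeconds and the 7200-second role maximum are all constructed for this example. One caveat a practitioner should check before trusting the "role's maximum session duration" message: when DurationSeconds is omitted, AssumeRoleWithSAML applies the STS default of 3600 seconds, not the role's MaxSessionDuration, so a fallback session is one hour long whatever the role allows. The test described above used a role maximum of 3600 seconds, where the two coincide. The example therefore reports the expiry STS actually returned instead of announcing the role's maximum.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// stsError mirrors the Code() and Message() methods of aws-sdk-go v1's
// awserr.Error so that isMaxSessionDurationError works unchanged against a
// real STS error (assumption: the project uses aws-sdk-go v1) and against the
// constructed fake below. No AWS SDK is imported; this file runs offline.
type stsError interface {
	error
	Code() string
	Message() string
}

// fakeSTSError is a constructed stand-in for an awserr.Error value.
type fakeSTSError struct{ code, msg string }

func (e fakeSTSError) Error() string   { return e.code + ": " + e.msg }
func (e fakeSTSError) Code() string    { return e.code }
func (e fakeSTSError) Message() string { return e.msg }

// assumeFn models the sts.AssumeRoleWithSAML call. durationSeconds == 0 means
// the DurationSeconds parameter is omitted from the request. It returns the
// Expiration of the credentials STS would hand back.
type assumeFn func(durationSeconds int64) (time.Time, error)

// isMaxSessionDurationError is the detection rule the PR describes: a
// ValidationError whose message mentions MaxSessionDuration. Any other error
// (AccessDenied, ExpiredToken, a network failure) must not trigger the retry.
func isMaxSessionDurationError(err error) bool {
	var e stsError
	if !errors.As(err, &e) {
		return false
	}
	return e.Code() == "ValidationError" && strings.Contains(e.Message(), "MaxSessionDuration")
}

// assumeWithFallback tries the requested duration and, on the specific
// MaxSessionDuration ValidationError only, retries exactly once with
// DurationSeconds omitted. STS then applies its default of 3600 seconds, not
// the role's maximum, so the caller is given the real expiry to report.
func assumeWithFallback(assume assumeFn, requested int64, warn func(string)) (time.Time, error) {
	exp, err := assume(requested)
	if err == nil {
		return exp, nil
	}
	if !isMaxSessionDurationError(err) {
		return time.Time{}, err // unrelated failure: surface it unchanged
	}
	warn(fmt.Sprintf("requested session duration (%d seconds) exceeds the role's MaxSessionDuration; "+
		"retrying without DurationSeconds (STS default: 3600 seconds)", requested))
	return assume(0)
}

// grantedSeconds reports how long the returned credentials are actually valid,
// which is the number to show the user after a fallback.
func grantedSeconds(now, exp time.Time) int64 {
	return int64(exp.Sub(now) / time.Second)
}

// newFakeSTS builds a simulated STS endpoint for a role whose
// MaxSessionDuration is maxSeconds. It reproduces the two STS behaviours that
// matter here: the ValidationError text quoted in the PR, and the 3600-second
// default when DurationSeconds is omitted. (A role's MaxSessionDuration can
// never be below 3600, so the fallback request is always accepted.)
func newFakeSTS(maxSeconds int64, now time.Time) assumeFn {
	return func(durationSeconds int64) (time.Time, error) {
		if durationSeconds == 0 {
			durationSeconds = 3600
		}
		if durationSeconds > maxSeconds {
			return time.Time{}, fakeSTSError{
				code: "ValidationError",
				msg:  "The requested DurationSeconds exceeds the MaxSessionDuration set for this role.",
			}
		}
		return now.Add(time.Duration(durationSeconds) * time.Second), nil
	}
}

func main() {
	now := time.Date(2026, 2, 19, 12, 0, 0, 0, time.UTC)
	// Constructed scenario: aws_session_duration = 43200 against a role whose
	// MaxSessionDuration is 7200, so the fallback shows up as a 3600s session.
	sts := newFakeSTS(7200, now)
	exp, err := assumeWithFallback(sts, 43200, func(msg string) { fmt.Println("Warning:", msg) })
	if err != nil {
		fmt.Println("login failed:", err)
		return
	}
	fmt.Printf("credentials valid for %d seconds (until %s)\n", grantedSeconds(now, exp), exp.Format(time.RFC3339))
}
```

The retry is attempted once and only for the exact error class, so a throttled or denied call still fails loudly. STS does not include the role's limit in the error text, so if the operator wants the role's full maximum rather than one hour, the value has to come from elsewhere, for example setting aws_session_duration to the role's MaxSessionDuration in the config.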

Development

Successfully merging this pull request may close these issues.

ValidationError when session duration exceeds role's MaxSessionDuration causes login failure

1 participant