From bcd0d4c7176810b2a1381f3096d0a7ace9402504 Mon Sep 17 00:00:00 2001
From: Nalluri Shyam
Date: Thu, 19 Feb 2026 16:39:16 +0530
Subject: [PATCH] fix: add fallback when session duration exceeds role's MaxSessionDuration

When the configured aws_session_duration exceeds the IAM role's MaxSessionDuration, AWS STS returns a ValidationError. Previously, this would cause login to fail immediately. This commit adds error handling to detect this specific ValidationError and automatically retry the AssumeRoleWithSAML call without the DurationSeconds parameter, allowing AWS to use the role's configured maximum duration.
Changes:
- Import aws/awserr for error type checking
- Detect ValidationError with MaxSessionDuration message
- Retry without DurationSeconds on detection
- Log warning and success messages for user clarity
Fixes #1514
Co-Authored-By: Claude Sonnet 4.5
---
 cmd/saml2aws/commands/login.go | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/cmd/saml2aws/commands/login.go b/cmd/saml2aws/commands/login.go
index 986c42e2b..df3a0466b 100644
--- a/cmd/saml2aws/commands/login.go
+++ b/cmd/saml2aws/commands/login.go
@@ -10,6 +10,7 @@ import (
 	"time"
 
 	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/sts"
 	"github.com/pkg/errors"
@@ -393,7 +394,25 @@ func loginToStsUsingRole(account *cfg.IDPAccount, role *saml2aws.AWSRole, samlAs
 
 	resp, err := svc.AssumeRoleWithSAML(params)
 	if err != nil {
-		return nil, errors.Wrap(err, "Error retrieving STS credentials using SAML.")
+		// Check if the error is due to exceeding MaxSessionDuration
+		if awsErr, ok := err.(awserr.Error); ok {
+			if awsErr.Code() == "ValidationError" && strings.Contains(awsErr.Message(), "MaxSessionDuration") {
+				log.Printf("Warning: Requested session duration (%d seconds) exceeds the role's MaxSessionDuration.", account.SessionDuration)
+				log.Println("Retrying with role's default/maximum session duration...")
+
+				// Retry without DurationSeconds - AWS will use the role's MaxSessionDuration
+				params.DurationSeconds = nil
+				resp, err = svc.AssumeRoleWithSAML(params)
+				if err != nil {
+					return nil, errors.Wrap(err, "Error retrieving STS credentials using SAML (retry with default duration).")
+				}
+				log.Println("Successfully obtained credentials with role's maximum session duration.")
+			} else {
+				return nil, errors.Wrap(err, "Error retrieving STS credentials using SAML.")
+			}
+		} else {
+			return nil, errors.Wrap(err, "Error retrieving STS credentials using SAML.")
+		}
 	}
 
 	return &awsconfig.AWSCredentials{
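Review bot: The retry comment and both log lines (`// Retry without DurationSeconds - AWS will use the role's MaxSessionDuration` and `Successfully obtained credentials with role's maximum session duration.`) say the fallback yields the role's maximum, but an AssumeRoleWithSAML call without DurationSeconds gets the STS default of 3600 seconds, which can be much shorter than the role's MaxSessionDuration, so the user is told they received a longer session than they did. Reword them as "STS default session duration" (or log the actual `resp.Credentials.Expiration`), and add a comment noting that matching on `awsErr.Message()` text is brittle because AWS does not guarantee the error wording. The same branch repeats `return nil, errors.Wrap(err, "Error retrieving STS credentials using SAML.")` in both `else` arms; folding the detection into one condition and keeping a single error return after the optional retry removes the duplication and leaves the happy path left-aligned, as below (the separate "(retry with default duration)" wrap message is dropped there; keep it if callers rely on it). `strings.Contains` assumes `strings` is already imported above the visible import hunk, which cannot be confirmed from this diff. loginToStsUsingRole starts and ends outside the hunk.
```go
	resp, err := svc.AssumeRoleWithSAML(params)
	// STS rejects DurationSeconds above the role's MaxSessionDuration with a
	// ValidationError. Retry once without DurationSeconds so STS applies its
	// default (3600s), not the role's maximum; resp.Credentials.Expiration is
	// the authoritative expiry. Message matching is brittle: AWS does not
	// guarantee the wording.
	if awsErr, ok := err.(awserr.Error); ok && awsErr.Code() == "ValidationError" && strings.Contains(awsErr.Message(), "MaxSessionDuration") {
		log.Printf("Warning: Requested session duration (%d seconds) exceeds the role's MaxSessionDuration.", account.SessionDuration)
		log.Println("Retrying with the STS default session duration...")
		params.DurationSeconds = nil
		resp, err = svc.AssumeRoleWithSAML(params)
	}
	if err != nil {
		return nil, errors.Wrap(err, "Error retrieving STS credentials using SAML.")
	}
	// … unchanged: build and return awsconfig.AWSCredentials …
```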