RDS generate-db-auth-token can generated expired token if your main token has expired #4613

Closed
pserrano opened this issue Oct 25, 2019 · 4 comments
Labels
closed-for-staleness feature-request A feature should be added or improved.

Comments

pserrano commented Oct 25, 2019

Hello everyone,

I will try to explain my case here. I usually log in to a few accounts with an expiration time, like 4 hours for each main token. When this time has passed in your session, you can generate an "expired" token to log in to RDS IAM when you execute this command:

  aws rds generate-db-auth-token \
   --hostname the-rds-server \
   --port 3306 \
   --region eu-central-1 \
   --username username

And this command generates the password/token, but it isn't valid because your session has gone.

Is there any possibility to avoid this or give an error message?

I think it's very useful to get an error so you don't waste time looking for the error. In other services you get an error like:

aws s3api get-bucket-policy --bucket demo-bucked
An error occurred (ExpiredToken) when calling the GetBucketPolicy operation: The provided token has expired.

I hope that you can fix it. Thanks

@pserrano pserrano changed the title RDS generate-db-auth-token can generated expired token if your main token has been expired RDS generate-db-auth-token can generated expired token if your main token has expired Oct 25, 2019
Contributor

joguSD commented Oct 30, 2019

While I could definitely see how this could be useful, I don't know if there's a way for us to know if an arbitrary set of credentials has expired or not without making an API call. Perhaps we could do an STS GetCallerIdentity call to sanity check the credentials before using them to generate this but it would have to be behind a flag / options for sure...

How are you getting these temporary credentials? Perhaps using a different credential provider you could avoid using expired credentials?

Alternatively, you could just have a script do an aws sts get-caller-identity call before the token generation.
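
The pre-check suggested in the comment above, as an added example that is not part of the original thread or of the AWS CLI project: a wrapper that runs `aws sts get-caller-identity` first and only then `aws rds generate-db-auth-token`. The function name `rds_token_checked` and the script name in the comments are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: validate the active credentials with STS before generating
# an RDS IAM auth token. generate-db-auth-token signs locally and makes no
# API call, so it cannot notice an expired session by itself.

# rds_token_checked HOST PORT REGION DBUSER   (hypothetical helper name)
# Prints the token on stdout. Returns 1 and prints no token if STS rejects
# the credentials, 2 on a usage error.
rds_token_checked() {
    if [ "$#" -ne 4 ]; then
        echo "usage: rds_token_checked HOST PORT REGION DBUSER" >&2
        return 2
    fi
    local host="$1" port="$2" region="$3" dbuser="$4" err

    # STS rejects expired session credentials, so this call fails where the
    # local signing step would silently succeed. Only stderr is captured.
    if ! err=$(aws sts get-caller-identity --region "$region" \
                 --output text --query Arn 2>&1 >/dev/null); then
        echo "credential check failed, not generating a token:" >&2
        echo "$err" >&2
        return 1
    fi

    aws rds generate-db-auth-token \
        --hostname "$host" --port "$port" \
        --region "$region" --username "$dbuser"
}

# Direct use: ./rds-token.sh the-rds-server 3306 eu-central-1 username
if [ "$#" -gt 0 ]; then
    rds_token_checked "$@"
fi
```

The check costs one extra API call per token, and the session can still expire between the check and the database connection, so the wrapper narrows the window rather than closing it.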

@joguSD joguSD added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Oct 30, 2019
@pserrano
Author

Hi, thanks for your reply.

I am using OneLogin with a SAML config to log in to AWS, and this generates tokens for 4 hours. Anyway, I could add a workaround to my script, but it sounds strange that aws s3 has this kind of control and aws rds doesn't. I think this could be useful, like the aws s3 ExpiredToken control.

@no-response no-response bot removed the closing-soon This issue will automatically close in 4 days unless further comments are made. label Oct 31, 2019
@kdaily kdaily added the feature-request A feature should be added or improved. label Aug 31, 2020
@pserrano
Author

Any ETA?

@github-actions

Greetings! It looks like this issue hasn’t been active in longer than one year. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Jun 10, 2022