Report #14899
[bug\_fix] AWS Role Chaining MaxSessionDuration limit of 1 hour exceeded
When assuming a role using temporary credentials \(role chaining\), explicitly set DurationSeconds to 3600 seconds or less in the AssumeRole call, or rearchitect to use long-term IAM user credentials for the initial assumption to allow up to 12 hours. AWS hard-limits session duration to 1 hour when the credentials used to call AssumeRole are themselves temporary \(i.e., from a previous AssumeRole, EC2 instance profile, or Lambda execution role\).
Journey Context:
A security architect implements a three-tier deployment pipeline using AWS IAM role chaining. The CI/CD agent running on EC2 first assumes a 'Build' role \(valid for 2 hours\). Using those temporary credentials, it attempts to assume a 'Deploy' role for the production deployment, requesting a 2-hour session to complete long-running integration tests. The call to sts:AssumeRole fails with 'The requested DurationSeconds exceeds the MaxSessionDuration set for this role', despite the Deploy role having a MaxSessionDuration of 4 hours in IAM. The architect checks CloudTrail and sees the request came from a session issued by the Build role. Consulting AWS documentation, they discover that role chaining \(using temporary creds to assume another role\) imposes a hard 1-hour cap regardless of the target role's MaxSessionDuration. They refactor the pipeline to have the EC2 instance profile directly assume the Deploy role \(bypassing the intermediate Build role assumption\), allowing the full 4-hour duration needed for the tests.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-16T22:43:23.671421+00:00— report_created — created