diff --git a/components/gitpod-cli/cmd/idp-login-aws.go b/components/gitpod-cli/cmd/idp-login-aws.go
index 976d55edd2cb2c..df5b3d5d86405f 100644
--- a/components/gitpod-cli/cmd/idp-login-aws.go
+++ b/components/gitpod-cli/cmd/idp-login-aws.go
@@ -21,18 +21,23 @@ const (
 )
 var idpLoginAwsOpts struct {
-	RoleARN string
-	Profile string
+	RoleARN string
+	Profile string
+	DurationSeconds int
 }
 var idpLoginAwsCmd = &cobra.Command{
 	Use: "aws",
 	Short: "Login to AWS",
+	Long: "Obtains credentials to access AWS. The command delegates to `aws sts assume-role-with-web-identity`, see https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-web-identity.html for more details.",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		cmd.SilenceUsage = true
 		if idpLoginAwsOpts.RoleARN == "" {
 			return fmt.Errorf("missing --role-arn or IDP_AWS_ROLE_ARN env var")
 		}
+		if idpLoginAwsOpts.DurationSeconds <= 0 {
+			return fmt.Errorf("invalid --duration-seconds: %d, must be a positive integer", idpLoginAwsOpts.DurationSeconds)
+		}
 		ctx, cancel := context.WithTimeout(cmd.Context(), 5*time.Second)
 		defer cancel()
@@ -47,7 +52,12 @@ var idpLoginAwsCmd = &cobra.Command{
 			return err
 		}
 
-		awsCmd := exec.Command("aws", "sts", "assume-role-with-web-identity", "--role-arn", idpLoginAwsOpts.RoleARN, "--role-session-name", fmt.Sprintf("%s-%d", wsInfo.WorkspaceId, time.Now().Unix()), "--web-identity-token", tkn)
+		awsCmd := exec.Command("aws", "sts", "assume-role-with-web-identity",
+			"--role-arn", idpLoginAwsOpts.RoleARN,
+			"--role-session-name", fmt.Sprintf("%s-%d", wsInfo.WorkspaceId, time.Now().Unix()),
+			"--web-identity-token", tkn,
+			"--duration-seconds", fmt.Sprintf("%d", idpLoginAwsOpts.DurationSeconds),
+		)
 		out, err := awsCmd.CombinedOutput()
 		if err != nil {
 			return fmt.Errorf("%w: %s", err, string(out))
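Review bot: The new `DurationSeconds <= 0` guard in RunE still lets values between 1 and 899 through to the CLI, which STS rejects because AssumeRoleWithWebIdentity's documented minimum session duration is 900 seconds; validating the lower bound locally gives the user a clear error before a network round trip, e.g. `if idpLoginAwsOpts.DurationSeconds < 900 { return fmt.Errorf("invalid --duration-seconds: %d, must be at least 900 (15 minutes)", idpLoginAwsOpts.DurationSeconds) }`. The upper bound depends on the role's configured maximum session duration, so leaving that to STS is reasonable. The RunE function continues past the end of the hunk.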
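Review bot: The rewritten exec.Command still passes the OIDC token as a plain argv value (`"--web-identity-token", tkn`), so it is readable from the process list (`ps`, `/proc/<pid>/cmdline`) by any process in the workspace for as long as the aws CLI runs. Writing the token to a 0600 temporary file and handing the CLI `file://<path>` (the AWS CLI's parameter-from-file syntax) keeps it out of argv; confirm that the installed CLI honours `file://` for this parameter before switching. While touching the line, `strconv.Itoa` is the idiomatic conversion for the duration, which would need `strconv` added to the import block outside this hunk. The enclosing RunE function starts and ends outside the hunk.
```go
		// Keep the OIDC token off argv: the argument list is visible to every
		// process that can list processes, a 0600 temp file is not.
		tokenFile, err := os.CreateTemp("", "gitpod-idp-token-*")
		if err != nil {
			return err
		}
		defer os.Remove(tokenFile.Name())
		if _, err := tokenFile.WriteString(tkn); err != nil {
			tokenFile.Close()
			return err
		}
		if err := tokenFile.Close(); err != nil {
			return err
		}
		awsCmd := exec.Command("aws", "sts", "assume-role-with-web-identity",
			"--role-arn", idpLoginAwsOpts.RoleARN,
			"--role-session-name", fmt.Sprintf("%s-%d", wsInfo.WorkspaceId, time.Now().Unix()),
			"--web-identity-token", "file://"+tokenFile.Name(),
			"--duration-seconds", strconv.Itoa(idpLoginAwsOpts.DurationSeconds),
		)
		// … unchanged: CombinedOutput and error handling …
```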
@@ -87,5 +97,6 @@ func init() {
 	idpLoginAwsCmd.Flags().StringVar(&idpLoginAwsOpts.RoleARN, "role-arn", os.Getenv("IDP_AWS_ROLE_ARN"), "AWS role to assume (defaults to IDP_AWS_ROLE_ARN env var)")
 	idpLoginAwsCmd.Flags().StringVarP(&idpLoginAwsOpts.Profile, "profile", "p", "default", "AWS profile to configure")
+	idpLoginAwsCmd.Flags().IntVarP(&idpLoginAwsOpts.DurationSeconds, "duration-seconds", "d", 3600, "Duration in seconds for which the credentials will be valid (defaults to 3600), upper bound is controlled by the AWS maximum session duration. See https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-web-identity.html")
 	_ = idpLoginAwsCmd.MarkFlagFilename("profile")
 }
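Review bot: The help text for the new `--duration-seconds` flag does not mention the 900-second minimum STS enforces or that a longer session widens the window in which credentials leaked from the workspace stay usable, and "(defaults to 3600)" is redundant because cobra appends the default automatically. Suggested text: `"Duration in seconds for which the credentials will be valid (minimum 900; the upper bound is the role's maximum session duration). Longer sessions keep leaked credentials usable longer, so prefer the shortest that fits the task. See https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-web-identity.html"`. The init function begins before this hunk.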